fix(sqs): remove 'Batch' permissions (#2806)

Batch permissions are automatically implied when given regular API call permissions. For example, giving IAM permissions to `sqs:SendMessage` gives permission to call both `SendMessage` and `SendMessageBatch`. Fixes #2381.
aws · Jun 11, 2019 · 654cb37 · 654cb37
1 parent 9ce37e1
commit 654cb37
Show file tree

Hide file tree

Showing 8 changed files with 2 additions and 27 deletions.
diff --git a/packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json b/packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json
@@ -29,7 +29,6 @@
             {
               "Action": [
                 "sqs:SendMessage",
-                "sqs:SendMessageBatch",
                 "sqs:GetQueueAttributes",
                 "sqs:GetQueueUrl"
               ],
@@ -75,4 +74,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts b/packages/@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts
@@ -22,7 +22,6 @@ test('sns topic as an event rule target', () => {
         {
           Action: [
             "sqs:SendMessage",
-            "sqs:SendMessageBatch",
             "sqs:GetQueueAttributes",
             "sqs:GetQueueUrl"
           ],
@@ -86,7 +85,6 @@ test('multiple uses of a queue as a target results in multi policy statement bec
         {
           Action: [
             "sqs:SendMessage",
-            "sqs:SendMessageBatch",
             "sqs:GetQueueAttributes",
             "sqs:GetQueueUrl"
           ],
@@ -112,7 +110,6 @@ test('multiple uses of a queue as a target results in multi policy statement bec
         {
           Action: [
             "sqs:SendMessage",
-            "sqs:SendMessageBatch",
             "sqs:GetQueueAttributes",
             "sqs:GetQueueUrl"
           ],

diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.sqs.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.sqs.expected.json
@@ -50,10 +50,8 @@
               "Action": [
                 "sqs:ReceiveMessage",
                 "sqs:ChangeMessageVisibility",
-                "sqs:ChangeMessageVisibilityBatch",
                 "sqs:GetQueueUrl",
                 "sqs:DeleteMessage",
-                "sqs:DeleteMessageBatch",
                 "sqs:GetQueueAttributes"
               ],
               "Effect": "Allow",

diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts
@@ -25,10 +25,8 @@ export = {
             "Action": [
               "sqs:ReceiveMessage",
               "sqs:ChangeMessageVisibility",
-              "sqs:ChangeMessageVisibilityBatch",
               "sqs:GetQueueUrl",
               "sqs:DeleteMessage",
-              "sqs:DeleteMessageBatch",
               "sqs:GetQueueAttributes"
             ],
             "Effect": "Allow",

diff --git a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
@@ -19,7 +19,6 @@ test('queues can be used as destinations', () => {
         {
           Action: [
             "sqs:SendMessage",
-            "sqs:SendMessageBatch",
             "sqs:GetQueueAttributes",
             "sqs:GetQueueUrl"
           ],

diff --git a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
@@ -61,7 +61,6 @@
             {
               "Action": [
                 "sqs:SendMessage",
-                "sqs:SendMessageBatch",
                 "sqs:GetQueueAttributes",
                 "sqs:GetQueueUrl"
               ],
@@ -99,7 +98,6 @@
             {
               "Action": [
                 "sqs:SendMessage",
-                "sqs:SendMessageBatch",
                 "sqs:GetQueueAttributes",
                 "sqs:GetQueueUrl"
               ],
@@ -390,7 +388,6 @@
             {
               "Action": [
                 "sqs:SendMessage",
-                "sqs:SendMessageBatch",
                 "sqs:GetQueueAttributes",
                 "sqs:GetQueueUrl"
               ],
@@ -436,4 +433,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-sqs/lib/queue-base.ts b/packages/@aws-cdk/aws-sqs/lib/queue-base.ts
@@ -42,10 +42,8 @@ export interface IQueue extends IResource {
    * This will grant the following permissions:
    *
    *   - sqs:ChangeMessageVisibility
-   *   - sqs:ChangeMessageVisibilityBatch
    *   - sqs:DeleteMessage
    *   - sqs:ReceiveMessage
-   *   - sqs:DeleteMessageBatch
    *   - sqs:GetQueueAttributes
    *   - sqs:GetQueueUrl
    *
@@ -59,7 +57,6 @@ export interface IQueue extends IResource {
    * This will grant the following permissions:
    *
    *  - sqs:SendMessage
-   *  - sqs:SendMessageBatch
    *  - sqs:GetQueueAttributes
    *  - sqs:GetQueueUrl
    *
@@ -147,10 +144,8 @@ export abstract class QueueBase extends Resource implements IQueue {
    * This will grant the following permissions:
    *
    *   - sqs:ChangeMessageVisibility
-   *   - sqs:ChangeMessageVisibilityBatch
    *   - sqs:DeleteMessage
    *   - sqs:ReceiveMessage
-   *   - sqs:DeleteMessageBatch
    *   - sqs:GetQueueAttributes
    *   - sqs:GetQueueUrl
    *
@@ -160,10 +155,8 @@ export abstract class QueueBase extends Resource implements IQueue {
     const ret = this.grant(grantee,
       'sqs:ReceiveMessage',
       'sqs:ChangeMessageVisibility',
-      'sqs:ChangeMessageVisibilityBatch',
       'sqs:GetQueueUrl',
       'sqs:DeleteMessage',
-      'sqs:DeleteMessageBatch',
       'sqs:GetQueueAttributes');
 
     if (this.encryptionMasterKey) {
@@ -179,7 +172,6 @@ export abstract class QueueBase extends Resource implements IQueue {
    * This will grant the following permissions:
    *
    *  - sqs:SendMessage
-   *  - sqs:SendMessageBatch
    *  - sqs:GetQueueAttributes
    *  - sqs:GetQueueUrl
    *
@@ -188,7 +180,6 @@ export abstract class QueueBase extends Resource implements IQueue {
   public grantSendMessages(grantee: iam.IGrantable) {
     const ret = this.grant(grantee,
       'sqs:SendMessage',
-      'sqs:SendMessageBatch',
       'sqs:GetQueueAttributes',
       'sqs:GetQueueUrl');
 

diff --git a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
@@ -112,10 +112,8 @@ export = {
       testGrant((q, p) => q.grantConsumeMessages(p),
         'sqs:ReceiveMessage',
         'sqs:ChangeMessageVisibility',
-        'sqs:ChangeMessageVisibilityBatch',
         'sqs:GetQueueUrl',
         'sqs:DeleteMessage',
-        'sqs:DeleteMessageBatch',
         'sqs:GetQueueAttributes',
       );
       test.done();
@@ -124,7 +122,6 @@ export = {
     'grantSendMessages'(test: Test) {
       testGrant((q, p) => q.grantSendMessages(p),
         'sqs:SendMessage',
-        'sqs:SendMessageBatch',
         'sqs:GetQueueAttributes',
         'sqs:GetQueueUrl',
       );
@@ -250,7 +247,6 @@ export = {
             {
               "Action": [
                 "sqs:SendMessage",
-                "sqs:SendMessageBatch",
                 "sqs:GetQueueAttributes",
                 "sqs:GetQueueUrl"
               ],