Bidirectionally restrictive permissions #50
Comments
|
I do have a use case for it right now, which is secrets--definitely only want those to be readable by designated users. |
|
I wonder if it's better to strip resource policies out right now, release without them, and tighten up later as people ask for it? |
|
This also ties into meeting compliance requirements for service teams/enterprises: customer data should never be accessible by humans, and it's very likely that humans have role access to the account, potentially with ":" policies attached to the role. Maybe the solution is that we have a boolean to mark certain resources |
|
To make matters worse, IAM policies don't even work how I thought they worked :( |
|
I think the logic will have to be:
|
|
Soo... S3 policies are definitely additive (as in, you can do the action as long as either the resource policy or IAM policy gives you the permission), but KMS policies seem not to be? I have an identity that has |
|
I guess this makes sense for KMS and it appears to be documented (https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html) but we now have to contend with that IAM evaluation rules might be different for different resources. |
SomayaB
added
@aws-cdk/aws-iam
|
@rix0rrr This is from 2018. Is it still relevant or can we close it? |
SomayaB
added
the
closing-soon
|
Mmyeah, let's close it. |
Let's reopen the discussion!
In some cases, bidirectional permissions are redundant (S3) but in others they are required (KMS).
Do we have to inventarize? At least we have to revisit our generic strategy.
The text was updated successfully, but these errors were encountered: