There is some pretty cool stuff going on with IAM policies but it's not explained anywhere. It's kind of cool that it just happens automatically but you definitely need a section on how it works.
Also, for the S3 example I noticed the policy just wildcards the resource. Is there any way to figure out the actual bucket name being used and restrict the policy to just that resource?
Also, what are the limitations? What things aren't really detectable using this approach? For example, if my Lambda function has an SNS event source, I think it would be very difficult if not impossible to figure that out from the code.
I agree. It would be nice if the policy generator could read a list of policy arns from the config file and append those to what it generates. That would enable incremental improvement in the generator while allowing folks to fulfill their needs until it's ready.
Resources are always just wildcards; this feature is not usable in that state. We could ask the developer about this; getting parameters for function calls is not impossible.

```python
# Probably impossible, but it would be nice
# to even keep track of what resources are used
# so we can create ARNs and further restrict the policies.
'Resource': ['*'],
```
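An added example (not the project's own code) of the post-processing step the two comments above ask for: take a generated statement whose `Resource` is `['*']`, narrow S3 actions to the ARNs of buckets named in the config, append extra managed policy ARNs from the config, and report what is still wildcarded so it can be tightened by hand. The config keys `s3_buckets` and `extra_policy_arns` and the sample policy are assumptions constructed for this example.

```python
import json

# Constructed input: a generator-style policy that still wildcards Resource,
# plus a hypothetical config naming the buckets the function really uses
# and managed policy ARNs to attach in addition (keys are assumptions).
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": ["*"]},
    ],
}
CONFIG = {
    "s3_buckets": ["my-upload-bucket"],
    "extra_policy_arns": ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
}

# Bucket-level actions apply to the bucket ARN; every other S3 action is
# object-level and applies to bucket/* (the bucket name alone is not enough).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions"}


def s3_resources(actions, buckets):
    """Narrowest ARN list covering the given S3 actions on the given buckets."""
    arns = []
    for bucket in buckets:
        if any(a in BUCKET_LEVEL_ACTIONS for a in actions):
            arns.append(f"arn:aws:s3:::{bucket}")
        if any(a not in BUCKET_LEVEL_ACTIONS for a in actions):
            arns.append(f"arn:aws:s3:::{bucket}/*")
    return arns


def restrict_policy(policy, config):
    """Return a copy where S3-only wildcard statements are pinned to config buckets."""
    out = json.loads(json.dumps(policy))  # deep copy; leave the generator output alone
    buckets = config.get("s3_buckets", [])
    for stmt in out["Statement"]:
        actions = stmt["Action"]
        if stmt["Resource"] == ["*"] and buckets and all(a.startswith("s3:") for a in actions):
            stmt["Resource"] = s3_resources(actions, buckets)
    return out


def unresolved_wildcards(policy):
    """Actions that still carry Resource '*' (e.g. SNS, undetectable from code)."""
    return [a for s in policy["Statement"] if s["Resource"] == ["*"] for a in s["Action"]]


def policy_arns_to_attach(config):
    """Managed policies the deploy step should attach on top of the generated one."""
    return list(config.get("extra_policy_arns", []))
```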