AWS: We should lock down the IAM policies (further) #11936
Not sure whether it's the only way, but the idea would be to do something like we do for S3, where we restrict access to certain buckets by name-prefix: https://github.com/GoogleCloudPlatform/kubernetes/blob/master/cluster/aws/templates/iam/kubernetes-master-policy.json
It looks like AWS expanded the list of "matchers" recently, so it might be we can match on tags or VPC also. This would be much cleaner, I think.
This was more a "we should think about locking the policy down a lot more" than "we have to use prefixes"! And that came out of the AWS doc I'm writing, which I've had a bunch of people bring up as something that needs improvement. I'm trying to make sure that the AWS doc links to issues wherever something isn't 100%.
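As an added illustration of the two approaches discussed above (this is not the policy from the linked file or the project's own policy), the following IAM policy document replaces a broad `"Resource": "*"` grant with a bucket name-prefix restriction for S3 and a resource-tag condition for EC2 mutating actions. The `kubernetes-` prefix, the `KubernetesCluster` tag key and the `example-cluster` value are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3OnlyBucketsMatchingAssumedPrefix",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::kubernetes-*",
        "arn:aws:s3:::kubernetes-*/*"
      ]
    },
    {
      "Sid": "EC2DescribeHasNoResourceLevelScoping",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "EC2MutateOnlyResourcesTaggedForAssumedCluster",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/KubernetesCluster": "example-cluster"
        }
      }
    }
  ]
}
```

Two caveats for anyone adapting this: `ec2:Describe*` calls do not support resource-level permissions, so that statement has to stay on `"*"`, and for `ec2:AttachVolume` the tag condition is evaluated against both the volume and the instance, so both must carry the tag or the call is denied.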