48 lines
976 B
Plaintext
48 lines
976 B
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
A customer-managed policy that grants all permissions by using the wildcard (*) in the ``++Action++`` property:
|
||
|
|
|
||
|
|
[source,javascript]
|
||
|
|
----
|
||
|
|
import { aws_iam as iam } from 'aws-cdk-lib'
|
||
|
|
|
||
|
|
new iam.PolicyStatement({
|
||
|
|
effect: iam.Effect.ALLOW,
|
||
|
|
actions: ["*"], // Sensitive
|
||
|
|
resources: ["arn:aws:iam:::user/*"],
|
||
|
|
})
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
A customer-managed policy that grants only the required permissions:
|
||
|
|
|
||
|
|
[source,javascript]
|
||
|
|
----
|
||
|
|
import { aws_iam as iam } from 'aws-cdk-lib'
|
||
|
|
|
||
|
|
new iam.PolicyStatement({
|
||
|
|
effect: iam.Effect.ALLOW,
|
||
|
|
actions: ["iam:GetAccountSummary"],
|
||
|
|
resources: ["arn:aws:iam:::user/*"],
|
||
|
|
})
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|
||
|
|
ifdef::env-github,rspecator-view[]
|
||
|
|
|
||
|
|
'''
|
||
|
|
== Implementation Specification
|
||
|
|
(visible only on this page)
|
||
|
|
|
||
|
|
include::../message.adoc[]
|
||
|
|
|
||
|
|
include::../highlighting.adoc[]
|
||
|
|
|
||
|
|
endif::env-github,rspecator-view[]
|