48 lines
945 B
Plaintext
48 lines
945 B
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
A customer-managed policy that grants all permissions by using the wildcard (*) in the ``++Action++`` property:
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk.aws_iam import PolicyStatement, Effect
|
|
|
|
PolicyStatement(
|
|
effect=Effect.ALLOW,
|
|
actions=["*"], # Sensitive
|
|
resources=["arn:aws:iam:::user/*"]
|
|
)
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
A customer-managed policy that grants only the required permissions:
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk.aws_iam import PolicyStatement, Effect
|
|
|
|
PolicyStatement(
|
|
effect=Effect.ALLOW,
|
|
actions=["iam:GetAccountSummary"],
|
|
resources=["arn:aws:iam:::user/*"]
|
|
)
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[] |