61 lines
1.2 KiB
Plaintext
61 lines
1.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
The wildcard `"*"` is specified as the resource for this `PolicyStatement`. This grants the update permission for all policies of the account:
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
|
|
|
|
PolicyDocument(
|
|
statements=[
|
|
PolicyStatement(
|
|
effect=Effect.ALLOW,
|
|
actions="iam:CreatePolicyVersion",
|
|
resources=["*"] # Sensitive
|
|
)
|
|
]
|
|
)
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Restrict the update permission to the appropriate subset of policies:
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import Aws
|
|
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
|
|
|
|
PolicyDocument(
|
|
statements=[
|
|
PolicyStatement(
|
|
effect=Effect.ALLOW,
|
|
actions="iam:CreatePolicyVersion",
|
|
resources=[f"arn:aws:iam::{Aws.ACCOUNT_ID}:policy/team1/*"]
|
|
)
|
|
]
|
|
)
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|