aws-samples / aws-serverless-workshop-innovator-island

Welcome to the Innovator Island serverless workshop! This repo contains all the instructions and code you need to complete the workshop.
MIT No Attribution

Step 5 - IAM least privileges for Kinesis Firehose #45

Closed alexcasalboni closed 3 years ago

alexcasalboni commented 4 years ago

The simulator app includes this policy:

```yaml
- Statement:
    - Effect: Allow
      Resource: '*'
      Action:
        - firehose:PutRecordBatch
```

Since we've just created the Kinesis Firehose Delivery Stream, it'd be pretty straightforward to show customers how to update this policy with the Delivery Stream ID (instead of Resource: '*'), using the StreamName CloudFormation parameter.

Or we could at least limit the policy to that specific stream name in all regions:

```yaml
Resource: !Sub arn:aws:firehose:*:*:deliverystream/${StreamName}
```
jbesw commented 3 years ago

This has been addressed in today's commit. The ARN is now passed as parameter to SAM during deployment. https://github.com/aws-samples/aws-serverless-workshop-innovator-island/blob/main/5-park-stats/2-simulator/README.md
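As an added example (not code from the workshop repo or from either commenter), the SAM template fragment below puts the wildcard statement from the issue next to the two scoped alternatives discussed in the thread: building the delivery stream ARN with `!Sub` from a `StreamName` parameter, and accepting the full ARN as a parameter, which is the fix the last comment describes. The parameter names (`StreamName`, `FirehoseArn`), the condition name, the function's logical ID, runtime, handler and code path are all assumptions for illustration; the workshop's real template may use different names. `AWS::Partition`, `AWS::Region` and `AWS::AccountId` are standard CloudFormation pseudo parameters.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  # Assumed parameter names for this example.
  StreamName:
    Type: String
    Description: Name of the Kinesis Data Firehose delivery stream created in the previous step
  FirehoseArn:
    Type: String
    Description: Full delivery stream ARN. Leave empty to build it from StreamName instead.
    Default: ''

Conditions:
  # True when the caller passed the ARN in directly (the approach adopted in the fix).
  UseFirehoseArn: !Not [!Equals [!Ref FirehoseArn, '']]

Resources:
  SimulatorFunction:
    Type: AWS::Serverless::Function
    Properties:
      # Runtime, handler and code path are placeholders, not the workshop's values.
      Runtime: nodejs14.x
      Handler: app.handler
      CodeUri: ./simulator/
      Policies:
        # Before: the function may write to every delivery stream in the account,
        # in every region, including streams created later by unrelated stacks.
        #
        # - Statement:
        #     - Effect: Allow
        #       Resource: '*'
        #       Action:
        #         - firehose:PutRecordBatch

        # After: only the one delivery stream this stack was told about.
        # Option 1 (FirehoseArn given): use the ARN as passed in.
        # Option 2 (FirehoseArn empty): build it from StreamName, pinned to this
        # partition, region and account rather than the '*:*' wildcards, so the
        # same stack is still valid in aws-cn and aws-us-gov.
        - Statement:
            - Effect: Allow
              Action:
                - firehose:PutRecordBatch
              Resource: !If
                - UseFirehoseArn
                - !Ref FirehoseArn
                - !Sub arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${StreamName}
```

Deploy with either `sam deploy --parameter-overrides StreamName=<name>` or `--parameter-overrides FirehoseArn=<arn>`. After deployment, the rendered policy can be checked in the IAM console on the function's execution role; the `Resource` element should show a single `deliverystream/...` ARN, not `*`, and `firehose:PutRecordBatch` should be the only action granted by that statement.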