aws / chalice

Python Serverless Microframework for AWS
Apache License 2.0
10.66k stars 1.01k forks

SQS IAM role generation does not follow the principle of least privilege #1565

Open czieglerAC opened 4 years ago

czieglerAC commented 4 years ago

Automatic generation of IAM roles for an app that subscribes to an SQS queue will give the Lambda permission to read from and write to all SQS queues on the account.

Shouldn't the Lambda only be given permission to read from the queue(s) passed to @app.on_sqs_message?

jamesls commented 3 years ago

Yes, we should be able to update this to only allow permission to the specific queue.
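The two shapes the thread contrasts, as an added example that is not part of the issue or of Chalice's own code: a statement scoped to the queue ARN(s) the handler subscribes to, beside a check that flags the account-wide SQS grant the reporter describes. The action list (assumed to match what an SQS event source mapping needs, as in AWS's managed AWSLambdaSQSQueueExecutionRole), the account id and the queue name are assumptions.

```python
import json

# Actions a Lambda needs to consume a queue via an SQS event source mapping
# (assumption: the set AWS's managed AWSLambdaSQSQueueExecutionRole grants).
SQS_CONSUMER_ACTIONS = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]

def sqs_consumer_statement(queue_arns):
    """Least-privilege Allow statement scoped to concrete queue ARNs."""
    if not queue_arns:
        raise ValueError("at least one queue ARN is required")
    for arn in queue_arns:
        if not arn.startswith("arn:aws:sqs:") or "*" in arn:
            raise ValueError(f"expected a concrete SQS queue ARN, got {arn!r}")
    return {"Effect": "Allow", "Action": list(SQS_CONSUMER_ACTIONS), "Resource": list(queue_arns)}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def overly_broad_sqs_statements(policy):
    """Return Allow statements granting any SQS action on a wildcard resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        touches_sqs = any(a == "*" or a.lower().startswith("sqs:") for a in actions)
        if touches_sqs and any("*" in r for r in resources):
            findings.append(stmt)
    return findings

# Constructed samples: the account-wide grant the issue describes, and the same
# role rebuilt around one named queue (placeholder account id and queue name).
LOGS_STMT = {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": "*"}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:*"], "Resource": "*"}, LOGS_STMT]}
ORDERS_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    sqs_consumer_statement([ORDERS_QUEUE_ARN]), LOGS_STMT]}

if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=2))
    print("wildcard SQS statements in broad policy:", len(overly_broad_sqs_statements(BROAD_POLICY)))
```

Running the check over a deployed role's policy document (for example, fetched with `aws iam get-role-policy`) shows whether the generated role still carries the wildcard grant after an upgrade.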