awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

AWS LZA - Premade Roles have inline policies that allow decryption actions on all KMS keys and do not prevent against a cross-service confused deputy attack #621

Open ella-jackson-kainos opened 4 weeks ago

ella-jackson-kainos commented 4 weeks ago

I am currently working on an issue within my AWS account that uses LZA. It seems that the service roles that were implemented by LZA have some issues;

Is anyone else having these issues? Is there a plan to fix these?
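One way to check a role's policy documents for the two findings named in the issue title, as an added example that is not part of the original issue and is not LZA's own code. The policy documents are constructed samples, the function names are hypothetical, and the set of "decryption actions" is an assumption.

```python
import fnmatch

# Assumption: "decryption actions" means kms:Decrypt and kms:ReEncryptFrom.
DECRYPT_ACTIONS = ("kms:decrypt", "kms:reencryptfrom")
# Global condition keys used to scope a service principal to the resource it acts for.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid", "aws:sourceorgpaths"}

def as_list(value):
    """IAM JSON accepts a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def broad_kms_decrypt(policy):
    """Return Allow statements granting a decryption action on every KMS key."""
    hits = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action"))]
        # IAM action wildcards (*, ?) behave like glob patterns here.
        grants = any(fnmatch.fnmatchcase(d, a) for a in actions for d in DECRYPT_ACTIONS)
        all_keys = any(r == "*" or r.endswith(":key/*") for r in as_list(st.get("Resource")))
        if grants and all_keys:
            hits.append(st)
    return hits

def unguarded_service_trust(trust_policy):
    """Return service principals trusted with no source-scoping condition key."""
    exposed = []
    for st in as_list(trust_policy.get("Statement")):
        principal = st.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or not services:
            continue
        keys = {k.lower() for op in (st.get("Condition") or {}).values() for k in op}
        if not keys & SOURCE_KEYS:
            exposed.extend(services)
    return exposed

# Constructed sample documents (not taken from LZA).
SAMPLE_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:eu-west-2:111122223333:key/EXAMPLE-KEY-ID"}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}
```

A reported principal is a prompt for review: whether a given service sets these condition keys when it assumes a role has to be confirmed in that service's documentation.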