Open kaiyan-sheng opened 2 months ago
I had a look again to try to understand where these policies come from, and I believe it depends on the way we are deploying ESF.
So if we use the terraform files (private repo), we do not use managed policies like AWSLambdaSQSQueueExecutionRole, but instead grant the right permissions to the right resources. The exception is the use of the policy AWSLambdaBasicExecutionRole. This would have to be changed as well.
For the publish script, you are already covering the cases in the changed file.
I don't think we are using managed policies anywhere else, but it is best to double check.
What does this PR do?
Elastic Serverless Forwarder Lambda Role uses the following AWS managed policies:
- AWSLambdaSQSQueueExecutionRole
- AWSLambdaKinesisExecutionRole
- AWSLambdaBasicExecutionRole
- AWSLambdaVPCAccessExecutionRole

All the above roles have attached policies with wildcard Resource statements (i.e. `"Resource": "*"`). In order to limit the resource here, I'm replacing these policies with custom policies.
Why is it important?
Security concern with IAM definition including too many wildcards. https://github.com/elastic/elastic-serverless-forwarder/issues/266
Checklist
CHANGELOG.md
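As an added illustration (not code from this PR or the project), here is a constructed managed-style statement with a wildcard Resource beside a custom policy scoped to specific queues, plus a small check that flags Allow statements whose Resource is `"*"`. The queue ARN and the action list are assumptions, not taken from the project.

```python
import json

# Constructed example of a statement in the style of an AWS managed policy:
# the actions are granted on every resource in the account ("Resource": "*").
# Action list is an assumption for illustration, not the managed policy's text.
MANAGED_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": "*",
        }
    ],
}


def scoped_sqs_policy(queue_arns):
    """Build a custom policy granting the same SQS actions only on the given queue ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
                "Resource": sorted(queue_arns),
            }
        ],
    }


def wildcard_statements(policy):
    """Return indexes of Allow statements whose Resource is, or contains, a bare '*'."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # IAM allows a single string or a list
            resources = [resources]
        if any(r == "*" for r in resources):
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Placeholder ARN (constructed), not a real queue.
    custom = scoped_sqs_policy(["arn:aws:sqs:us-east-1:123456789012:esf-input-queue"])
    print("managed-style wildcard statements:", wildcard_statements(MANAGED_STYLE_POLICY))
    print("custom policy wildcard statements:", wildcard_statements(custom))
    print(json.dumps(custom, indent=2))
```

The same check can be run over policy documents rendered from terraform to confirm that no Allow statement still carries a bare wildcard Resource.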