github-actions[bot]
commented
2 days ago Community Note
Voting for Prioritization
- Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
- Please see our prioritization guide for information on how we prioritize.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
For Submitters
- Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
- For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
- Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.
jar-b
Description
The current example of an AWS Backup vault policy allows any user to put a new policy (since it uses Principal "*"). Therefore deploying the provided example would allow anyone to replace this policy with one in which they had full control over the backup vault. This would include taking copies of the data in there or deleting snapshots.
AWS "strongly recommend that you do not use a wildcard (*) in the Principal element of a resource-based policy with an Allow effect". Following this, this PR replaces the Principal with the account id, therefore giving this power only to roles already within this account, which is much less dangerous.
Relations
None
References
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous