Closed gene1wood closed 5 years ago
These can and probably should be expanded to wildcards with prefixes for each of these products
Since Security Monkey uses this role, it would be good to review and diff the current permissions: https://github.com/Netflix/security_monkey/blob/develop/docs/iam_aws.md#creating-securitymonkey-role
The permissions present in the Security Monkey role that we would be missing after adding the items above are
The permission that is present in the Security Monkey role that we don't want is
We should also add
When attempting to figure out if a Lambda function in a foreign account is the cause of an issue, I found we don't have rights to look at Lambda functions and are specifically missing lambda:GetAccountSettings. Should we have any read permissions in Lambda via security auditing roles?
If so what should or shouldn't we have?
cc @andrewkrug
Additionally we should add more permissions with the route53 product as that is also difficult to audit.
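The thread asks for two things: a diff of what the auditing role allows against what an auditor actually needs (the Security Monkey role is the reference), and a check that nothing outside read-only verbs creeps into a wildcard-with-prefix policy. The script below is an added example, not code from this issue, from Mozilla's role, or from Security Monkey. It reads a policy document, expands IAM-style wildcards when matching, reports required actions the policy does not cover, and flags allowed patterns whose verb is not a read-only prefix. The policy document, the required action list and the READ_ONLY_VERBS allowlist are constructed sample data for the example; the only action taken from the thread is lambda:GetAccountSettings.

```python
"""Diff an IAM auditing-role policy against the read actions an auditor needs.

Added example; not the issue's own code. All policy content below is
constructed sample data, not the real auditing role or Security Monkey's role.
"""
import fnmatch
import json
from typing import Iterable

# Constructed sample: the auditing role's current policy, written in the
# prefix-wildcard style proposed in the issue (e.g. "lambda:List*").
# The s3:PutBucketPolicy grant is a hypothetical write permission planted
# so the read-only check has something to flag.
AUDIT_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:List*", "route53:Get*", "iam:Get*", "iam:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "*"},
    ],
})

# Constructed sample: actions an auditor wants. lambda:GetAccountSettings is
# the one the issue reports as missing; the rest are illustrative.
REQUIRED_ACTIONS = [
    "lambda:GetAccountSettings",
    "lambda:ListFunctions",
    "route53:ListHostedZones",
    "route53:GetHostedZone",
    "iam:GetRole",
]

# Hypothetical allowlist of verb prefixes treated as read-only for this check.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def allowed_actions(policy_json: str) -> list[str]:
    """Collect every Action pattern from Allow statements.

    Deny statements, Conditions and Resource scoping are ignored here; this
    example only looks at the action surface.
    """
    doc = json.loads(policy_json)
    patterns: list[str] = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(actions)
    return patterns


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json: str, required: Iterable[str]) -> list[str]:
    """Required actions that no Allow pattern in the policy covers."""
    patterns = allowed_actions(policy_json)
    return [a for a in required
            if not any(action_matches(p, a) for p in patterns)]


def non_read_only(policy_json: str) -> list[str]:
    """Allowed patterns whose verb is not a read-only prefix, or is too broad
    to tell (a bare '*' or 'service:*' is flagged as well)."""
    flagged = []
    for pattern in allowed_actions(policy_json):
        _service, _, verb = pattern.partition(":")
        if not verb or verb == "*" or not verb.startswith(READ_ONLY_VERBS):
            flagged.append(pattern)
    return flagged


if __name__ == "__main__":
    print("missing:", missing_actions(AUDIT_ROLE_POLICY, REQUIRED_ACTIONS))
    print("not read-only:", non_read_only(AUDIT_ROLE_POLICY))
```

Against the constructed policy, missing_actions reports lambda:GetAccountSettings (lambda:List* does not cover Get verbs) and route53:ListHostedZones (only route53:Get* is granted), which is exactly the kind of gap the thread describes; non_read_only flags the planted s3:PutBucketPolicy. To run it against a real role, replace AUDIT_ROLE_POLICY with the policy document fetched from IAM and REQUIRED_ACTIONS with the reference list being diffed against.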