nccgroup / Scout2

Security auditing tool for AWS environments
http://nccgroup.github.io/Scout2/
GNU General Public License v2.0
1.73k stars 300 forks

Suggesting ViewOnlyAccess instead of ReadOnlyAccess #309

Closed armarquez closed 6 years ago

armarquez commented 6 years ago

Given that the tool documentation in the README has changed from the provided AWS policy document (default.json) to suggesting the use of AWS-provided managed policies, I am wondering whether all the permissions associated with the ReadOnlyAccess policy are necessary. Would it be possible to run the tool with the ViewOnlyAccess policy and the SecurityAudit policy?

It has been noted in other projects (https://github.com/traveloka/terraform-aws-common-iam-roles/issues/4) that using ReadOnlyAccess is insecure due to the number of permissions it provides. I think it also makes it easier to ask cloud admins to provide the lesser of the two permission sets when performing a security review.

I am only suggesting this change if it doesn't break the tool, which I don't know whether it does.

Other reference: https://forums.aws.amazon.com/thread.jspa?threadID=246565

x4v13r64 commented 6 years ago

Yes, the permissions associated with ReadOnlyAccess are necessary. While ViewOnlyAccess will allow listing a number of resources, it won't allow accessing details/configuration for a number of resources (as detailed in the second link you posted).

I don't really see how ReadOnlyAccess is insecure, as it doesn't allow making any modifications to the AWS account. It does provide read access on a number of services, but that is the intended use case for the tool.
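The question underneath this thread is an empirical one: does a given combination of managed policies actually cover the API calls the tool makes? The script below is an added example, not part of this issue thread or of the Scout2 project. It checks a list of required IAM actions against one or more policy documents, honouring IAM's case-insensitive action matching, `*`/`?` wildcards and explicit Deny statements. The three policy documents embedded in it are constructed, abbreviated stand-ins and are not the real AWS managed policies; the `REQUIRED_ACTIONS` list is likewise a hypothetical sample, not the tool's actual call list. To run the check for real, fetch the genuine documents with `fetch_managed_policy_document()` (which needs boto3 and AWS credentials) and replace `REQUIRED_ACTIONS` with the actions the tool needs.

```python
"""Coverage check: which required IAM actions are not granted by a set of policies?

Added example (not Scout2 code). Sample documents and the required-action
list are constructed for illustration and do not reproduce AWS's policies.
"""
import fnmatch

# Constructed, abbreviated policy documents. NOT the real AWS managed policies.
SAMPLE_VIEW_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "iam:ListUsers"],
    }],
}
SAMPLE_SECURITY_AUDIT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:DescribeSecurityGroups", "iam:GetAccountPasswordPolicy", "iam:ListPolicies"],
    }],
}
# A single Statement object rather than a list is valid IAM syntax; handled below.
SAMPLE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "iam:Get*", "iam:List*"],
    },
}

# Hypothetical list of calls a read-only auditing tool might issue.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroups",
    "s3:GetBucketPolicy",
    "iam:GetAccountPasswordPolicy",
    "iam:GetPolicyVersion",
]


def _as_list(value):
    """IAM allows a string or a list in Statement/Action fields; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are the wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(action, documents):
    """True if some Allow statement matches and no Deny statement does.

    Only 'Action' is modelled. 'NotAction', 'Resource' and 'Condition' scoping
    are ignored, so treat the result as a first-pass coverage check, not an
    authorisation decision.
    """
    allowed = False
    for doc in documents:
        for stmt in _as_list(doc.get("Statement")):
            if "NotAction" in stmt:
                continue
            if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
                if stmt.get("Effect") == "Deny":
                    return False  # an explicit Deny always wins
                allowed = True
    return allowed


def missing_actions(required, documents):
    """Sorted list of required actions that the combined documents do not grant."""
    return sorted(a for a in required if not is_allowed(a, documents))


def fetch_managed_policy_document(policy_arn):
    """Fetch the default version of a managed policy. Needs boto3 and credentials.

    Real ARNs: arn:aws:iam::aws:policy/ReadOnlyAccess,
               arn:aws:iam::aws:policy/SecurityAudit,
               arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
    """
    import boto3  # imported here so the offline check above needs no AWS SDK
    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)["PolicyVersion"]["Document"]


if __name__ == "__main__":
    print("ViewOnly + SecurityAudit missing:",
          missing_actions(REQUIRED_ACTIONS, [SAMPLE_VIEW_ONLY, SAMPLE_SECURITY_AUDIT]))
    print("ReadOnly missing:", missing_actions(REQUIRED_ACTIONS, [SAMPLE_READ_ONLY]))
```

On the constructed samples the ViewOnlyAccess-plus-SecurityAudit combination leaves two of the five hypothetical actions ungranted while the ReadOnlyAccess stand-in covers all of them, which is the shape of the gap x4v13r64 describes; whether the real policies produce the same result for the tool's real call list is exactly what running the script against the fetched documents answers.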