sbstjn / serverless-dynamodb-autoscaling

Serverless Plugin for Amazon DynamoDB Auto Scaling configuration.
https://sbstjn.com/serverless-dynamodb-auto-scaling-with-cloudformation.html
MIT License
148 stars, 27 forks

Remove `*` resource configuration for role policy #1

Closed sbstjn closed 7 years ago

sbstjn commented 7 years ago

The permissions for the created role must have a restricted access policy. The current implementation should not be used in production environments.

  'Statement': [
    {
      'Effect': 'Allow',
      'Action': [
        'dynamodb:DescribeTable',
        'dynamodb:UpdateTable',
        'cloudwatch:PutMetricAlarm',
        'cloudwatch:DescribeAlarms',
        'cloudwatch:DeleteAlarms',
        'cloudwatch:GetMetricStatistics',
        'cloudwatch:SetAlarmState'
      ],
      'Resource': '*'
    }
  ]

sbstjn commented 7 years ago

A first step to a more secure solution would be at least a policy bound to the account and table name:

{
  "Action": [
    "dynamodb:DescribeTable",
    "dynamodb:UpdateTable"
  ],
  "Resource": "arn:aws:dynamodb:*:AccountID:table/TableName",
  "Effect": "Allow"
}

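The two snippets above show the problem (every action on `Resource: "*"`) and the first step of the fix (DynamoDB actions bound to account and table ARNs). The following Python is an added example, not code from this issue or from the serverless-dynamodb-autoscaling plugin: it builds the table-scoped statement for a list of table names and includes a small lint that reports which Allow statements still grant a bare `*`. The account id, table names and the `build_scoped_policy` / `wildcard_resource_statements` names are assumptions for illustration; the CloudWatch actions are deliberately left on `*` here, as in the issue, so the lint shows what remains to be narrowed.

```python
import json
from typing import Dict, Iterable, List

# Constructed copy of the unrestricted policy quoted in the issue, used as lint input.
UNRESTRICTED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:SetAlarmState",
            ],
            "Resource": "*",
        }
    ],
}


def table_arn(account_id: str, table_name: str, region: str = "*") -> str:
    """Build the DynamoDB table ARN used in the issue's second snippet.

    The region defaults to '*' exactly as in the issue; pass a concrete
    region to tighten the statement further.
    """
    return f"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"


def build_scoped_policy(account_id: str, table_names: Iterable[str], region: str = "*") -> Dict:
    """Return a policy whose DynamoDB statement names each table explicitly.

    Hypothetical layout: the CloudWatch actions are kept in a separate
    statement so the remaining broad grant is visibly isolated from the
    table-scoped one instead of being mixed into a single wildcard statement.
    """
    arns = [table_arn(account_id, name, region) for name in table_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["dynamodb:DescribeTable", "dynamodb:UpdateTable"],
                "Resource": arns,
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:PutMetricAlarm",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DeleteAlarms",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:SetAlarmState",
                ],
                "Resource": "*",
            },
        ],
    }


def wildcard_resource_statements(policy: Dict) -> List[Dict]:
    """Return every Allow statement whose Resource is, or contains, a bare '*'.

    Resource may be a string or a list in IAM policy JSON, so both forms are
    normalised before checking.
    """
    hits: List[Dict] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    # Sample values are constructed for the demo, not taken from any real account.
    scoped = build_scoped_policy("123456789012", ["Users", "Orders"], region="eu-west-1")
    print(json.dumps(scoped, indent=2))
    for stmt in wildcard_resource_statements(scoped):
        print("still on '*':", ", ".join(stmt["Action"]))
```

Running the lint against the original statement reports one wildcard statement carrying all seven actions; against the scoped policy it reports only the CloudWatch statement, which is the part a reviewer would look at next.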
sbstjn commented 7 years ago

Included in the 0.1.1 release.