Closed internetstaff closed 2 years ago
bryantbiggs
commented
3 years ago I'm not saying there isn't room for improvement, but typically KMS keys set a resource policy which dictates who can do what with the key, while this statement here just states that the IAM role is allowed to make kms API calls - it would be up to the key resource policy to determine if the request should succeed or fail
github-actions[bot]
commented
2 years ago This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
github-actions[bot]
commented
2 years ago This issue was automatically closed because of stale in 10 days
github-actions[bot]
commented
2 years ago I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
The change here:
https://github.com/clowdhaus/terraform-aws-datadog-forwarders/commit/851257b02fc4be76236d5b5b48e3c8cf9b703098
... seems to grant the lambdas permission to kms:Decrypt on any KMS key, which seems bad from a security perspective?
Thanks!