tomwwright / littleorange

Minimalist AWS multi-account cloud leveraging CloudFormation and Lambda.
GNU General Public License v3.0

Resource Provider CodeBuild projects use permissive role #2

Open tomwwright opened 4 years ago

tomwwright commented 4 years ago

The CloudFormation CLI deploys a CloudFormationManagedUploadInfrastructure stack during cfn submit to handle uploading the handlers package. It also deploys a stack for the resource provider's execution role.

To cater for this functionality, the CodeBuild role for deploying a resource provider has an overly permissive policy:

...
- PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Action:
          - cloudformation:*
          - iam:*
          - kms:*
          - s3:*
        Effect: "Allow"
        Resource: "*"
  PolicyName: CloudFormationManagedUploadInfrastructure
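A small least-privilege check for the pattern this issue describes, as an added example that is not part of littleorange or the CloudFormation CLI: it walks the AWS::IAM::Role resources of a CloudFormation template and flags any Allow statement that combines a service-wide wildcard action (such as iam:* or kms:*) with Resource "*". The template, the logical id ResourceProviderCodeBuildRole, the SCOPED_POLICY and its ARNs are all constructed for illustration; the scoped policy shows the shape a narrower statement takes, not the exact set of permissions cfn submit needs.

```python
"""Flag over-permissive IAM statements in a CloudFormation template.

Added example, not project code. The inline template and policies are
constructed to mirror the policy quoted in the issue.
"""
from __future__ import annotations


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_document: dict) -> list[dict]:
    """Return one finding per Allow statement that grants a wildcard action
    ('*' or 'service:*') on Resource '*'. Denies and scoped statements pass."""
    findings = []
    for index, statement in enumerate(_as_list(policy_document.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions and "*" in resources:
            findings.append({"statement": index, "actions": wildcard_actions, "resource": "*"})
    return findings


def scan_template(template: dict) -> dict[str, list[dict]]:
    """Walk AWS::IAM::Role resources and report findings keyed by logical id,
    each tagged with the PolicyName it came from."""
    report: dict[str, list[dict]] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        for policy in _as_list(resource.get("Properties", {}).get("Policies")):
            for finding in find_overbroad_statements(policy.get("PolicyDocument", {})):
                report.setdefault(logical_id, []).append(
                    dict(finding, policy=policy.get("PolicyName")))
    return report


# Constructed: the policy document quoted in the issue, as a Python dict.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["cloudformation:*", "iam:*", "kms:*", "s3:*"],
         "Effect": "Allow", "Resource": "*"},
    ],
}

# Constructed illustration of a narrower shape; bucket, account and region are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:PutObject", "s3:GetObject"],
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::example-upload-bucket/*"},
        {"Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DescribeStacks"],
         "Effect": "Allow",
         "Resource": "arn:aws:cloudformation:us-east-1:123456789012:"
                     "stack/CloudFormationManagedUploadInfrastructure/*"},
    ],
}

# Constructed template fragment; the logical id is assumed, not taken from the project.
TEMPLATE = {
    "Resources": {
        "ResourceProviderCodeBuildRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [
                    {"PolicyDocument": PERMISSIVE_POLICY,
                     "PolicyName": "CloudFormationManagedUploadInfrastructure"},
                ],
            },
        },
    },
}


if __name__ == "__main__":
    for role, findings in scan_template(TEMPLATE).items():
        for f in findings:
            print(f"{role}: policy {f['policy']} statement {f['statement']} "
                  f"allows {', '.join(f['actions'])} on Resource '*'")
    print("scoped policy findings:", find_overbroad_statements(SCOPED_POLICY))
```

The check only catches the crude shape (wildcard action plus wildcard resource); a statement such as iam:PassRole on Resource "*" would pass it and still deserve review, so treat it as a pre-commit gate for templates, not a substitute for reading the policy.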