It is understood that to create a least privilege policy, it is recommended to deploy the CloudFormation stack with a role that has full administrator permissions in a testing environment and then use Access Analyzer to generate a fine-grained policy by observing the CloudTrail events to identify the actions and services that have been used by the IAM role assumed by CloudFormation. Alternatively, AWS Athena can be used to query the CloudTrail logs and build a concise list of actions.
However, this means extra steps: first deploying the stack and then using Access Analyzer, or deploying the stack and then using trial and error, since not all errors are seen in CloudTrail at one time. Looking for a more efficient way to eliminate the extra steps and the trial-and-error process when creating a least privilege policy. For example, a way to scan the template and determine what permissions may be needed before deploying the stack.
Name of the resource: AWS::IAM::Policy
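As an added example (not part of this issue, nor of Access Analyzer or any AWS tool), the CloudTrail-driven step the issue describes, done by hand: filter records to the CloudFormation deployment role, turn each call into an IAM action, and separate the calls that were denied, because a denied call means the stack stopped there and the observed list is still incomplete. The sample records and role ARN are constructed placeholders, and the eventSource-to-IAM-prefix mapping is a heuristic that is wrong for a few services (for example monitoring.amazonaws.com is the cloudwatch prefix).

```python
import json
import re
from collections import defaultdict

# Constructed sample CloudTrail records (not real logs), trimmed to the fields
# this script reads. The role ARN is a placeholder.
DEPLOY_ROLE = "arn:aws:iam::123456789012:role/cfn-deploy-role"
DENIED_CODES = ("AccessDenied", "Client.UnauthorizedOperation")

def _rec(source, name, role=DEPLOY_ROLE, error=None):
    r = {"eventSource": source, "eventName": name,
         "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": role}}}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE_EVENTS = [
    _rec("s3.amazonaws.com", "CreateBucket"),
    _rec("s3.amazonaws.com", "PutBucketPolicy"),
    _rec("lambda.amazonaws.com", "CreateFunction20150331"),   # dated API name
    _rec("iam.amazonaws.com", "CreateRole", error="AccessDenied"),
    _rec("s3.amazonaws.com", "ListBuckets", role="arn:aws:iam::123456789012:role/other"),
]

def iam_action(event):
    """Map a CloudTrail record to an IAM action string (heuristic prefix mapping)."""
    service = event["eventSource"].split(".")[0]
    # Lambda eventNames carry an API-version suffix (CreateFunction20150331,
    # AddPermission20150331v2); the IAM action name does not.
    name = re.sub(r"\d{8}(v\d+)?$", "", event["eventName"])
    return f"{service}:{name}"

def actions_for_role(events, role_arn):
    """Split the role's observed calls into succeeded and access-denied actions."""
    ok, denied = set(), set()
    for e in events:
        issuer = (e.get("userIdentity", {}).get("sessionContext", {})
                   .get("sessionIssuer", {}).get("arn"))
        if issuer != role_arn:
            continue  # calls by other principals do not belong in this policy
        target = denied if e.get("errorCode") in DENIED_CODES else ok
        target.add(iam_action(e))
    return ok, denied

def build_policy(events, role_arn):
    """One Allow statement per service; Resource stays "*" for manual narrowing."""
    ok, denied = actions_for_role(events, role_arn)
    by_service = defaultdict(list)
    for a in sorted(ok):
        by_service[a.split(":")[0]].append(a)
    policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": f"Cfn{svc.capitalize()}", "Effect": "Allow", "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())]}
    return policy, sorted(denied)

if __name__ == "__main__":
    policy, denied = build_policy(SAMPLE_EVENTS, DEPLOY_ROLE)
    print(json.dumps(policy, indent=2))
    if denied:
        print("Denied, stack did not finish; grant these, redeploy, re-run:", denied)
```

Each denied action is the reason the issue calls this trial and error: after granting it and redeploying, the stack proceeds further and CloudTrail shows the next batch of calls.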