Hello all. I'm trying to reduce the set of AWS permissions given to the sst user and doing so using the policy generator to analyze what's being used. The one thing that troubles me is that SST seems to require things like iam:PutRolePolicy and iam:AttachRolePolicy, and I believe I can't restrict the resources it needs those on, since roles are being created for every lambda etc... Therefore I imagine that if that user gets breached then someone ill-intended could escalate their own privileges.
Any recommendations or documented approach to best handling the policy given to the SST user?
Frank
12/20/2021, 9:18 AM
Hey @Erik Robertson, if you go into CloudTrail, can you check who is making the iam:PutRolePolicy and iam:AttachRolePolicy API calls?
Frank
12/20/2021, 9:18 AM
I suspect it's CloudFormation that's making them. If that's the case, you can use a separate IAM role for CloudFormation to use.
Erik Robertson
12/20/2021, 9:32 AM
@Frank Indeed it is CloudFormation. Is the process documented for assigning a separate role to CF and using it? I'm guessing I should manually create a service role and assign it to the various SST CF stacks?
Frank
12/21/2021, 8:42 PM
I noticed you are using the --role-arn flag in another thread. Yeah, that's the way to go! I will follow up in that thread.