Open
Description
Expected Behavior
IAM Roles created by CloudFormation should be bound by resource or conditional statements.
Actual Behavior
StackSet creates an IAM role (DatadogStreamStackSetExecutionRole) which grants it unrestricted access to assume any role within the AWS account (essentially granting administrator privileges, and making all of the other IAM grants irrelevant):
cloudformation-template/aws_streams/streams_main.yaml
Lines 100 to 104 in 8cd365f

```yaml
- Effect: Allow
  Action:
    - iam:GetRole
    - iam:PassRole
  Resource: "*"
```
Please update this template to add a condition to the CloudFormation so that the StackSet can only assume the specific roles it needs to perform the updates required.
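As an added example (not part of this issue or of the Datadog template), a small check that flags the pattern reported above: an Allow statement granting iam:PassRole on a wildcard Resource with no Condition. For contrast it includes a scoped statement that passes; the account id, role ARN, Sids and service principal in the sample are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: the over-broad statement quoted in the issue
# (Allow / iam:GetRole, iam:PassRole / Resource "*") next to a scoped
# alternative. Account id, role ARN and service principal are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AsShipped", "Effect": "Allow",
     "Action": ["iam:GetRole", "iam:PassRole"], "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/EXAMPLE-StreamRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "firehose.amazonaws.com"}}}
  ]
}
""")

# Actions that let a principal hand a role (and its permissions) to something else.
SENSITIVE_ACTIONS = {"iam:passrole", "sts:assumerole"}


def _as_list(value):
    # IAM allows a bare string where a list is expected; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_unscoped_passrole(policy):
    """Return Sids (or Statement[i]) of Allow statements that grant a sensitive
    action on a wildcard Resource without any Condition.
    Action patterns such as "iam:*" are matched; NotAction/NotResource are not handled."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(s, a) for a in actions for s in SENSITIVE_ACTIONS):
            continue
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(r == "*" or r.endswith("/*") for r in resources)
        if wildcard and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print(find_unscoped_passrole(SAMPLE_POLICY))  # ['AsShipped']
```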
Steps to Reproduce the Problem
- Implement AWS monitoring via CloudFormation Stackset
Specifications
- Datadog CloudFormation template version:
Stacktrace