
amazon web services - Is CDK's auto-generated AssumeRolePolicy sufficient, or should I specify a condition for specific


I've been working with CDK for a bit, and haven't had any reason to modify any of the default roles/policies that are auto-generated when I create resources like lambdas or step functions. However, I also know that from a security perspective, it's best practice to be as restrictive as possible for policies and permissions.

This made me wonder whether I should specify a condition in my assumeRolePolicies to only allow specific resources to assume that role. For example, after my CDK code gets converted into YAML, is this sufficiently secure?

AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service:
            - lambda.amazonaws.com
        Action:
          - 'sts:AssumeRole'

Or would it be best practice to add a condition if I'm sure that I only want this role to be assumed by one resource, like so:

AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service:
            - lambda.amazonaws.com
        Action:
          - 'sts:AssumeRole'
        Condition:
          ArnLike:
            aws:SourceArn: myLambdaArn

And if I should add the condition, is there an easy way to do it in CDK without having to replace the resource's role.assumeRolePolicy entirely?
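The two trust policies in the question can be compared mechanically. The following is an added example, not code from the question or from CDK: a small audit over a synthesized trust policy that flags service-principal statements granting sts:AssumeRole without an aws:SourceArn or aws:SourceAccount condition (extending the question's aws:SourceArn check to aws:SourceAccount), and shows that appending a conditioned statement to the default one, rather than replacing it, leaves the unconditioned grant in place. The Lambda ARN and account id in the samples are placeholders.

```python
# Condition keys that tie a service principal to a particular source resource
# (compared case-insensitively, as IAM treats condition keys).
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

def _as_list(value):
    """IAM accepts a scalar or a list for Principal, Action and Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def unscoped_service_statements(policy):
    """Return the Allow statements that let a service principal call sts:AssumeRole
    without an aws:SourceArn / aws:SourceAccount condition. Each statement is judged
    on its own: one scoped statement does not help if another one stays unscoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if not services:
            continue  # account/user principals are outside this check
        condition = stmt.get("Condition") or {}
        keys = {k.lower() for operator in condition.values() for k in operator}
        if not keys & SOURCE_KEYS:
            findings.append({"services": services, "condition_keys": sorted(keys)})
    return findings

# Constructed samples mirroring the two documents in the question (ARN is a placeholder).
DEFAULT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
    "Action": ["sts:AssumeRole"]}]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
    "Action": ["sts:AssumeRole"],
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:111122223333:function:my-fn"}}}]}
# What results from appending the scoped statement to the default trust policy
# instead of replacing it: the unconditioned statement still grants the broad trust.
APPENDED_TRUST = {"Version": "2012-10-17",
                  "Statement": DEFAULT_TRUST["Statement"] + SCOPED_TRUST["Statement"]}

if __name__ == "__main__":
    for name, doc in [("default", DEFAULT_TRUST), ("scoped", SCOPED_TRUST), ("appended", APPENDED_TRUST)]:
        print(name, unscoped_service_statements(doc))
```

Feed it each role's AssumeRolePolicyDocument from a `cdk synth` template (parsed into a dict) to see which roles still trust a service without source scoping.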
