When trying to create a s3 trigger on an existing bucket, serverless needs to create an IAM role in the background, however there is no way (so it seems) to attach a permission boundary to this new role. Thus how is this useful? My serverless deploy user is ofc restricted by a permission boundary to prevent privilege escalation attacks yet to attach a trigger to an existing bucket requires than my serverless user is allowed to create IAM roles without any boundary?
Related topics
Topic | Replies | Views | Activity | |
---|---|---|---|---|
Permission bounday for internally created resources | 2 | 4165 | August 30, 2020 | |
IAM permissions boundary support | 3 | 5061 | August 30, 2020 | |
Serverless fails to create a S3 trigger for an existing S3 bucket | 3 | 2724 | May 16, 2023 | |
An error occurred: bucket already exists in stack | 2 | 6174 | November 14, 2018 | |
List Permission for non Admin IAM Roles | 1 | 859 | July 30, 2017 |