Expected Behavior
IAM Roles created by CloudFormation should be bound by resource or conditional statements.
Actual Behavior
StackSet creates an IAM role (DatadogStreamStackSetExecutionRole) which grants it unrestricted access to assume any role within the AWS account (essentially granting administrator privileges, and making all of the other IAM grants irrelevant):
cloudformation-template/aws_streams/streams_main.yaml
Lines 100 to 104 in 8cd365f
Please update this template to add a condition to the CloudFormation so that the StackSet can only assume the specific roles it needs to perform the updates required.
Steps to Reproduce the Problem
Implement AWS monitoring via CloudFormation StackSet
Specifications
Datadog CloudFormation template version:
Stacktrace
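As an added example (not part of the issue or of Datadog's template), a small Python check that flags the class of statement the issue describes: an Allow of sts:AssumeRole over every role in the account with no Condition narrowing it. The two policy documents are constructed samples, not the real contents of streams_main.yaml, and ExampleTargetRole is a placeholder role name.

```python
"""Flag IAM policy statements that let a principal assume any role.

A statement is reported when it Allows sts:AssumeRole (directly or via a
wildcard), its Resource covers every role, and no Condition scopes it.
"""
import json

# Constructed sample: the over-broad shape the issue complains about.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}

# Constructed sample: same grant, bound to one named role (placeholder name).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": "arn:aws:iam::*:role/ExampleTargetRole",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(action):
    """True for sts:AssumeRole and any wildcard that expands to it."""
    a = action.lower()
    if a in ("*", "sts:*", "sts:assumerole"):
        return True
    return a.endswith("*") and "sts:assumerole".startswith(a[:-1])


def find_unscoped_assume_role(policy):
    """Return indices of Allow statements granting AssumeRole on all roles."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_assume_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        resources = _as_list(stmt.get("Resource"))
        covers_all_roles = any(r == "*" or r.endswith(":role/*") for r in resources)
        if covers_all_roles and not stmt.get("Condition"):
            findings.append(idx)
    return findings


def check_policy_json(text):
    """Convenience wrapper for a policy document held as a JSON string."""
    return find_unscoped_assume_role(json.loads(text))
```

Running `find_unscoped_assume_role` over a template's extracted policy documents gives a quick pre-deploy lint for the finding in this issue; it reports the broad sample and passes the scoped one.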