From 244a3452a868732a4ac22db74675161e7de7ef48 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Mon, 10 Jun 2019 13:16:20 +0200
Subject: [PATCH] fix(sqs): remove 'Batch' permissions

Batch permissions are automatically implied when given regular API call permissions. For example, giving IAM permissions to `sqs:SendMessage` gives permission to call both `SendMessage` and `SendMessageBatch`.

Fixes #2381.
---
 .../test/sqs/integ.sqs-event-rule-target.expected.json | 3 +--
 .../@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts | 3 ---
 .../test/integ.sqs.expected.json | 2 --
 .../@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts | 2 --
 .../@aws-cdk/aws-s3-notifications/test/queue.test.ts | 1 -
 .../test/sqs/integ.bucket-notifications.expected.json | 5 +----
 packages/@aws-cdk/aws-sqs/lib/queue-base.ts | 9 ---------
 packages/@aws-cdk/aws-sqs/test/test.sqs.ts | 4 ----
 8 files changed, 2 insertions(+), 27 deletions(-)

diff --git a/packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json b/packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json
index cf16e28d07764..a2c84aa56a819 100644
--- a/packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json
+++ b/packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json
@@ -29,7 +29,6 @@
 {
 "Action": [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
@@ -75,4 +74,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts b/packages/@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts
index 24236fa910ef8..5d109a07df444 100644
--- a/packages/@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts
+++ b/packages/@aws-cdk/aws-events-targets/test/sqs/sqs.test.ts
@@ -22,7 +22,6 @@ test('sns topic as an event rule target', () => {
 {
 Action: [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
@@ -86,7 +85,6 @@ test('multiple uses of a queue as a target results in multi policy statement bec
 {
 Action: [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
@@ -112,7 +110,6 @@ test('multiple uses of a queue as a target results in multi policy statement bec
 {
 Action: [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.sqs.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.sqs.expected.json
index 53cbc327dc4ad..3870ec4882b60 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.sqs.expected.json
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.sqs.expected.json
@@ -50,10 +50,8 @@
 "Action": [
 "sqs:ReceiveMessage",
 "sqs:ChangeMessageVisibility",
- "sqs:ChangeMessageVisibilityBatch",
 "sqs:GetQueueUrl",
 "sqs:DeleteMessage",
- "sqs:DeleteMessageBatch",
 "sqs:GetQueueAttributes"
 ],
 "Effect": "Allow",
diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts
index 2fffbf66ea9e0..b93568fa28d24 100644
--- a/packages/@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts
+++ b/packages/@aws-cdk/aws-lambda-event-sources/test/test.sqs.ts
@@ -25,10 +25,8 @@ export = {
 "Action": [
 "sqs:ReceiveMessage",
 "sqs:ChangeMessageVisibility",
- "sqs:ChangeMessageVisibilityBatch",
 "sqs:GetQueueUrl",
 "sqs:DeleteMessage",
- "sqs:DeleteMessageBatch",
 "sqs:GetQueueAttributes"
 ],
 "Effect": "Allow",
diff --git a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
index 1728deaa5b905..977cc00c5f7fb 100644
--- a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
+++ b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts
@@ -19,7 +19,6 @@ test('queues can be used as destinations', () => {
 {
 Action: [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
diff --git a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
index 6b039f58ba7d5..4e2224aa5b8cc 100644
--- a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
+++ b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json
@@ -61,7 +61,6 @@
 {
 "Action": [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
@@ -99,7 +98,6 @@
 {
 "Action": [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
@@ -390,7 +388,6 @@
 {
 "Action": [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],
@@ -436,4 +433,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-sqs/lib/queue-base.ts b/packages/@aws-cdk/aws-sqs/lib/queue-base.ts
index 658096d8a6a27..1e855d63d5acc 100644
--- a/packages/@aws-cdk/aws-sqs/lib/queue-base.ts
+++ b/packages/@aws-cdk/aws-sqs/lib/queue-base.ts
@@ -42,10 +42,8 @@ export interface IQueue extends IResource {
 * This will grant the following permissions:
 *
 * - sqs:ChangeMessageVisibility
- * - sqs:ChangeMessageVisibilityBatch
 * - sqs:DeleteMessage
 * - sqs:ReceiveMessage
- * - sqs:DeleteMessageBatch
 * - sqs:GetQueueAttributes
 * - sqs:GetQueueUrl
 *
@@ -59,7 +57,6 @@ export interface IQueue extends IResource {
 * This will grant the following permissions:
 *
 * - sqs:SendMessage
- * - sqs:SendMessageBatch
 * - sqs:GetQueueAttributes
 * - sqs:GetQueueUrl
 *
@@ -147,10 +144,8 @@ export abstract class QueueBase extends Resource implements IQueue {
 * This will grant the following permissions:
 *
 * - sqs:ChangeMessageVisibility
- * - sqs:ChangeMessageVisibilityBatch
 * - sqs:DeleteMessage
 * - sqs:ReceiveMessage
- * - sqs:DeleteMessageBatch
 * - sqs:GetQueueAttributes
 * - sqs:GetQueueUrl
 *
@@ -160,10 +155,8 @@ export abstract class QueueBase extends Resource implements IQueue {
 const ret = this.grant(grantee,
 'sqs:ReceiveMessage',
 'sqs:ChangeMessageVisibility',
- 'sqs:ChangeMessageVisibilityBatch',
 'sqs:GetQueueUrl',
 'sqs:DeleteMessage',
- 'sqs:DeleteMessageBatch',
 'sqs:GetQueueAttributes');
 
 if (this.encryptionMasterKey) {
@@ -179,7 +172,6 @@ export abstract class QueueBase extends Resource implements IQueue {
 * This will grant the following permissions:
 *
 * - sqs:SendMessage
- * - sqs:SendMessageBatch
 * - sqs:GetQueueAttributes
 * - sqs:GetQueueUrl
 *
@@ -188,7 +180,6 @@ export abstract class QueueBase extends Resource implements IQueue {
 public grantSendMessages(grantee: iam.IGrantable) {
 const ret = this.grant(grantee,
 'sqs:SendMessage',
- 'sqs:SendMessageBatch',
 'sqs:GetQueueAttributes',
 'sqs:GetQueueUrl');
 
diff --git a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
index 5d25587b5385e..18c22edfcba05 100644
--- a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
+++ b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts
@@ -112,10 +112,8 @@ export = {
 testGrant((q, p) => q.grantConsumeMessages(p),
 'sqs:ReceiveMessage',
 'sqs:ChangeMessageVisibility',
- 'sqs:ChangeMessageVisibilityBatch',
 'sqs:GetQueueUrl',
 'sqs:DeleteMessage',
- 'sqs:DeleteMessageBatch',
 'sqs:GetQueueAttributes',
 );
 test.done();
@@ -124,7 +122,6 @@ export = {
 'grantSendMessages'(test: Test) {
 testGrant((q, p) => q.grantSendMessages(p),
 'sqs:SendMessage',
- 'sqs:SendMessageBatch',
 'sqs:GetQueueAttributes',
 'sqs:GetQueueUrl',
 );
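Review bot: The doc comments on grantConsumeMessages and grantSendMessages in queue-base.ts (hunks -147 and -179, and the matching IQueue comments in hunks -42 and -59) now list only the non-batch actions without saying why the Batch names are gone, so a future maintainer reading the list is likely to "fix" it by adding `sqs:SendMessageBatch` back and widening the policy again. The reason is only in the commit message; it belongs in the code, e.g. after the list: ` * (The *Batch API calls are authorized by the same non-batch action names, so no separate Batch permission is needed.)`. The bodies of both grant methods begin and end outside the hunks shown here. If testGrant in test.sqs.ts compares the exact action list, the updated expectations already guard against the names creeping back; if it only checks for inclusion, an explicit assertion that no Batch action is present would be worth adding.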
@@ -250,7 +247,6 @@ export = {
 {
 "Action": [
 "sqs:SendMessage",
- "sqs:SendMessageBatch",
 "sqs:GetQueueAttributes",
 "sqs:GetQueueUrl"
 ],