Dmytro Sonko
I propose not triggering the check for these AWS services: Lambda, API Gateway, EC2, Backup, Glue.
On Thu, Sep 7, 2023 at 10:33 AM Nacho Rivera ***@***.***> wrote:
> @D592...
OK, it's correct for **non-service-linked** roles, but the role with a trust policy like the one below is a **service role** - however, the aws:SourceArn and aws:SourceAccount conditions do not make sense here. The same...
OK - my point is true for trust entities of the **service** roles. According to AWS Support: There is no public documentation which lists all the services which support the...
References:
[1] https://docs.aws.amazon.com/sagemaker/latest/dg/security-confused-deputy-prevention.html
[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/service-role.html#custom-role
[3] https://docs.aws.amazon.com/machine-learning/latest/dg/redshift-parameters.html
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
[5] https://repost.aws/knowledge-center/iam-role-chaining-limit
Despite the fact that it is stated that the Lambda service doesn't support aws:SourceAccount and aws:SourceArn condition keys, I have tested the policy, which works." { "Version": "2012-10-17", "Statement": [...
I would say that there is a certain logic in such access settings behavior. A role is generated that defines the Lambda execution parameters. Changes to network settings are not...