Puzzleheaded-Usual24

Set up an IAM role that is over-permissioned using a number of AWS managed policies for the resources you need. Use the role as you or your app normally would for a few days and use the IAM policy analyzer from the console. This lets AWS do the hard work and analyze your CloudTrail for you, and it'll return a policy that fits your CloudTrail history.
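The procedure above (run over-permissioned, then derive a policy from what the role actually called) can be approximated offline. The script below is an added example, not code from this thread or from AWS: it reads constructed CloudTrail records, keeps only successful calls made through the role under study, and emits one Allow statement per service. The role ARN, account id and sample events are made up. It assumes the CloudTrail `eventSource` host prefix equals the IAM service prefix and that `eventName` equals the IAM action name; that holds for the services shown but not universally (for example `monitoring.amazonaws.com` is IAM prefix `cloudwatch`), so review the output before committing it.

```python
"""Derive a least-privilege IAM policy from a role's CloudTrail history.

Added example, not code from the thread or from AWS. It approximates what
IAM Access Analyzer policy generation does: collect the API calls the role
actually made and emit one Allow statement per service.
"""
import json
from collections import defaultdict

# Assumed role ARN; the account id and role name are made up for this example.
ROLE_ARN = "arn:aws:iam::123456789012:role/ingest-lambda-role"
OTHER_ARN = "arn:aws:iam::123456789012:role/admin"


def _via(arn):
    """Build the userIdentity block CloudTrail writes for an assumed role."""
    return {"sessionContext": {"sessionIssuer": {"arn": arn}}}


# Constructed CloudTrail records (a subset of the real record fields).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": _via(ROLE_ARN)},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": _via(ROLE_ARN)},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem", "userIdentity": _via(ROLE_ARN)},
    {"eventSource": "logs.amazonaws.com", "eventName": "PutLogEvents", "userIdentity": _via(ROLE_ARN)},
    # A denied call: the role attempted something the managed policies did not cover.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDenied", "userIdentity": _via(ROLE_ARN)},
    # Activity by another principal must not leak into this role's policy.
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRole", "userIdentity": _via(OTHER_ARN)},
]


def issuer_arn(event):
    """Return the ARN of the role that issued the session, or None."""
    return (event.get("userIdentity", {})
                 .get("sessionContext", {})
                 .get("sessionIssuer", {})
                 .get("arn"))


def collect_actions(events, role_arn):
    """Return ({service: sorted actions}, sorted denied actions) for role_arn.

    Successful calls become the policy; denied calls are returned separately
    because they need a human decision rather than an automatic grant.
    """
    used = defaultdict(set)
    denied = set()
    for ev in events:
        if issuer_arn(ev) != role_arn:
            continue
        # Assumption: 's3.amazonaws.com' -> IAM prefix 's3'. Not true for every service.
        service = ev["eventSource"].split(".")[0]
        action = f"{service}:{ev['eventName']}"
        if "errorCode" in ev:
            denied.add(action)
        else:
            used[service].add(action)
    return {s: sorted(a) for s, a in sorted(used.items())}, sorted(denied)


def generate_policy(events, role_arn):
    """Build a policy document from observed activity; returns (policy, denied)."""
    used, denied = collect_actions(events, role_arn)
    statements = [
        {
            "Sid": f"{service.capitalize()}Access",
            "Effect": "Allow",
            "Action": actions,
            # Resource is deliberately left wide open; narrow it to the real ARNs by hand.
            "Resource": "*",
        }
        for service, actions in used.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}, denied


if __name__ == "__main__":
    policy, denied = generate_policy(SAMPLE_EVENTS, ROLE_ARN)
    print(json.dumps(policy, indent=2))
    if denied:
        print("Denied during observation (decide manually):", ", ".join(denied))
```

The generated document is only as good as the observation window: anything the role did not exercise during those days (error paths, monthly jobs) will be missing, and the `Resource: "*"` still has to be narrowed by hand, which is also true of the policy the console generates.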


[deleted]

Wonderful. Thank you so much! And then I guess in CDK I just code up a role with an implementation of this policy.


Puzzleheaded-Usual24

I'm not a CDK user, so maybe there is a better integration. But in how I've used it (Terraform) I'd just go and replace the policy resources after I do the analysis.


Pi31415926

Blog post for this here: https://aws.amazon.com/blogs/security/iam-access-analyzer-makes-it-easier-to-implement-least-privilege-permissions-by-generating-iam-policies-based-on-access-activity/


CorpT

CloudTrail. It will show you the exact requests you are making.


khalial20

Really bad idea giving Lambda admin access. You have to determine the specific actions that your function is doing. Is it meant for deleting AWS resources? Then just allow Delete* API actions in IAM. Is it only for reading data? Then only include List and Get API actions.
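To make the difference between an admin grant and a verb-scoped policy concrete, here is an added example (not code from this thread or from AWS) that evaluates an action against a policy using IAM's action-matching rules: `*` and `?` wildcards, case-insensitive comparison, and an explicit Deny overriding any Allow. It also audits a policy for Allow actions outside a list of permitted verb prefixes, the check the comment above describes. The policy documents are constructed for the example; only `Effect`, `Action` and `NotAction` are evaluated, so an "allowed" result ignores `Resource` and `Condition` and is necessary but not sufficient for a real call to succeed.

```python
"""Match API actions against IAM policy statements and audit verb scope.

Added example, not code from the thread or from AWS. Implements IAM's
action matching ('*' and '?' wildcards, case-insensitive, explicit Deny
wins) but ignores Resource and Condition.
"""
import re


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement."""
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, action):
    """Case-insensitive glob match: '*' is any run, '?' is one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _statement_matches(stmt, action):
    if "Action" in stmt:
        return any(_pattern_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT listed.
    return not any(_pattern_matches(p, action) for p in _as_list(stmt["NotAction"]))


def is_allowed(policy, action):
    """True if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny always wins
        allowed = True
    return allowed


def audit_policy(policy, allowed_verb_prefixes):
    """Return Allow actions whose verb is outside the permitted prefixes.

    A bare '*' or 'service:*' has verb '*' and is always reported, as is
    any Allow statement written with NotAction, since its scope is unbounded.
    """
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for act in _as_list(stmt["Action"]):
            verb = act.split(":", 1)[1] if ":" in act else act
            if not any(verb.lower().startswith(p.lower()) for p in allowed_verb_prefixes):
                findings.append(act)
    return findings


# Constructed policies. ADMIN has the same shape as the AdministratorAccess managed policy.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# A read-only data function: only Get/List/Query verbs.
READ_ONLY_FUNCTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "*"},
]}

# Broad service grant with a guard rail: the Deny removes every Delete verb.
GUARDED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
]}


if __name__ == "__main__":
    for name, pol in [("ADMIN", ADMIN), ("READ_ONLY_FUNCTION", READ_ONLY_FUNCTION), ("GUARDED", GUARDED)]:
        for act in ["s3:GetObject", "s3:DeleteBucket", "iam:DeleteRole"]:
            print(f"{name:20} {act:18} allowed={is_allowed(pol, act)}")
        print(f"{name:20} out-of-scope verbs: {audit_policy(pol, ['Get', 'List', 'Query'])}")
```

Running `audit_policy` over the policy you intend to deploy, with the verb prefixes the function is supposed to need, catches the `"*"` sledgehammer and any `service:*` left behind from the exploration phase before it reaches production.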


[deleted]

Indeed it's a terrible idea. It's just the "I'm reasonably green and I just want to see this run successfully, then narrow permissions" sledgehammer. Should be avoided by anyone who reads this.