Replies: 2 comments 3 replies
-
|
Cdknag is always complaining about this. I definitely agree with the approach here. We need to be building with least privilege in mind by default! 🚀🥳🚀 |
Beta Was this translation helpful? Give feedback.
-
|
In the AWS Solutions nag pack,
Since AWS managed policies are used in many L2/3 constructs (example), I end up adding dozens of suppressions for |
Beta Was this translation helpful? Give feedback.
-
|
Same over here. I would love to stop having to code the suppressions into every single one of my projects |
Beta Was this translation helpful? Give feedback.
-
|
I do want to make to note that cdk-nag isn't part of the CDK or maintained by the CDK team. I think not having to suppress the rule is a side benefit to fixing the actual problem |
Beta Was this translation helpful? Give feedback.
-
|
Right. It's definitely a side benefit. But the reason it's part of CDK nag is that it has a security smell. I definitely think that whatever our defaults are for using CDK should be at the highest security bar. Secure by default. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I think it would be ultimately beneficial to replace AWS Managed Policies in L2+ constructs with Customer Managed Policies/Inline Policies and would like to hear other people's thoughts on the matter
Background
I've had many cases where I've been asked to remove AWS Managed Policies from L2+ constructs. While this can be done through Aspects and Overrides this is both tedious and not friendly.
Rationale
There are 2 main problems using AWS managed policies
Pros
Cons
Beta Was this translation helpful? Give feedback.
All reactions