Comments (3)
Hey @fade2black thanks for raising the issue.
The role is created for the pipeline to deploy resources of your application through CloudFormation. As the pipeline does not have any knowledge about your application (e.g. what resources will be created/updated), the role gives CloudFormation full access. In other words, it ensures CloudFormation is able to deploy any change from your application template.
The risk thus lies in the application template - if an attacker adds a malicious resource in your application template (e.g. an IAM Role with admin access), the pipeline will deploy it. Mitigation of this risk is to make sure only authorized persons can commit to your application template, and have a thorough review process before any change can be merged.
Alternatively, you can create your own CloudFormation Execution Role with limited scope for your application and supply that role when you create your pipeline.
Please let me know if you have any further questions.
from aws-sam-cli.
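The review step described in the comment above can be backed by an automated gate. The following is an added example, not code from the issue or from aws-sam-cli: it scans a CloudFormation template for IAM resources that grant admin access, covering only two patterns (the AdministratorAccess managed policy and an inline `Allow` of `*` on `*`). It assumes the template is available in JSON form; the function name and the sample template are constructed for illustration.

```python
import json

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
             "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

def _as_list(value):
    # Action, Resource and Statement may each be a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_admin_statement(stmt):
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action"))
            and "*" in _as_list(stmt.get("Resource")))

def find_admin_grants(template):
    """Return (logical_id, reason) for IAM resources granting admin access."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        # json.dumps also catches the ARN when it sits inside Fn::Sub.
        for arn in _as_list(props.get("ManagedPolicyArns")):
            if "policy/AdministratorAccess" in json.dumps(arn):
                findings.append((logical_id, "AdministratorAccess attached"))
        docs = [p.get("PolicyDocument", {}) for p in _as_list(props.get("Policies"))]
        docs.append(props.get("PolicyDocument", {}))  # AWS::IAM::Policy types
        for doc in docs:
            if any(_is_admin_statement(s) for s in _as_list(doc.get("Statement"))):
                findings.append((logical_id, "inline Allow * on *"))
    return findings

# Constructed sample template (JSON form), not taken from the issue.
SAMPLE = json.loads("""{"Resources": {
  "ApiFunction": {"Type": "AWS::Serverless::Function", "Properties": {"Handler": "app.handler"}},
  "ReaderRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "read",
    "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::example-bucket/*"}]}}]}},
  "OpsRole": {"Type": "AWS::IAM::Role", "Properties": {"ManagedPolicyArns": [
    {"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"}]}},
  "WidePolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "wide", "Roles": ["OpsRole"],
    "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": ["*"], "Resource": "*"}}}}
}}""")

if __name__ == "__main__":
    for logical_id, reason in find_admin_grants(SAMPLE):
        print(f"BLOCK {logical_id}: {reason}")
```

A non-empty result is a reason to fail the merge check and send the change to a human reviewer; an empty result does not mean the template is safe, only that neither of the two patterns is present.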
@hawflau Clear now. Thank you for the reply.
⚠️ COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.