Comments (3)
Hey @fade2black thanks for raising the issue.
The role is created for the pipeline to deploy resources of your application through CloudFormation. As the pipeline does not have any knowledge about your application (e.g. what resources will be created/updated), the role gives CloudFormation full access. In other words, it ensures CloudFormation is able to deploy any change from your application template.
The risk thus lies in the application template - if an attacker adds a malicious resource in your application template (e.g. an IAM Role with admin access), the pipeline will deploy it. Mitigation of this risk is to make sure only authorized persons can commit to your application template, and have a thorough review process before any change can be merged.
Alternatively, you can create your own CloudFormation Execution Role with limited scope for your application and supply that role when you create your pipeline.
Please let me know if you have any further questions.
from aws-sam-cli.
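The two mitigations in the comment above, a review gate on the template and a scoped execution role, can be partly automated. What follows is an added example, not code from aws-sam-cli or from the commenter: a standard-library Python check that fails a merge when a SAM/CloudFormation template adds a resource granting admin or IAM-escalation rights. It reads the JSON form of a template (YAML would need PyYAML, a dependency assumed away here); the admin policy names, the escalation action list and the sample template are constructed for the example.

```python
"""Pre-merge gate for SAM/CloudFormation templates (added example, not
aws-sam-cli code). With a full-access CloudFormation execution role,
anything merged into the template gets deployed, so block resources that
would widen IAM privilege before they reach the pipeline."""
import fnmatch
import json
import sys

# Managed policies that amount to account-wide admin, by name: SAM accepts
# bare names in Serverless::Function Policies and full ARNs elsewhere.
# Assumption: a starting list, extend it for your account.
ADMIN_MANAGED_POLICIES = {"AdministratorAccess", "IAMFullAccess", "PowerUserAccess"}

# IAM actions that let a principal mint itself more privilege (constructed list).
ESCALATION_ACTIONS = {
    "iam:createrole", "iam:attachrolepolicy", "iam:putrolepolicy",
    "iam:attachuserpolicy", "iam:putuserpolicy", "iam:createaccesskey",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:updateassumerolepolicy", "iam:passrole",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_admin_policy_ref(value):
    # Matches "AdministratorAccess" and "arn:aws:iam::aws:policy/AdministratorAccess".
    return isinstance(value, str) and value.rsplit("/", 1)[-1] in ADMIN_MANAGED_POLICIES


def _statement_risk(stmt):
    """Reason string if an Allow statement on Resource "*" covers an escalation
    action, else None. Statements scoped to concrete ARNs pass (assumption)."""
    if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
        return None
    if "*" not in _as_list(stmt.get("Resource", [])):
        return None
    if "NotAction" in stmt:
        return "Allow with NotAction on Resource *"
    for pattern in _as_list(stmt.get("Action", [])):
        if not isinstance(pattern, str):
            continue
        # fnmatch expands IAM wildcards such as "*", "iam:*" and "iam:Create*".
        hits = [a for a in ESCALATION_ACTIONS if fnmatch.fnmatchcase(a, pattern.lower())]
        if hits:
            return f"action {pattern!r} on Resource * covers {sorted(hits)[0]}"
    return None


def _policy_documents(props):
    """Inline policy documents in the shapes used by IAM::Role/User/Group
    (Policies: [{PolicyName, PolicyDocument}]), IAM::Policy/ManagedPolicy
    (PolicyDocument) and Serverless::Function (Policies: [{Statement: ...}])."""
    docs = []
    if isinstance(props.get("PolicyDocument"), dict):
        docs.append(props["PolicyDocument"])
    for entry in _as_list(props.get("Policies", [])):
        if isinstance(entry, dict):
            if isinstance(entry.get("PolicyDocument"), dict):
                docs.append(entry["PolicyDocument"])
            elif "Statement" in entry:
                docs.append(entry)
    return docs


def find_privilege_escalation(template):
    """Return [(logical_id, reason), ...] for resources that widen IAM privilege."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties") or {}
        refs = _as_list(props.get("ManagedPolicyArns", [])) + _as_list(props.get("Policies", []))
        for ref in refs:
            if _is_admin_policy_ref(ref):
                findings.append((logical_id, f"attaches admin managed policy {ref}"))
        for doc in _policy_documents(props):
            for stmt in _as_list(doc.get("Statement", [])):
                reason = _statement_risk(stmt)
                if reason:
                    findings.append((logical_id, reason))
    return findings


# Constructed sample: one clean function and three resources a reviewer should block.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "ApiFunction": {"Type": "AWS::Serverless::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
            "Policies": ["AWSLambdaBasicExecutionRole", {"Statement": [{
                "Effect": "Allow", "Action": ["dynamodb:GetItem"],
                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}]}},
        "BackdoorRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]}},
        "EscalatingPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyName": "looks-harmless", "Roles": [{"Ref": "BackdoorRole"}],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "iam:Create*", "Resource": "*"}]}}},
        "Worker": {"Type": "AWS::Serverless::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "w.handler", "CodeUri": "src/",
            "Policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]}},
    },
}

if __name__ == "__main__":
    # Usage in CI: python gate.py packaged-template.json  (exit 1 blocks the merge)
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    findings = find_privilege_escalation(template)
    for logical_id, reason in findings:
        print(f"BLOCK {logical_id}: {reason}")
    sys.exit(1 if findings else 0)
```

Run it as a pre-merge step on the template, and pair it with the second mitigation from the comment: pass a scoped execution role with `sam pipeline bootstrap --cloudformation-execution-role <arn>` (or `sam deploy --role-arn <arn>`), so CloudFormation cannot create IAM resources beyond what that role permits even if a risky change slips past review. The check is deliberately narrow (it only understands the policy shapes listed in `_policy_documents`), so it complements human review rather than replacing it.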
@hawflau Clear now. Thank you for the reply.
⚠️ COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.