How to narrow down scope of AWS Kinesis cross account role
So we create an AWS Kinesis stream in account A and create a role with only the PutRecord permission, and then we give the role to account B, where their Lambda assumes the role and accordingly sends the data in.
But the problem here is the trust policy, which has root access, and anyone in account B can assume the role and start pushing data:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT2:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Can we reduce the scope to a particular service in account B (the Lambda function), so that no other service can push data?
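Added example, not part of the question above: the trust policy as posted beside a narrowed version whose principal is the Lambda function's execution role in account B (the account id and role name are constructed placeholders), plus a check that flags account-root or wildcard principals in a trust policy, the kind of test you would run over roles during a review.

```python
# Constructed placeholders for the example; substitute the real account id and
# the execution role attached to the Lambda function in account B.
ACCOUNT_B = "222222222222"
LAMBDA_ROLE = "ingest-lambda-exec-role"

# The trust policy from the question: every IAM principal in account B that
# holds sts:AssumeRole may assume this role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}

# Narrowed trust policy: only the Lambda function's execution role may assume
# it, and the AssumeRole call must also carry the agreed ExternalId.
NARROWED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:role/{LAMBDA_ROLE}"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "kinesis-ingest-b"}},
    }],
}


def overly_broad_principals(trust_policy: dict) -> list:
    """Return each AWS principal in an Allow/AssumeRole statement that is an
    account root ('...:root') or a wildcard, i.e. not a single role or user."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*" or arn.endswith(":root"):
                findings.append(arn)
    return findings
```

With a role ARN as the principal, the Lambda code must pass the same ExternalId in its AssumeRole call, and if that execution role is ever deleted and recreated, the trust policy has to be updated, because IAM stores the role's unique id behind the ARN.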
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow