Expected Behavior
IAM Roles created by CloudFormation should be bound by resource or conditional statements.
Actual Behavior
StackSet creates an IAM role (DatadogStreamStackSetExecutionRole) which grants it unrestricted access to assume any role within the AWS account (essentially granting administrator privileges, and making all of the other IAM grants irrelevant):
```yaml
- Effect: Allow
  Action:
    - iam:GetRole
    - iam:PassRole
  Resource: "*"
```
Please update this template to add a condition to the CloudFormation so that the StackSet can only assume the specific roles it needs to perform the updates required.
Steps to Reproduce the Problem
- Implement AWS monitoring via CloudFormation Stackset
Specifications
- Datadog CloudFormation template version:
Stacktrace
Policy statement quoted above: cloudformation-template/aws_streams/streams_main.yaml, lines 100 to 104 at commit 8cd365f.
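As an added illustration of the fix the issue asks for (this is example YAML written for this report, not the project's template), the same statement split in two and scoped down: `iam:GetRole` limited to named role ARNs, and `iam:PassRole` limited to those ARNs and further conditioned with the IAM condition key `iam:PassedToService`, so the execution role can only hand a role to the services that need to assume it. The role names and the service principals are placeholders/assumptions; replace them with the roles the StackSet actually creates and the services those roles are passed to.

```yaml
# Added example, not the project's own template. Role names are placeholders;
# the service principals are assumptions about what the stack passes roles to.
PolicyDocument:
  Version: "2012-10-17"
  Statement:
    # Weak form as quoted in the issue (kept here only for comparison):
    # - Effect: Allow
    #   Action: [iam:GetRole, iam:PassRole]
    #   Resource: "*"
    #
    # Scoped form: read only the roles this stack manages.
    - Sid: ReadManagedRolesOnly
      Effect: Allow
      Action:
        - iam:GetRole
      Resource:
        - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PLACEHOLDER-FirehoseDeliveryRole"
        - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PLACEHOLDER-LogsToFirehoseRole"
    # Scoped form: pass only those roles, and only to the services that will assume them.
    - Sid: PassManagedRolesToKnownServicesOnly
      Effect: Allow
      Action:
        - iam:PassRole
      Resource:
        - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PLACEHOLDER-FirehoseDeliveryRole"
        - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PLACEHOLDER-LogsToFirehoseRole"
      Condition:
        StringEquals:
          # Placeholder service principals; set these to the services that actually
          # assume the passed roles in this template.
          iam:PassedToService:
            - firehose.amazonaws.com
            - logs.amazonaws.com
```

The `Resource` list closes the "any role in the account" gap the issue describes, and the `iam:PassedToService` condition additionally prevents the listed roles from being passed to an unexpected service even if a future edit widens the resource list. Explicit ARNs are preferable to wildcards on the role name so a later role added to the account is not silently covered.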