AWS IoT IAM Role Permissions

[benjymoses]

Loving the testing I'm doing so far personally with LLD, but I did notice the IAM role permissions that are added for AWS IoT seem overly permissive.

Is it possible to scope this policy down to the app's needs? One way to implement this easily might be:

1. When creating LLD's IoT resources, tag them
2. Scope the IAM policy to be able to Create specific resource types, and only Update or Delete those specific resources where the tag is present.

I don't know if there are any quirks of how you're using IoT or the resource types you rely on that would make an approach like this impractical, but keen to hear your thoughts.

[benjymoses]

Even scoping down to:

• iot:Connect
• iot:Publish
• iot:Subscribe
• iot:Receive

for now would be better than iot:* while you research it more deeply.

[ServerlessLife]

Hi Ben,

Thank you for your suggestion. Indeed, the policy is too broad.

LLD does not create any resources except for deploying the Lambda Layer. It just adds an inline policy to existing role and attaches the Layer to Lambda. I do not think the tags are needed.

I already prepared the PR, which is basically the policy you suggested. I will let all the CICD tests to run and probably merge and deploy tomorrow. I think narrowing the permissions even further would be hard (not sure if possible), and would not contribute much to security.

As you contributed the new policy, I added you to the list of contributors. Let me know if I should change the name or the link.

Any new suggestions are welcome. 🙌

[ServerlessLife]

🎉 This issue has been resolved in version 1.7.2 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀