IAM Policy Updates #516
Open
IAM Policy Updates #516
Commits on Jul 11, 2023
-
Remove StateBucketPolicy. This policy does not have any effect becaus…
…e it grants permission to account bucket is owned by. Access to this bucket is actually managed via identity policies.
-
Perform "aws:SourceArn" condition checks on OrgBuildRole and OrgPipel…
…ineEventRuleRole trust policies to mitigate confused deputy attacks. Note: CodePipeline does not support "aws:SourceArn" condition as of this time.
-
OrgBuildRole needs following permissions to function without Administ…
…ratorAccess policy: - ec2:DescribeRegions - assume role "OrganizationFormationBuildAccessRole" in all organization accounts
-
OrgBuildRole needs permission to post events when it updates organiza…
…tion e.g.: removes SCP
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.