There is a similar issue with AWS. AWS provides a "ReadOnlyAccess" managed policy that has additional privileges that you probably don't want folks to have (e.g. it can read S3 bucket content, not just see bucket names/key names). They recognized this and created a more limited "ViewOnlyAccess" that doesn't have access to content.
There's another common fix, which is to apply a permission boundary to IAM roles. This allows the use of generic policies like "ReadOnlyAccess" but can then be further downscoped to resources by tag (or other similar ABAC schemes).
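The boundary described in the two replies above, written out as an added example rather than something posted in this thread: it keeps list/describe visibility everywhere, but caps S3 content reads (the part of "ReadOnlyAccess" the first reply objects to) to objects carrying an assumed `team=blue` tag. The tag key, tag value and bucket name are assumptions; a boundary only sets the ceiling, so the role still needs an identity policy (e.g. "ReadOnlyAccess") and gets the intersection of the two.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndDescribeOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ObjectContentOnlyForOwnTeam",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-team-bucket/*",
      "Condition": {
        "StringEquals": { "s3:ExistingObjectTag/team": "blue" }
      }
    }
  ]
}
```

Attach it with `--permissions-boundary` on `aws iam create-role` (or `put-role-permissions-boundary` for an existing role); note that most `Describe*`/`List*` actions do not support resource-level or tag conditions, which is why the first statement stays on `"Resource": "*"` and the tag scoping is applied only to the content-reading action.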
You should not be using any of their managed policies, but creating your own. Using their own managed policies is a strong misunderstanding of how to use IAM.