Teri Radichel


AWS: Please stop putting random values in names because it is making policies very difficult to write

Names are part of the ARN for a reason — they create a unique but predictable way to identify a resource in a policy


I’ve started to notice that AWS is deviating from longtime practices that made it a beautifully engineered platform.

New engineers come on board, I guess, and think, “Wouldn’t it be neat if we…”

And they want to make some change because it’s easier or they think it’s more user friendly but they don’t understand the security implications of those changes.

This is where losing the old guard hurts a company — the people who originally designed the system and understand why it is the way it is and why the patterns and architectures exist.

I’ve already had problems creating policies for AWS SSM parameters and secrets with random values in the ARN but at least they had a name in there.

Now I’ve noticed that Service Control Policies have completely random values in the name, making it difficult to restrict access to change a particular policy.

I also noticed some random numbers on something in IAM for Lambda — I don’t recall whether it was a role or a policy — but please stop doing this.

Resources have a unique name for a reason — the same reason that usernames are unique: so you can identify a single user or resource.

And the name is part of the ARN so you can write consistent policies based on that name — even before the resource is created. You can’t do that with a random value generated after the resource is created, because you don’t know what it will be.

And you really can’t create policies based on ARNs if the IDs change randomly every time you deploy a new version.
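To make the problem concrete, here is an added example (mine, not from the post) that applies IAM’s Resource-pattern matching rules (`*` matches any run of characters, `?` matches exactly one) to constructed Secrets Manager and SCP ARNs, showing what each policy pattern you could write before the resource exists would actually match. The account id, org id, secret names and random suffixes are all made up.

```python
import re

# Constructed sample ARNs: the account id, org id and random suffixes are made up.
SECRET_ARNS = [
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-password-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-password-rotation-lambda-XyZ123",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:dev/db-password-Gh7Kl2",
]
SCP_ARNS = [
    "arn:aws:organizations::123456789012:policy/o-exampleorgid/service_control_policy/p-8f7a6b5c",
    "arn:aws:organizations::123456789012:policy/o-exampleorgid/service_control_policy/p-1d2e3f4a",
]

def iam_resource_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource pattern into a regex: '*' matches any run of
    characters (including ':' and '/'), '?' matches exactly one character,
    everything else is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def matching_resources(pattern: str, arns: list[str]) -> list[str]:
    """Return the ARNs a policy Resource pattern would apply to."""
    rx = iam_resource_regex(pattern)
    return [arn for arn in arns if rx.match(arn)]

def secret_scope_options(secret_name: str, arns: list[str]) -> dict[str, list[str]]:
    """Show how the random 6-character suffix Secrets Manager appends to the
    secret name forces a wildcard into the policy, and what each choice matches."""
    base = f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{secret_name}"
    return {
        # The ARN you know before the secret exists matches nothing: the suffix is unknown.
        "exact_name": matching_resources(base, arns),
        # 'name-*' matches the intended secret but also any secret whose name merely starts with it.
        "name_dash_star": matching_resources(base + "-*", arns),
        # 'name-??????' pins the wildcard to exactly six characters, the narrowest option available.
        "name_dash_six_q": matching_resources(base + "-??????", arns),
    }

def scp_scope_options(arns: list[str]) -> list[str]:
    """For an SCP the whole policy id is random, so there is no name prefix to
    narrow on: the only pattern you can write before creation matches every SCP."""
    prefix = "arn:aws:organizations::123456789012:policy/o-exampleorgid/service_control_policy/p-*"
    return matching_resources(prefix, arns)

if __name__ == "__main__":
    for label, hits in secret_scope_options("prod/db-password", SECRET_ARNS).items():
        print(f"{label}: {len(hits)} secret(s) matched")
    print(f"p-*: {len(scp_scope_options(SCP_ARNS))} SCP(s) matched")
```

The `-??????` form is the tightest pattern the suffix allows, but it still cannot single out one secret among several that share a name prefix and the same suffix length, which is the gap a stable, predictable name would close.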

Please stop making ARNs random and use the naming convention that was established for AWS a long time ago. It is the way it is for a reason.

Thank you. 🙏

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab