by posnet
3377 days ago
It almost always comes down to complexity. The inclusion of boolean logic in the policies is the root cause. Specifically, having not resources, or not principals and their interaction with the other policies in the account. The second highest common cause is misunderstanding how the default deny works. Again, not really an issue with the landon project, but more an observation on how added power (complexity) to access control systems can sometimes make things less secure.

This policy looks reasonable to a casual observer, but actually gives * access to everything in the account. IAM policies are _hard_.
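
The interaction described in the comment above, as an added illustration that is not part of the original post and does not reproduce the policy the commenter refers to. It is a simplified Python model of allow/deny evaluation (no conditions, SCPs, permission boundaries or resource policies; all policies and bucket ARNs are constructed) showing that an Allow with NotResource grants everything outside the list and leaves the excluded bucket only implicitly denied.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # Wildcard match in the style of IAM ("*" and "?").
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def statement_applies(stmt, action, resource):
    # Not* keys invert the match: everything EXCEPT the listed values.
    if "NotAction" in stmt:
        action_ok = not _matches(stmt["NotAction"], action)
    else:
        action_ok = _matches(stmt["Action"], action)
    if "NotResource" in stmt:
        resource_ok = not _matches(stmt["NotResource"], resource)
    else:
        resource_ok = _matches(stmt["Resource"], resource)
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    # Simplified model: explicit Deny wins, then any Allow, else implicit deny.
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision

AUDIT = ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]  # constructed
APP = ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]        # constructed
# Intent: "keep this role out of the audit bucket". Effect: s3:* on every other bucket.
EXCLUDE_VIA_NOT = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "NotResource": AUDIT}]}
# A second, unrelated read-only policy attached to the same principal.
READ_ANY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
# Corrected form: allow only what is needed, and deny the audit bucket explicitly.
HARDENED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": APP},
    {"Effect": "Deny", "Action": "s3:*", "Resource": AUDIT},
]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::audit-logs/2024.log"  # constructed object ARN
    print(evaluate([EXCLUDE_VIA_NOT, READ_ANY], "s3:GetObject", obj))
    print(evaluate([HARDENED, READ_ANY], "s3:GetObject", obj))
```
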