by owenmarshall
1268 days ago
I think the concern is less technical and more policy. I might be able to sts:AssumeRole to any number of roles created by bad cloud engineers that allowed my account instead of another. But - ignoring that it requires exceptional luck to find the right account/role pair - it takes explicit action on my part to move into their account. At the end of the day, I exchange my credentials for those in another account, and that action is logged in my account, theirs, and with AWS. The concern here is this sharing happens without me doing anything. What happens if I get added to an account whose admin cries foul to Google? Or if their account is flagged for violating GCP terms? Given Google’s history, I’d be worried too.