Since every demo eventually becomes production code, may I suggest/request that your demo demonstrate the practice of least privilege?
In particular, I would love for you to provide a "Least Privilege Stack" that creates the IAM permissions sufficient for building and deploying the sam-app stack.
It would be sufficient, I suppose, to provide a list of those least privilege access rights so the user can then create them.
The Lambda functions are using scoped-down roles and the Amplify role is only used for deployment. Is there another area you'd like to see least privilege followed?
Try running the SAM deploy with an assumed role with no privileges. You will gradually discover all the missing privileges. When you fix all the missing privileges with least-privilege, you will have a policy document you can share with this project that a naive user can attach to his or her assumed role.
This is the process the naive user needs to undergo to make this demo successfully deploy. However, the naive user may be unaware of least-privilege, or may simply not have the time to scope down roles. The naive user will do things like give the assumed role much broader permissions.
Some of these quick starts suggest the work be undertaken in an "admin" account, which is the ultimate in ignoring least-privilege.
I'd like for you to take on the responsibility of guiding the naive user to
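The iterative "deploy with no privileges, read the AccessDenied, add one permission, repeat" loop described above is tedious to do by hand. Below is an added example (not code from this project or the comment authors) that mechanises the bookkeeping half of that loop: it takes the text of a failed `sam deploy` run, pulls out every IAM denial in the standard "User: ... is not authorized to perform: <action> on resource: <arn>" message shape, deduplicates them, and emits an IAM policy document with one Allow statement per resource. The sample deploy output, the role name `sam-deployer`, the account ID and the resource ARNs are all constructed for illustration; a real run will produce different resources, and the loop still has to be re-run until the deploy succeeds because each fix only exposes the next denial.

```python
import json
import re
from collections import defaultdict

# Standard IAM AccessDenied message shape. The "on resource:" clause is
# optional (some actions are not resource-scoped) and any trailing
# "because ..." explanation is ignored because the resource pattern stops
# at whitespace or a closing quote.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r'(?: on resource: (?P<resource>[^\s"]+))?'
)

# Constructed sample of what a failed `sam deploy` under a nearly empty
# assumed role might print across a few iterations. Account ID, role name,
# bucket name and random CloudFormation suffixes are made up.
SAMPLE_DEPLOY_OUTPUT = """\
Error: Failed to create changeset for the stack: sam-app, An error occurred (AccessDenied) when calling the CreateChangeSet operation: User: arn:aws:sts::123456789012:assumed-role/sam-deployer/session is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:123456789012:stack/sam-app/*
Error: Failed to upload artifacts: An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::123456789012:assumed-role/sam-deployer/session is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-abc123/sam-app/abcd.template because no identity-based policy allows the s3:PutObject action
Resource handler returned message: "User: arn:aws:sts::123456789012:assumed-role/sam-deployer/session is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/sam-app-HelloWorldFunctionRole-XYZ"
Resource handler returned message: "User: arn:aws:sts::123456789012:assumed-role/sam-deployer/session is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:sam-app-HelloWorldFunction-XYZ"
User: arn:aws:sts::123456789012:assumed-role/sam-deployer/session is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/sam-app-HelloWorldFunctionRole-XYZ
An error occurred (AccessDenied) when calling the ListBuckets operation: User: arn:aws:sts::123456789012:assumed-role/sam-deployer/session is not authorized to perform: s3:ListAllMyBuckets
"""


def parse_denials(output):
    """Return the set of (action, resource) pairs denied in deploy output.

    Duplicate denials (the same failure reported by several layers) collapse
    to one entry. A denial with no resource clause maps to "*".
    """
    denials = set()
    for line in output.splitlines():
        match = DENIED_RE.search(line)
        if match:
            denials.add((match.group("action"), match.group("resource") or "*"))
    return denials


def build_policy(denials):
    """Build an IAM policy with one Allow statement per resource ARN."""
    actions_by_resource = defaultdict(set)
    for action, resource in denials:
        actions_by_resource[resource].add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(actions_by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(policy):
    """List actions granted on Resource "*"; these deserve a manual look,
    since the denial message gave no ARN to scope them to."""
    return sorted(
        action
        for statement in policy["Statement"]
        if statement["Resource"] == "*"
        for action in statement["Action"]
    )


def policy_from_output(output):
    """One-shot helper: deploy output text -> policy document (dict)."""
    return build_policy(parse_denials(output))


if __name__ == "__main__":
    policy = policy_from_output(SAMPLE_DEPLOY_OUTPUT)
    print(json.dumps(policy, indent=2))
    for action in wildcard_actions(policy):
        print(f"review: {action} is granted on Resource '*'")
```

Feed it the captured stderr/stdout of each failed `sam deploy` round, attach the resulting document to the deployment role, and run again until the deploy completes; the union of all rounds is the candidate least-privilege policy. Two things still need a human: CloudFormation appends random suffixes to generated names such as `sam-app-HelloWorldFunctionRole-XYZ`, so those ARNs have to be generalised to a prefix wildcard (for example `role/sam-app-*`) or the policy breaks on the next stack update, and anything reported on Resource `*` should be checked against the service's documentation to see whether it can be narrowed.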