@@ -38,7 +38,7 @@ Content will be below, but you should copy it to a text editor first, and replac
3838 "dynamodb:Scan"
3939 ],
4040 "Resource": [
41- "arn:aws:dynamodb:*:__ACCOUNT_ID__ :table/alertmanager_alerts"
41+ "arn:aws:dynamodb:*:* :table/alertmanager_alerts"
4242 ]
4343 },
4444 {
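Review bot: the account wildcard in `"arn:aws:dynamodb:*:* :table/alertmanager_alerts"` drops the only identity-side constraint tying `dynamodb:Scan` to this account's table. An identity policy on its own cannot reach a table in another account, but the reverse is also true: if another account ever grants this principal access through a resource-based policy, nothing left in this statement refuses it, and the region wildcard likewise lets the principal scan a same-named table created in any other region. Suggest keeping `"arn:aws:dynamodb:*:__ACCOUNT_ID__:table/alertmanager_alerts"` and lowering the copy-paste burden instead, e.g. by telling the reader to run `aws sts get-caller-identity --query Account --output text` to obtain the id. Separately, both the removed and the added line show a space between `*` and `:table/`; if that whitespace is in the policy file rather than only in the rendered page, the ARN matches nothing and the statement is a no-op.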
@@ -51,7 +51,7 @@ Content will be below, but you should copy it to a text editor first, and replac
5151 "dynamodb:ListStreams"
5252 ],
5353 "Resource": [
54- "arn:aws:dynamodb:*:__ACCOUNT_ID__ :table/alertmanager_alerts/stream/*"
54+ "arn:aws:dynamodb:*:* :table/alertmanager_alerts/stream/*"
5555 ]
5656 },
5757 {
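Review bot: the surrounding README still says "copy it to a text editor first, and replac[e]" (the context line shown in every hunk header), which no longer makes sense once `"arn:aws:dynamodb:*:* :table/alertmanager_alerts/stream/*"` and the other resources contain no placeholder to replace; either that sentence needs updating in the same commit or the placeholders should stay. The stream ARN inherits the same scoping concern as the table ARN above: `/stream/*` under `*:*` covers the streams of any same-named table in any region or account that chooses to expose it, so the safety of `dynamodb:ListStreams` (and any other stream actions in this statement) now rests on an assumption about what tables exist elsewhere rather than on the policy.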
@@ -61,8 +61,8 @@ Content will be below, but you should copy it to a text editor first, and replac
6161 "sns:Publish"
6262 ],
6363 "Resource": [
64- "arn:aws:sns:*:__ACCOUNT_ID__ :AlertManager-alert",
65- "arn:aws:sns:*:__ACCOUNT_ID__ :AlertManager-ingest"
64+ "arn:aws:sns:*:* :AlertManager-alert",
65+ "arn:aws:sns:*:* :AlertManager-ingest"
6666 ]
6767 },
6868 {
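Review bot: `sns:Publish` to `"arn:aws:sns:*:* :AlertManager-alert"` and `"arn:aws:sns:*:* :AlertManager-ingest"` is where the account wildcard has real consequences, because SNS topics carry their own access policies: a topic of that name in another account or region whose policy admits this account's principals becomes a valid publish target, and alert and ingest traffic could leave the owning account with nothing in this policy standing in the way. The original `__ACCOUNT_ID__` form bounded that; if the placeholder is dropped for convenience, suggest at least pinning the region component and saying in the README that the topic names are now the only thing scoping the statement.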
@@ -78,3 +78,17 @@ Content will be below, but you should copy it to a text editor first, and replac
7878 ]
7979}
8080```
81+
82+ Are the wildcards safe?
83+ -----------------------
84+
85+ Yes. I used wildcards so you can just copy-paste the policy from above without needing to do region and
86+ account id replacements (the ` *:* ` parts). It is acceptable to have wildcards for:
87+
88+ - Region component: gives additional access only to table with same name (alertmanager_alerts)
89+ in other regions (you won't have same table name in other regions) or SNS topics with same
90+ names in other regions (you won't have same topic names in other regions).
91+ - Account id component: gives AlertManager additional access to resources in other accounts you have access to: ** none** ,
92+ as how could you give yourself access to other accounts' resources?
93+
94+ If you're unsure of this in any capacity, feel free to plug in your region and account IDs in the resource constraints.
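Review bot: the "Account id component ... none, as how could you give yourself access to other accounts' resources?" argument is incomplete and should be reworded before this section is published. The reader cannot grant themselves access, but another account can, via the resource-based policy on its own SNS topic or table; identity-policy resource constraints exist precisely so that such a grant on the other side is not sufficient by itself, and with `*:*` that second half of the check is gone. The region bullet has the same shape: "you won't have same table name in other regions" describes today's state, not something the policy enforces. Suggest saying plainly that the wildcards are a convenience trade-off whose safety depends on no same-named resource existing elsewhere, and turning the closing advice into the default by giving the one-liner for the id (`aws sts get-caller-identity --query Account --output text`) next to the `__ACCOUNT_ID__` placeholder rather than asking the reader to re-add constraints after the fact. Also check the rendering of `` ` *:* ` ``: the inline code has stray spaces, and in the ARNs above a space has crept in before `:table/`, `:AlertManager-alert` and `:AlertManager-ingest`.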