1 Answer
It would give better clarity if you could add the JSON policy here, but here is what I suspect is happening:
The DescribeReplicationInstances action does not support resource-level permissions, so you should specify "*" in the Resource field of the IAM policy attached to this role.
Please see DescribeReplicationInstances in this documentation. The ResourceType column in this table is empty, which means you need to specify "*" in the Resource section of your IAM policy for this action.
Hope you find this helpful.
Abhishek
I will accept this answer; however, we have a checkov scan, set to soft-fail, against "*" on a resource. We mitigated that and removed the "*" that was put there, based along the lines of what you mention above. Thanks for the clarification.
Yeah, I completely get that, and many organizations put similar constraints; however, there are many such cases in CloudFormation itself which can't be avoided other than by putting "*" in Resource if we want to use certain things. One other example that comes to my mind is ec2:DeleteNetworkInterface.
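The fix the answer describes, and the least-privilege concern raised in the comments, can be reconciled by confining the "*" to a separate statement so that every action that does support resource-level permissions stays scoped to its ARN. The script below is an added example, not code from the thread or from AWS; the list of actions without resource-level permission support is a constructed table seeded with the DMS action discussed above, and the ARN is a placeholder.

```python
"""Split IAM statements so that only actions without resource-level
permission support receive Resource "*"; every other action keeps its ARN."""
import copy
import json

# Assumed table: actions whose "Resource types" column in the IAM service
# authorization reference is empty. Pairing such an action with a specific ARN
# can only ever produce AccessDenied. Extend it from that reference as needed.
NO_RESOURCE_LEVEL_ACTIONS = {
    "dms:DescribeReplicationInstances",
}


def split_statement(stmt):
    """Return statements equivalent in intent to `stmt`: unscopable actions are
    moved to their own statement with Resource "*"; the rest stay scoped."""
    actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
    unscopable = [a for a in actions if a in NO_RESOURCE_LEVEL_ACTIONS]
    scopable = [a for a in actions if a not in NO_RESOURCE_LEVEL_ACTIONS]
    if not unscopable or stmt.get("Resource") == "*":
        return [stmt]  # nothing to do: already consistent
    out = []
    if scopable:
        scoped = copy.deepcopy(stmt)
        scoped["Action"] = scopable
        if "Sid" in stmt:
            scoped["Sid"] = stmt["Sid"] + "Scoped"
        out.append(scoped)
    wildcard = copy.deepcopy(stmt)  # any Condition is carried over; review it
    wildcard["Action"] = unscopable
    wildcard["Resource"] = "*"
    if "Sid" in stmt:
        wildcard["Sid"] = stmt["Sid"] + "NoResourceLevel"
    out.append(wildcard)
    return out


def fix_policy(policy):
    """Apply split_statement to every statement of a policy document."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for stmt in policy["Statement"] for s in split_statement(stmt)]
    return fixed


# Constructed sample in the shape the question describes: the Describe action
# is wrongly scoped to one replication instance ARN (placeholder account/name).
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DmsAccess",
        "Effect": "Allow",
        "Action": ["dms:DescribeReplicationInstances", "dms:ModifyReplicationInstance"],
        "Resource": "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE-INSTANCE",
    }],
}

if __name__ == "__main__":
    print(json.dumps(fix_policy(BROKEN_POLICY), indent=2))
```

The resulting policy still trips a scanner that flags any "*" Resource, but the wildcard is now isolated to the single statement and action that require it, which is the narrowest grant the service allows.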