Hello AWS Community,
I am setting up IAM permissions to isolate each developer's stack in my organization. However, shared resources are problematic when it comes to applying the least-privilege access principle.
I want to delegate SES template management to the developers of the team. This means each developer has a CloudFormation stack with email templates and I need to prevent a developer from interacting with templates which he/she does not own.
According to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html, this is impossible. The only possible resource for the action ses:UpdateTemplate is "*" and no condition is supported. This means that an attacker using a developer's credentials could update a template used in production and insert malicious content. This seems like a huge security oversight from Amazon.
Is it not possible to delegate SES template management in a secure way or am I missing something?
Looking forward to your answers,
Thank you!
Edited by: ArielGadboisRoy on Apr 9, 2021 1:11 PM
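Added example (not the poster's code, and not an AWS-provided tool): while ses:UpdateTemplate cannot be scoped to a template ARN or condition key as the post describes, a defender can still apply two compensating controls: lint IAM policies so that any Allow of the template-mutating SES actions on Resource "*" is surfaced for review, and watch CloudTrail for template writes whose name falls outside the caller's own stack. The sample policy, the CloudTrail record shape (userIdentity.arn, eventSource, eventName, requestParameters), the "templates are prefixed with the developer's stack name" ownership convention, and the account id 123456789012 are all constructed assumptions for this example.

```python
import fnmatch

# SES v1 actions that change a template; per the service authorization
# reference cited in the post they accept only Resource "*".
MUTATING_TEMPLATE_ACTIONS = {"ses:CreateTemplate", "ses:UpdateTemplate", "ses:DeleteTemplate"}

# Constructed sample policy: the first statement is the broad grant the post warns about.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevTemplateMgmt", "Effect": "Allow",
         "Action": ["ses:CreateTemplate", "ses:UpdateTemplate", "ses:DeleteTemplate"],
         "Resource": "*"},
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["ses:GetTemplate", "ses:ListTemplates"], "Resource": "*"},
    ],
}

# Constructed CloudTrail-style records (field layout is an assumption).
SAMPLE_EVENTS = [
    {"eventSource": "ses.amazonaws.com", "eventName": "UpdateTemplate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev-alice/alice"},
     "requestParameters": {"template": {"templateName": "alice-stack-welcome"}}},
    {"eventSource": "ses.amazonaws.com", "eventName": "UpdateTemplate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev-alice/alice"},
     "requestParameters": {"template": {"templateName": "prod-password-reset"}}},
    {"eventSource": "ses.amazonaws.com", "eventName": "DeleteTemplate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev-bob/bob"},
     "requestParameters": {"templateName": "bob-stack-invoice"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "GetTemplate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev-bob/bob"},
     "requestParameters": {"templateName": "prod-password-reset"}},
]

# Assumed ownership convention: role name -> template-name prefix it may write.
OWNER_PREFIXES = {"dev-alice": "alice-stack-", "dev-bob": "bob-stack-"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unscoped_template_writes(policy):
    """Return (Sid, [actions]) for Allow statements that grant a template-mutating
    SES action on Resource "*". Wildcards such as ses:* or ses:*Template are expanded."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        granted = sorted(a for a in MUTATING_TEMPLATE_ACTIONS
                         if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
        if granted and "*" in _as_list(stmt.get("Resource", [])):
            findings.append((stmt.get("Sid", "<no Sid>"), granted))
    return findings


def _template_name(event):
    """UpdateTemplate/CreateTemplate nest the name under 'template'; DeleteTemplate
    carries it at top level (assumed shapes)."""
    params = event.get("requestParameters") or {}
    if "templateName" in params:
        return params["templateName"]
    return (params.get("template") or {}).get("templateName")


def _role_name(event):
    """Extract the role name from an assumed-role ARN: .../assumed-role/<role>/<session>."""
    parts = event.get("userIdentity", {}).get("arn", "").split("/")
    return parts[1] if len(parts) >= 2 else None


def detect_cross_owner_template_writes(events, owner_prefixes):
    """Alert on any SES template write whose name is not under the caller's prefix."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        if ev.get("eventName") not in {"CreateTemplate", "UpdateTemplate", "DeleteTemplate"}:
            continue
        role, name = _role_name(ev), _template_name(ev)
        prefix = owner_prefixes.get(role)
        if name is None or prefix is None or not name.startswith(prefix):
            alerts.append((role, ev["eventName"], name))
    return alerts


if __name__ == "__main__":
    for sid, actions in find_unscoped_template_writes(SAMPLE_POLICY):
        print(f"review: statement {sid} allows {actions} on Resource '*'")
    for role, action, name in detect_cross_owner_template_writes(SAMPLE_EVENTS, OWNER_PREFIXES):
        print(f"ALERT: {role} called {action} on template '{name}' outside its prefix")
```

The policy check is a review aid rather than a guardrail, since the grant it flags is the only form IAM accepts for these actions; the CloudTrail check is the detective control that actually distinguishes a developer editing their own templates from one touching a production template.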