
Heads up, you forgot to handle confused deputy in your IAM Role policy: (In 'Configuring IAM role' at https://docs.paigo.tech/ can't link to a page), which means anyone can pass a role (e.g. for another user) and you'll assume it.

Check out https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-de... for how to handle it. You need to require and use an 'ExternalId'.
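As an added illustration of the point above (not code from the thread or from the Paigo project), here is a small audit that loads an IAM role trust policy and reports any Allow statement granting sts:AssumeRole that does not pin sts:ExternalId. The two trust policies are constructed samples: the account ID and the ExternalId value are placeholders, and the weak policy is the shape that lets a third party be used as a confused deputy.

```python
"""Audit an IAM role trust policy for the confused-deputy mitigation.

Added example; the policies below are constructed, with a placeholder
account ID and a placeholder ExternalId rather than real values.
"""
import json

# Constructed: the vendor account may assume the role with no ExternalId
# condition. Any customer of the vendor that can get the vendor to call
# AssumeRole on this ARN ends up acting as this role (confused deputy).
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the same grant, but AssumeRole only succeeds when the caller
# supplies the ExternalId the role owner handed out for this integration.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}
        },
    }],
})


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _pins_external_id(condition):
    """True if the Condition block has StringEquals on sts:ExternalId with a
    non-empty value. Operator and key names are compared case-insensitively,
    as IAM treats them."""
    for operator, keys in (condition or {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in keys.items():
            if key.lower() == "sts:externalid" and value:
                return True
    return False


def unguarded_assume_role_statements(policy_json):
    """Return the Allow statements that grant sts:AssumeRole (directly or via
    a wildcard) without requiring a specific sts:ExternalId."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if not _pins_external_id(stmt.get("Condition")):
            findings.append(stmt)
    return findings


def requires_external_id(policy_json):
    """True when every AssumeRole grant in the trust policy is guarded."""
    return not unguarded_assume_role_statements(policy_json)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY),
                         ("hardened", HARDENED_TRUST_POLICY)):
        status = "ok" if requires_external_id(policy) else "MISSING ExternalId"
        print(f"{name}: {status}")
```

The trust policy on the customer side is only half of the fix: the service that assumes the role also has to send the customer's ExternalId on every AssumeRole call, which is the part the second comment says was exposed in the API but not used everywhere. The ExternalId is not a secret; its job is to bind a role to one specific integration so that a request made on behalf of a different customer cannot reuse it.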



Drat, we even have the option in the API to pass it in and use it. Just didn't get propagated everywhere else.

Thanks for that callout, I'll update everything ASAP.



