Ask HN: Why do you trust vendors with the ReadOnlyAccess policy?

3 points by dqh ↗ HN
In the process of trying to find a managed SIEM service provider, I have found big name vendors asking for excessive AWS permissions. One vendor asked me to install a CloudFormation template granting them the ability to assume any role in our account(i.e. admin access). I was the first person to audit and challenge this. Two subsequent vendors have asked for the ReadOnlyAccess policy to be applied to an IAM user they can access. This would give them access to all S3 objects in any bucket, potentially sensitive CloudFormation stack outputs, and many other things they don't need. I was again the first person to audit and challenge this according to both these vendors.

In all cases my request for a supported and documented list of required permissions has been met with something along the lines of "Well we are vendor X, we are super secure, we'd never get hacked, no one else has asked for this".

Given that the 3 vendors i've spoken to so far all reacted this way, I can only conclude that everyone is simply granting them more access than is needed. My question is, why?

Edit: I just noticed that I copy pasted the S3 read only policy name instead of the global ReadOnlyAccess policy covering all services.

0 comments

[ 1.8 ms ] story [ 9.7 ms ] thread

No comments yet.