Names are part of the ARN for a reason: they create a unique but predictable way to identify a resource in a policy.
I began to notice that AWS was departing from long-standing practices that made it a beautifully designed platform.
New engineers are coming on board, I suppose, and I think it wouldn’t be good if we…
And they want to make changes because it’s easier or because they think it’s more user-friendly, but they don’t understand the security implications of those changes.
This is where losing the old guard hurts a business: the people who originally designed the system and understand why it is the way it is and why the patterns and architectures exist.
I already had problems creating policies for AWS SSM settings and secrets with random values in the ARN, but at least they had a name.
I’ve now noticed that Service Control Policies have completely random values in their name, making it difficult to restrict access to modify a particular policy.
I also noticed random numbers on something in IAM for Lambda — I can’t remember if it was a role or a policy — but stop doing that.
A resource has a unique name for the same reason a username is unique: it identifies exactly one user or one resource.
And because the name is part of the ARN, you can write consistent policies based on that name even before the resource is created. You can’t do this with a random value generated after the resource is created, because you don’t know what it will be.
And you really can’t create policies based on ARNs if the identifiers change randomly every time you deploy a new version.
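As an added example (not code from the original post), the script below shows the difference in practice: an SSM parameter ARN can be written into a policy from its name alone, a Secrets Manager secret needs a wildcard for the random suffix AWS appends, and an SCP ARN cannot be written at all until the random policy ID exists. The account ID, region, organization ID and policy ID are constructed placeholders.

```python
"""Added example (not from the post): policies written from a naming
convention before the resources exist. Account, region, org ID and
policy ID below are constructed placeholders."""
import re

ACCOUNT = "123456789012"   # constructed placeholder account ID
REGION = "us-east-1"
ORG_ID = "o-exampleorgid"  # constructed placeholder organization ID


def ssm_parameter_arn(name: str) -> str:
    # The parameter name is the whole identifier, so the ARN is exact
    # and can be written into a policy before the parameter is created.
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{name.lstrip('/')}"


def secret_arn_pattern(name: str) -> str:
    # Secrets Manager appends "-" plus six random characters to the name.
    # Six '?' wildcards match exactly that suffix without also matching
    # "name-something-else-XXXXXX", which a trailing "*" would allow.
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}-??????"


def scp_arn(policy_id: str) -> str:
    # The SCP identifier ("p-" plus random characters) only exists after
    # the policy is created, so this ARN cannot be written ahead of time.
    return (f"arn:aws:organizations::{ACCOUNT}:policy/{ORG_ID}"
            f"/service_control_policy/{policy_id}")


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style Resource matching: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def app_policy(app: str) -> dict:
    """Least-privilege policy for one app, derived from names alone."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameter",
         "Resource": ssm_parameter_arn(f"/{app}/config")},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": secret_arn_pattern(f"{app}/db")},
    ]}


if __name__ == "__main__":
    import json
    print(json.dumps(app_policy("prod"), indent=2))
```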
Please stop randomizing ARNs and use the naming convention established for AWS a long time ago. It exists for a reason.
THANKS. 🙏
Teri Radichel | © 2nd sight laboratory 2023