Files in this directory:
- __init__.py
- acm_pca.py
- cloudwatch_logs.py
- common.py
- ecr.py
- efs.py
- elasticsearch.py
- glacier_vault.py
- iam.py
- kms.py
- lambda_function.py
- lambda_layer.py
- README.md
- s3.py
- secrets_manager.py
- ses.py
- sns.py
- sqs.py
Resources that can be made public through resource policies
Supported
CloudWatch Logs
Actions:
- logs put-resource-policy
ECR Repository
Actions:
EFS
TODO: Need to confirm this can actually be shared with other accounts. Some of the doc wording leads me to think this might only be shareable to principals within an account.
Actions:
Elasticsearch
Actions:
Glacier
Actions:
- glacier set-vault-access-policy
Lambda
Allows invoking the function
Actions:
- lambda add-permission
Lambda layer
Actions:
- lambda add-layer-version-permission
IAM Role
Actions:
- iam create-role
- iam update-assume-role-policy
KMS Keys
Actions:
- kms create-key
- kms create-grant
- kms put-key-policy
S3
S3 buckets can be made public via a bucket policy or an ACL. ACLs can be set at bucket or object creation.
Actions:
- s3api create-bucket
- s3api put-bucket-policy
- s3api put-bucket-acl
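Both paths named above (bucket policy and ACL) leave a recognisable trace in the bucket's own configuration: a policy statement whose Principal is the wildcard, or an ACL grant to the global AllUsers / AuthenticatedUsers groups. The following checker, an added example rather than code from this repository, flags both; it runs offline against constructed documents shaped like `get-bucket-policy` and `get-bucket-acl` output (the bucket name, Sids, org id and account id are made up).

```python
import json

# Grantee group URIs whose presence in an ACL grant makes the bucket public.
ACL_GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
PUBLIC_ACL_GROUPS = {ACL_GROUP_PREFIX + "AllUsers", ACL_GROUP_PREFIX + "AuthenticatedUsers"}

def principal_is_public(principal):
    # A Principal of "*" or {"AWS": "*"} (possibly inside a list) means anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_doc):
    # Returns (unconditional, conditional): Sids of Allow statements open to any principal.
    # Conditional ones may be scoped down (e.g. aws:PrincipalOrgID) and need a human review.
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    unconditional, conditional = [], []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow" or not principal_is_public(s.get("Principal")):
            continue
        (conditional if s.get("Condition") else unconditional).append(s.get("Sid", str(i)))
    return unconditional, conditional

def public_acl_grants(acl):
    # Returns (group, permission) pairs for grants to the AllUsers / AuthenticatedUsers groups.
    found = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return found

# Constructed sample inputs (bucket, Sids, org id and account id are placeholders).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
    {"Sid": "Owner", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ACL_GROUP_PREFIX + "AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]}
```

Note that a conditional wildcard grant is reported separately rather than ignored, since whether it is actually public depends on the condition keys used.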
Secrets Manager
Actions:
- secretsmanager put-resource-policy
SNS
Actions:
- sns create-topic
- sns add-permission
SQS
Actions:
- sqs create-queue
- sqs add-permission
SES
Actions:
Not Supported
Backup
Actions:
CloudWatch Logs (Destination Policies)
EventBridge
Only allows other accounts to send events into this account
Actions:
- events put-permission
Glue
Actions:
- glue put-resource-policy
MediaStore
Actions:
- mediastore put-container-policy
Serverless Application Repository
Actions:
- serverlessrepo put-application-policy
S3 Objects
S3 objects can be made public via an ACL. ACLs can be set at bucket or object creation, or changed afterwards.
Actions:
- s3api put-object
- s3api put-object-acl