
SAM template policies should allow kinesis:DescribeStreamSummary #1251

@michaeljfazio

Description:

Kinesis policy templates that allow the action "kinesis:DescribeStream" should also allow "kinesis:DescribeStreamSummary". The "Describe Stream Summary" API call exposes a subset of the information that the "Describe Stream" API call does, so from a security standpoint there is no reason not to allow it. I came across this issue when attempting to calculate the maximum throughput of a stream before invoking it, so that a reasonable backoff time can be applied to Kinesis batch write calls. The reason to use Describe Stream Summary is that it provides the total shard count as a numeric value, whereas Describe Stream requires counting the Shard records one by one.

Steps to reproduce the issue:

  1. Create a Lambda function using a SAM template with either KinesisCrudPolicy or KinesisStreamReadPolicy
  2. Configure the Lambda function to invoke the Kinesis Describe Stream Summary API endpoint
  3. Invoke the Lambda function

Observed result:

An access denied exception is thrown.

Expected result:

Access to this API call should NOT be denied (i.e. allow kinesis:DescribeStreamSummary).
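The permission gap the issue describes, shown with an added example that is not part of the original issue or of the SAM project: a minimal IAM-style policy evaluator run against a constructed read-policy statement before and after adding kinesis:DescribeStreamSummary. The statements, the stream ARN and the function names are constructed for illustration and are not the real template definitions.

```python
"""Added example (not from the issue or the SAM project): a minimal IAM-style
evaluator showing why an Allow for kinesis:DescribeStream does not cover
kinesis:DescribeStreamSummary, and how the proposed fix closes the gap."""
from fnmatch import fnmatchcase

# Constructed stream ARN; account id and stream name are placeholders.
STREAM_ARN = "arn:aws:kinesis:us-east-1:123456789012:stream/example-stream"

# Illustrative "before" statement modelled on the issue; NOT the real
# KinesisStreamReadPolicy / KinesisCrudPolicy definitions.
READ_POLICY_BEFORE = [{
    "Effect": "Allow",
    "Action": ["kinesis:DescribeStream", "kinesis:GetRecords",
               "kinesis:GetShardIterator"],
    "Resource": [STREAM_ARN],
}]

# Proposed fix: add the one action that is needed rather than widening
# to a wildcard such as kinesis:Describe*, which would also grant actions
# the function does not use.
READ_POLICY_AFTER = [{
    "Effect": "Allow",
    "Action": READ_POLICY_BEFORE[0]["Action"] + ["kinesis:DescribeStreamSummary"],
    "Resource": [STREAM_ARN],
}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(statements, action, resource):
    """Identity-policy evaluation: explicit Deny wins, then Allow, else implicit deny.
    Action names are case-insensitive in IAM; resource ARNs are matched as-is.
    '*' and '?' wildcards are honoured in both, as IAM does."""
    allowed = False
    for stmt in statements:
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(statements, actions, resource):
    """Actions the policy does not allow on `resource`; an empty list means no gap."""
    return [a for a in actions if not is_allowed(statements, a, resource)]
```

Running `missing_actions(READ_POLICY_BEFORE, ["kinesis:DescribeStream", "kinesis:DescribeStreamSummary"], STREAM_ARN)` reports only the summary call as missing, and the same check against `READ_POLICY_AFTER` reports nothing missing.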
