Description:
Kinesis policy templates that allow action "kinesis:DescribeStream" should also allow "kinesis:DescribeStreamSummary". The "Describe Stream Summary" API call exposes a subset of the information that the "Describe Stream" API call does. So, from a security standpoint there is no reason not to allow it. I came across this issue when attempting to calculate the maximum throughput of a stream before invoking it so that a reasonable backoff time can be applied to Kinesis batch write calls. The reason to use Describe Stream Summary is that it provides the total shard count as a numeric value, whereas Describe Stream requires counting the Shard records one-by-one.
Steps to reproduce the issue:
- Create lambda using SAM template with either KinesisCrudPolicy or KinesisStreamReadPolicy
- Configure the lambda to invoke the kinesis get stream summary API endpoint
- Invoke the lambda
Observed result:
An access denied exception is thrown.
Expected result:
Access to this API call should NOT be denied (i.e. allow kinesis:DescribeStreamSummary).
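Until the policy template itself grants the action, the least-privilege way to work around the access-denied error is to keep the policy template and add one explicit statement that allows only kinesis:DescribeStreamSummary on the single stream the function reads. The SAM template below is an added example written for this issue, not code from the reporter or from the SAM project; the resource names (OrdersStream, SummaryFunction), the runtime and the handler path are assumptions, and the stream-scoped Resource is what keeps the grant narrow.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  # Hypothetical stream; the Lambda only needs to read it and query its summary.
  OrdersStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 2

  # Hypothetical function that calls DescribeStreamSummary to size its backoff.
  SummaryFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./src
      Environment:
        Variables:
          STREAM_NAME: !Ref OrdersStream
      Policies:
        # Policy template from the issue: grants kinesis:DescribeStream but,
        # at the time of the report, not kinesis:DescribeStreamSummary.
        - KinesisStreamReadPolicy:
            StreamName: !Ref OrdersStream
        # Explicit, stream-scoped grant for the missing action only.
        # Scoping Resource to this stream's ARN avoids a wildcard grant.
        - Statement:
            - Effect: Allow
              Action:
                - kinesis:DescribeStreamSummary
              Resource: !GetAtt OrdersStream.Arn
```

When the policy template is later updated to include the action, the extra statement becomes redundant and can be removed without changing behaviour; until then it is the minimal delta, and it is easy to audit because the only action it names is the one the issue asks for.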