Comment 3 for bug 1256049

Steve Baker (steve-stevebaker) wrote : Re: CFN policy rules not all enforced

+2 for this patch.

A couple of points to help evaluate the security implications of this:
* in-instance users are created by the user who originally created the stack
* an in-instance user can only call CreateStack and UpdateStack if the ec2 keypair for that user is known
* practically speaking, this can probably only be exploited if a stack-launched nova server is compromised, or if the heat->server communication containing the ec2 keypair is intercepted.