
[codex] Add denied PassRole Lambda live validation design#16

Merged: InfoSecHack merged 1 commit into main from docs/passrole-lambda-denied-live-design on Jun 3, 2026

Conversation

@InfoSecHack (Owner)

Summary

  • add a docs-only design for one denied controlled PassRole-to-Lambda live validation case
  • select the denied condition: source can call Lambda CreateFunction but lacks iam:PassRole to the selected execution role
  • document expected live access_denied, function_created=false, cleanup_status=not_needed, and current local IAMScope no-selected-finding expectation

Boundaries

  • docs/design only
  • no live AWS, Terraform, AWS CLI, STS, Lambda API, or iam:PassRole calls
  • no runner, reasoner, benchmark semantic, or public claim changes

Validation

  • targeted grep for denied/live/local-expectation wording
  • ./scripts/check.sh
  • ./scripts/test_fast.sh
  • git diff --check
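The denied condition selected above rests on two separate authorizations: CreateFunction with an execution role succeeds only if the caller holds both lambda:CreateFunction and iam:PassRole on that specific role ARN. The following is an added example, not code from this PR or from IAMScope, that models that check locally with a deliberately simplified identity-policy evaluator (Allow/Deny statements with `*` wildcards, explicit Deny wins; no Condition keys, resource policies, permission boundaries or SCPs) and produces the expected outcome record for the denied case. The ARNs, policy documents, function names and field names other than access_denied, function_created and cleanup_status are constructed for illustration.

```python
"""Local model of the denied PassRole-to-Lambda validation case.

lambda:CreateFunction with an execution role needs two authorizations on
the calling principal: lambda:CreateFunction on the function ARN and
iam:PassRole on the role ARN (AWS checks PassRole whenever a role is
handed to a service). A policy granting only the first yields AccessDenied
and nothing is created, so no cleanup is needed.

Assumption: the evaluator below is a simplified stand-in for IAM, not the
real engine. It handles Allow/Deny, '*' wildcards and explicit-Deny-wins;
it ignores Condition keys, resource policies, boundaries and SCPs.
"""
import re


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match an IAM pattern where '*' means 'any run of characters'."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if the identity policy allows `action` on `resource`."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


def expect_create_function(policy: dict, function_arn: str, role_arn: str) -> dict:
    """Expected outcome record for one controlled CreateFunction attempt."""
    can_create = is_allowed(policy, "lambda:CreateFunction", function_arn)
    can_pass = is_allowed(policy, "iam:PassRole", role_arn)
    denied = not (can_create and can_pass)
    if not can_create:
        reason = "missing lambda:CreateFunction"
    elif not can_pass:
        reason = "missing iam:PassRole on execution role"
    else:
        reason = None
    return {
        "access_denied": denied,
        "denied_reason": reason,
        # Lambda rejects the request before creating anything, so a denied
        # attempt leaves no function behind and needs no cleanup.
        "function_created": not denied,
        "cleanup_status": "not_needed" if denied else "required",
    }


# Constructed sample ARNs and policies (not from any real account).
ACCOUNT = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:iamscope-probe"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/iamscope-probe-exec"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/unrelated-role"

# The denied case: full Lambda rights, no PassRole at all.
CREATE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
}

# PassRole scoped to a different role: CreateFunction with ROLE_ARN still fails.
WRONG_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": OTHER_ROLE_ARN},
    ],
}

# The allowed counterpart: PassRole scoped to exactly the selected role.
CREATE_AND_PASS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN},
    ],
}

if __name__ == "__main__":
    for name, policy in [("create-only", CREATE_ONLY_POLICY),
                         ("wrong-role", WRONG_ROLE_POLICY),
                         ("create-and-pass", CREATE_AND_PASS_POLICY)]:
        print(name, expect_create_function(policy, FUNCTION_ARN, ROLE_ARN))
```

The wrong-role policy is the case worth keeping in mind when picking the execution role for the live probe: iam:PassRole is resource-scoped, so a source that can pass some role but not the selected one lands in the same access_denied / function_created=false / cleanup_status=not_needed bucket as a source with no PassRole at all.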

InfoSecHack marked this pull request as ready for review June 3, 2026 01:12
InfoSecHack merged commit 383e60a into main Jun 3, 2026
6 checks passed
InfoSecHack deleted the docs/passrole-lambda-denied-live-design branch June 3, 2026 01:12