12/30/2020, 7:07 AM
Hey guys, I'm trying to forward all my osquery queries running on various endpoints to AWS Kinesis Data Firehose using an IAM role rather than an access key ID. Does anyone know how I can lock down the trust relationship of the role, meaning who can assume this role? This is what I'm seeing and I'd like to avoid using the wildcard (*) as the principal:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I ended up creating an empty IAM user that can assume the role and locking down this policy to allow requests only from that user. Hope this helps!
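As an added example (not from the original post and not osquery's or AWS's own code), the following Python script detects the wildcard principal in a trust policy like the one above and rewrites it to the specific IAM user the follow-up describes. The account ID and user name in the ARN are placeholders; only a real IAM user or role ARN is accepted, so a second wildcard cannot slip back in.

```python
import copy
import json
import re

# Constructed example input: the wildcard trust policy quoted in the post,
# written out in full so it parses. Nothing here has been deployed.
WILDCARD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Assumed placeholder: the empty IAM user created for the forwarders.
# Account ID and user name are not from the post.
FORWARDER_USER_ARN = "arn:aws:iam::123456789012:user/osquery-firehose-forwarder"

# Accept only a specific IAM user or role ARN; "*", account roots and
# service principals are rejected so the trust policy stays narrow.
_IAM_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def _is_wildcard(principal):
    """True if a statement's Principal lets any AWS identity assume the role."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def wildcard_statements(policy):
    """Indices of Allow statements that grant sts:AssumeRole to a wildcard principal."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if (
            stmt.get("Effect") == "Allow"
            and "sts:AssumeRole" in actions
            and _is_wildcard(stmt.get("Principal"))
        ):
            hits.append(i)
    return hits


def lock_down(policy, principal_arns):
    """Return a copy of `policy` in which every wildcard AssumeRole statement is
    restricted to the given IAM user/role ARN(s). The input is left unmodified."""
    if isinstance(principal_arns, str):
        principal_arns = [principal_arns]
    for arn in principal_arns:
        if not _IAM_PRINCIPAL_ARN.match(arn):
            raise ValueError(f"not a specific IAM user/role ARN: {arn}")
    hardened = copy.deepcopy(policy)
    for i in wildcard_statements(hardened):
        hardened["Statement"][i]["Principal"] = {
            "AWS": principal_arns[0] if len(principal_arns) == 1 else list(principal_arns)
        }
    return hardened


if __name__ == "__main__":
    print("wildcard statements:", wildcard_statements(WILDCARD_TRUST_POLICY))
    print(json.dumps(lock_down(WILDCARD_TRUST_POLICY, FORWARDER_USER_ARN), indent=2))
```

Run it as-is to see the before/after documents; in practice you would feed it the output of `aws iam get-role` and pass the result to `aws iam update-assume-role-policy`. Listing several ARNs is supported for the case where more than one forwarder identity needs the role.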