IAM action-specific resources lint #1940
Comments
If I'm understanding this correctly, this is valid, because these actions don't work against resources:

```json
{
  "Effect": "Allow",
  "Action": [
    "aws-portal:ViewBilling"
  ],
  "Resource": "*"
}
```

This is valid, because these actions work against resources:

```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress"
  ],
  "Resource": "arn:aws:ec2:region:account:security-group/*"
}
```

This is invalid. These actions work against resources, but the user used a `*`:

```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress"
  ],
  "Resource": "*"
}
```
(somewhat related issue: #1117) remember seeing a similar conversation for @omkhegde @iann0036 @0xdabbad00 @phelewski @oscarbc96 anyone have a link / remember where?

In CFRipper, we finally created this list of actions that only accept wildcards: https://github.com/Skyscanner/cfripper/blob/master/cfripper/cloudformation_actions_only_accepts_wildcard.py

Parliament should tell you what actions are resource-less per the SAR (though that does have some missing actions, somewhat captured here).

Another option is to use the Access Analyzer policy validation. That would require AWS credentials, and might run into issues with !Sub and !Ref, but maybe some findings can be ignored if those are present.

Another Python library validating IAM policies in CloudFormation templates:
IAM actions can either accept a resource to be scoped by, or they should be passed `*` (for all resources). It would be nice to have an informational lint rule that would be able to check statements used in IAM resources, and based on the action, decide whether the resource is correct (`*` for actions that cannot be scoped, and NOT `*` for those that can).
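One way the rule described above could be expressed, as an added example that is not cfn-lint's, CFRipper's or Parliament's own code. It assumes a constructed sample set of wildcard-only actions (the real list would come from the SAR or the CFRipper file linked above), reports `*` on a scopable action as a warning and a specific ARN on a wildcard-only action as an error, and skips resources that are still `!Sub`/`!Ref` intrinsics after parsing, since those cannot be resolved offline.

```python
"""Informational lint: does a statement's Resource match what its Action supports?"""

# Constructed sample of actions that only accept Resource "*" (placeholder for the SAR /
# CFRipper list; "aws-portal:ViewBilling" is the example used in the thread).
WILDCARD_ONLY_ACTIONS = {
    "aws-portal:ViewBilling",
}


def _as_list(value):
    """IAM allows either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_intrinsic(resource):
    """!Sub / !Ref / Fn::* become dicts once the template is parsed; not resolvable offline."""
    return isinstance(resource, dict)


def lint_statement(statement, wildcard_only=WILDCARD_ONLY_ACTIONS):
    """Return a list of (level, message) findings for one IAM policy statement."""
    findings = []
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    if not actions or not resources:
        return findings  # NotAction / NotResource statements are out of scope here
    if any(_is_intrinsic(r) for r in resources):
        return [("info", "Resource uses an intrinsic function; skipping check")]
    all_wildcard = all(r == "*" for r in resources)
    for action in actions:
        if "*" in action:
            continue  # "ec2:*" etc. mixes scopable and wildcard-only actions; undecidable here
        if action in wildcard_only and not all_wildcard:
            findings.append(("error", f"{action} only accepts Resource '*'"))
        elif action not in wildcard_only and "*" in resources:
            findings.append(("warning", f"{action} can be scoped to a resource but Resource is '*'"))
    return findings


def lint_policy_document(document):
    """Lint every statement of a PolicyDocument; returns [(statement_index, level, message)]."""
    results = []
    for index, statement in enumerate(_as_list(document.get("Statement"))):
        for level, message in lint_statement(statement):
            results.append((index, level, message))
    return results
```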