Write up a list of missing IAM features #2

Closed
dnmfarrell opened this issue Sep 24, 2024 · 2 comments
Assignees
Labels
good first issue Good for newcomers

Comments

@dnmfarrell
Owner

Compare iamsim to the
IAM SimulateCustomPolicy API features.

@dnmfarrell dnmfarrell added the good first issue Good for newcomers label Sep 24, 2024
@dnmfarrell
Owner Author

dnmfarrell commented Oct 2, 2024

SimulateCustomPolicy supports:

  • []ActionNames - eval permissions for these actions, no wildcards
  • CallerArn - used by ResourcePolicy Principal, must be IAM user, not role etc.
  • []ContextEntries - optional request context vars can be used by policy conditions
  • []PermissionsBoundaryPolicyInputList - sets the permissions boundary for the simulation (is a list but only accepts one policy?).
  • []PolicyInputList - list of identity policies
  • []ResourceArns - list of resources to include in the simulation, defaults to *.
  • ResourceHandlingOption - ec2 permission scenarios to run, e.g. EC2-VPC-EBS requires instance, image, security group, network interface and subnet resources to be specified.
  • ResourceOwner - ARN of AWS account ID that owns all resources that do not identify their owner in their resource ARN. Defaults to CallerArn. Used for resource policy eval.
  • ResourcePolicy - resource policy to include in the simulation.

Returns a list of evaluation results which mention SCP, even though that is not a parameter - perhaps if the CallerARN is a real IAM user and its organization has an SCP, it will be automatically applied?

In any case:

  • Context Entries is a neat way to provide additional info that can be used by the simulation.
  • Context keys can be included in policy strings, need to be able to parse these to eval context entries. IAM context keys.
  • Conditions enable run-time logic.
  • Resource policies are limited by SCP, but not boundary policies. So we need resource and SCP types to apply the different logic.
  • A list of action names can be tested for set intersection with the response from all/2.
  • Caller ARN (and ARN syntax checking) would be useful.
  • Resource ARNs is kind of weird, since they all have to have the same resource policy. Probably more useful to reduce round trips on network requests? Unless:
  • Resource Handling Option - the scenario determines the required resources (do the resources have to be in resource arns?). This seems useful. Wonder if other scenarios could be added.
  • ResourceOwner - needed to evaluate policies (if the resource owner <> caller arn ...)
  • NotPrincipal, NotAction, NotResource are kind of head-spinning and therefore useful to support to catch unintended changes.
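
A toy evaluator for the rules summarised in the comment above, as an added example: this is not iamsim's code and not the SimulateCustomPolicy API. It layers the policy types the way the comment describes (explicit deny wins; SCPs bound identity and resource-policy grants alike; a permissions boundary bounds only the identity policies; ContextEntries feed both `${...}` policy variables and Condition blocks) and supports NotPrincipal/NotAction/NotResource. The policy documents, context entries, caller ARN and the `simulate`/`run` helpers are all constructed for illustration; the handling of a missing context key under negated operators is modelled here, not taken from the page.

```python
"""Toy IAM policy simulator (added example, not iamsim's code).
Constructed policies/context below; evaluation order follows the comment above."""
import fnmatch
import re

_VAR = re.compile(r"\$\{([\w:/-]+)\}")  # ${aws:username}-style policy variables
_OPS = {  # Condition operators supported by this toy; all values compared as strings
    "StringEquals": lambda a, e: a in e, "StringNotEquals": lambda a, e: a not in e,
    "StringLike": lambda a, e: any(fnmatch.fnmatchcase(a, p) for p in e),
    "StringNotLike": lambda a, e: not any(fnmatch.fnmatchcase(a, p) for p in e),
    "Bool": lambda a, e: a.lower() == e[0].lower(),
}
_OPS["ArnLike"], _OPS["ArnNotLike"] = _OPS["StringLike"], _OPS["StringNotLike"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value, ctx, fold=False):
    """IAM wildcard match ('*', '?') after expanding variables from the context entries."""
    pats = [_VAR.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), p) for p in _as_list(patterns)]
    if fold:  # action names are case-insensitive, resource ARNs are not
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_ok(principal, caller):
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in arns or caller in arns

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # missing key fails the test, except for negated operators
                if op.startswith(("StringNot", "ArnNot")):
                    continue
                return False
            if not _OPS[op](str(actual), [str(e) for e in _as_list(expected)]):
                return False
    return True

def _applies(stmt, action, resource, ctx, caller):
    """Statement covers the request if each element matches and each Not* element does not."""
    checks = [("Action", lambda v: _glob(v, action, ctx, fold=True)),
              ("Resource", lambda v: _glob(v, resource, ctx)),
              ("Principal", lambda v: _principal_ok(v, caller))]
    for key, match in checks:
        if key in stmt and not match(stmt[key]):
            return False
        if "Not" + key in stmt and match(stmt["Not" + key]):
            return False
    return _condition_ok(stmt.get("Condition", {}), ctx)

def _decide(policies, action, resource, ctx, caller):
    """'Deny' if any matching statement denies, 'Allow' if any allows, else None."""
    decision = None
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if _applies(stmt, action, resource, ctx, caller):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def simulate(action, resource, caller, identity=(), boundary=None, resource_policy=None, scps=(), context=None):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action/resource pair."""
    ctx = context or {}
    ident = _decide(identity, action, resource, ctx, caller)
    bound = _decide([boundary], action, resource, ctx, caller) if boundary else "Allow"
    rsrc = _decide([resource_policy], action, resource, ctx, caller) if resource_policy else None
    scp = _decide(scps, action, resource, ctx, caller) if scps else "Allow"
    if "Deny" in (ident, bound, rsrc, scp):
        return "explicitDeny"
    if scp != "Allow":
        return "implicitDeny"  # SCPs bound identity and resource-policy grants alike
    if rsrc == "Allow":
        return "allowed"  # same-account resource policy grant is not limited by the boundary
    return "allowed" if ident == "Allow" and bound == "Allow" else "implicitDeny"

# Constructed sample inputs (hypothetical account, user, buckets and policies)
ALICE = "arn:aws:iam::123456789012:user/alice"
IDENTITY = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/${aws:username}/*"},
    {"Effect": "Deny", "NotAction": ["s3:*", "sts:*"], "Resource": "*"}]}]
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
DROPBOX = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "s3:PutObject",
                          "Resource": "arn:aws:s3:::shared-drop/*",
                          "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
SCPS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
                        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}]
CTX = {"aws:username": "alice", "aws:SecureTransport": "true", "aws:RequestedRegion": "us-east-1"}

def run(action, resource, **overrides):
    """Simulate as alice with the sample policies; keyword overrides swap any input."""
    kw = dict(identity=IDENTITY, boundary=BOUNDARY, resource_policy=DROPBOX, scps=SCPS, context=CTX)
    kw.update(overrides)
    return simulate(action, resource, ALICE, **kw)
```

With these inputs, `run("s3:PutObject", "arn:aws:s3:::app-data/alice/report.csv")` is an implicit deny because the boundary omits PutObject, while the same action on `arn:aws:s3:::shared-drop/report.csv` is allowed through the resource policy despite the boundary; overriding `aws:RequestedRegion` to anything but `us-east-1`, or leaving it out of the context, turns that into an explicit deny from the SCP, and any non-s3/sts action trips the NotAction deny.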

@dnmfarrell dnmfarrell self-assigned this Oct 17, 2024
@dnmfarrell
Owner Author

dnmfarrell commented Oct 19, 2024

Need tickets for the following features:
