This tool does not handle wildcards in IAM policy actions properly, because it only does literal string matches. For example, the PrivilegeEscalation class will not detect any issue if my policy grants "iam:Create*". All the IAM policy checking logic needs to be rewritten to treat wildcards as actual wildcards (perhaps via regex) instead of only doing literal string matches.
This tool does not handle wildcards in IAM policy actions properly, because it only does literal string matches. For example, the
PrivilegeEscalation
class will not detect any issue if my policy grants"iam:Create*"
. All the IAM policy checking logic needs to be rewritten to treat wildcards as actual wildcards (perhaps via regex) instead of only doing literal string matches.