Open psantus opened 4 months ago
IAM evaluation relies on `aws iam simulate-principal-policy`, but I have noticed that this can give surprising/false results.

For instance, I'm using a role with the AdministratorAccess managed policy attached to it, and the simulator returns implicitDeny!!
```console
> aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<redacted>:role/<redacted> --action-names ecs:ExecuteCommand --resource-arns arn:aws:ecs:eu-west-3:<redacted>:task/<redacted> --profile <redacted>
{
    "EvaluationResults": [
        {
            "EvalActionName": "ecs:ExecuteCommand",
            "EvalResourceName": "arn:aws:ecs:eu-west-3:<redacted>:task/<redacted>",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {
                "AllowedByOrganizations": false
            }
        }
    ]
}
```
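The simulator output above carries more than the bare `EvalDecision`: `MatchedStatements`, `MissingContextValues`, `OrganizationsDecisionDetail` and (when present) `PermissionsBoundaryDecisionDetail` each tell you which part of the evaluation did not allow the call. The script below is an added example, not code from the issue author or from the project this issue was filed against. It parses a constructed response shaped like the one quoted (placeholder account ID and task ARN, not the redacted real ones) and lists the deny reasons visible in the result; the optional live path uses the boto3 `simulate_principal_policy` paginator with a named profile, and accepts `ContextEntries` so condition keys can be supplied instead of left missing.

```python
"""Triage aws iam simulate-principal-policy results.

Added example (not part of the original issue or project). Parsing works
offline on the embedded sample; the live call needs boto3 and credentials.
"""
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample mirroring the shape of the output quoted in the issue.
# The ARNs are placeholders, not the redacted real identifiers.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "EvaluationResults": [
        {
            "EvalActionName": "ecs:ExecuteCommand",
            "EvalResourceName": "arn:aws:ecs:eu-west-3:123456789012:task/example",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {"AllowedByOrganizations": False},
        },
        {
            # Constructed second record to show what an allow looks like.
            "EvalActionName": "ecs:DescribeTasks",
            "EvalResourceName": "*",
            "EvalDecision": "allowed",
            "MatchedStatements": [{"SourcePolicyId": "AdministratorAccess"}],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {"AllowedByOrganizations": True},
        },
    ]
}


def triage(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one record per evaluated (action, resource) with the decision and
    every reason the simulator output itself gives for not allowing it."""
    records = []
    for r in response.get("EvaluationResults", []):
        decision = r["EvalDecision"]
        reasons: List[str] = []
        if decision != "allowed":
            if not r.get("MatchedStatements"):
                reasons.append("no policy statement matched")
            missing = r.get("MissingContextValues") or []
            if missing:
                reasons.append("missing context keys: " + ", ".join(missing))
            org = r.get("OrganizationsDecisionDetail") or {}
            if org.get("AllowedByOrganizations") is False:
                reasons.append("Organizations (SCP) evaluation did not allow")
            boundary = r.get("PermissionsBoundaryDecisionDetail") or {}
            if boundary.get("AllowedByPermissionsBoundary") is False:
                reasons.append("permissions boundary did not allow")
        records.append({
            "action": r["EvalActionName"],
            "resource": r.get("EvalResourceName"),
            "decision": decision,
            "allowed": decision == "allowed",
            "reasons": reasons,
        })
    return records


def simulate(role_arn: str, actions: Iterable[str], resources: Iterable[str],
             profile: Optional[str] = None,
             context: Optional[List[Dict[str, Any]]] = None) -> List[Dict[str, Any]]:
    """Live call (needs boto3 and credentials). `context` is a list of
    ContextEntries, e.g. [{"ContextKeyName": "aws:SourceVpc",
    "ContextKeyValues": ["vpc-0123"], "ContextKeyType": "string"}]."""
    import boto3  # imported here so the offline triage() needs no boto3

    session = boto3.session.Session(profile_name=profile)
    paginator = session.client("iam").get_paginator("simulate_principal_policy")
    kwargs: Dict[str, Any] = {
        "PolicySourceArn": role_arn,
        "ActionNames": list(actions),
        "ResourceArns": list(resources),
    }
    if context:
        kwargs["ContextEntries"] = context
    results: List[Dict[str, Any]] = []
    for page in paginator.paginate(**kwargs):
        results.extend(page["EvaluationResults"])
    return triage({"EvaluationResults": results})


if __name__ == "__main__":
    for rec in triage(SAMPLE_RESPONSE):
        print(rec["action"], rec["decision"], "; ".join(rec["reasons"]) or "-")
```

Run it as-is to see the triage of the constructed sample; call `simulate(...)` with a real role ARN, action list and profile to triage a live result the same way. The point of the reasons list is that an `implicitDeny` with empty `MatchedStatements` and `AllowedByOrganizations: false` is a different diagnosis from one with populated `MissingContextValues`, and collapsing all of them into "denied" is what makes the simulator look wrong.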