aws-samples / aws-iam-identity-center-extensions

This solution is intended for enterprises that need a streamlined way of managing user access to their AWS accounts. Using this solution, your identity and access management teams can extend AWS SSO functionality by automating common access management and governance use cases
MIT License

Permission set schema doesn't handle NotAction and NotResource #86

Closed allquixotic closed 2 years ago

allquixotic commented 2 years ago

When I upload this permission set to S3 as "permission_sets/Foo.json", I receive an email from SNS.

First, here's the permission set (and yes, the total character length is well below 10240 characters):

{
    "permissionSetName": "Foo",
    "sessionDurationInMinutes": 720,
    "managedPoliciesArnList": [
        "arn:aws:iam::aws:policy/AdministratorAccess",
        "arn:aws:iam::aws:policy/AWSSupportAccess"
    ],
    "inlinePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Resource": "*",
                "Effect": "Deny",
                "NotAction": [
                    "s3:*",
                    "ec2:*",
                    "ec2-reports:*",
                    "iam:*", #About 50 more whitelisted services here
                ]
            },
            {
                "Condition": {
                    "StringNotLike": {
                        "aws:RequestedRegion": "us-east-1"
                    }
                },
                "Action": "*",
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": [
                    "s3:PutAccountPublicAccessBlock",
                    "s3:PutBucketAcl"
                ],
                "Effect": "Deny",
                "NotResource": [
                    "arn:aws:s3:::bucket1",
                    "arn:aws:s3:::bucket2"
                ]
            }
        ]
    },
    "relayState": "https://us-east-1.console.aws.amazon.com/console/home?region=us-east-1#",
    "tags": [
        {
            "Key": "versionid",
            "Value": "01"
        }
    ]
}

The errors:

[
    {
        "errorCode": "type",
        "message": "must be string"
    },
    {
        "errorCode": "required",
        "message": "must have required property 'Action'"
    },
    {
        "errorCode": "additionalProperties",
        "message": "must NOT have additional properties"
    },
    {
        "errorCode": "anyOf",
        "message": "must match a schema in anyOf"
    },
    {
        "errorCode": "type",
        "message": "must be array"
    },
    {
        "errorCode": "anyOf",
        "message": "must match a schema in anyOf"
    },
    {
        "errorCode": "required",
        "message": "must have required property 'Resource'"
    },
    {
        "errorCode": "additionalProperties",
        "message": "must NOT have additional properties"
    },
    {
        "errorCode": "anyOf",
        "message": "must match a schema in anyOf"
    }
]

When I manually submit the inline policy to the AWS SSO console, it works, so this is a limitation of SSO Extensions. Seems really restrictive not to permit NotAction, NotResource!

allquixotic commented 2 years ago

Looks like, per https://github.com/aws-samples/aws-sso-extensions-for-enterprise/blob/main/lib/payload-schema-definitions/PermissionSet-createUpdateS3.json

Not allowing NotAction and NotResource is a showstopper here though.

leelalagudu commented 2 years ago

@allquixotic , agree 100% on this. I was being a bit too careful with the schema validation here. Will fix the schema definitions to align with what SSO admin API allows.

leelalagudu commented 2 years ago

@allquixotic , the solution through #89 now aligns completely with the permission set schema supported by AWS SSO, except for sessionDurationInMinutes still being required to be a string and not a number.

Do let us know if this fixed the issues you are seeing, Leela

allquixotic commented 2 years ago

One additional problem I'm hitting is that inlinePolicyDocument is required, but specifying it as just {} (an empty JSON object) fails schema validation because it doesn't have a statement, etc. It also doesn't appear to like a Statement: [] with zero entries.

So what if I want to create a permission set that only has managed AWS policies, and no custom inline policy document?
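The two validation gaps raised above (statements using NotAction/NotResource being rejected, and an empty inlinePolicyDocument failing) both come down to how closely a payload schema tracks the IAM policy grammar. The following is an added example, not code from aws-iam-identity-center-extensions and not the project's schema (which lives in lib/payload-schema-definitions/PermissionSet-createUpdateS3.json): a small stand-alone validator for the S3 permission-set payload that accepts exactly one of Action/NotAction and one of Resource/NotResource per statement, treats `{}` or an empty Statement list as "no inline policy", and enforces the 10240-character inline policy limit the reporter cites. All function names and error strings are assumptions; the sample payloads are constructed from the permission set posted in this issue (the NotAction list is shortened to the four services shown) and from the managed-policies-only scenario.

```python
import json
from typing import Any, Dict, List

INLINE_POLICY_MAX_CHARS = 10240  # limit the reporter cites for inline policy documents
STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource", "NotResource", "Condition"}
DOCUMENT_KEYS = {"Version", "Id", "Statement"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def validate_statement(stmt: Any, idx: int) -> List[str]:
    """Check one Statement against the IAM identity-based policy grammar (assumed rules)."""
    if not isinstance(stmt, dict):
        return [f"Statement[{idx}]: must be an object"]
    errors: List[str] = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        errors.append(f"Statement[{idx}]: Effect must be 'Allow' or 'Deny'")
    # Action/NotAction and Resource/NotResource are mutually exclusive pairs;
    # a schema that only knows the positive form rejects valid Deny-by-exclusion policies.
    for positive, negative in (("Action", "NotAction"), ("Resource", "NotResource")):
        present = [k for k in (positive, negative) if k in stmt]
        if len(present) != 1:
            errors.append(f"Statement[{idx}]: exactly one of {positive}/{negative} is required")
            continue
        values = _as_list(stmt[present[0]])
        if not values or not all(isinstance(v, str) and v for v in values):
            errors.append(f"Statement[{idx}]: {present[0]} must be a non-empty string or list of strings")
    if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
        errors.append(f"Statement[{idx}]: Condition must be an object")
    # Principal/NotPrincipal are not valid in an identity-based policy, so they count as unexpected.
    extra = sorted(set(stmt) - STATEMENT_KEYS)
    if extra:
        errors.append(f"Statement[{idx}]: unexpected keys {extra}")
    return errors


def validate_policy_document(doc: Any) -> List[str]:
    """Validate inlinePolicyDocument; absent, {} or an empty Statement list means 'no inline policy'."""
    if doc is None or doc == {} or (isinstance(doc, dict) and doc.get("Statement") == []):
        return []
    if not isinstance(doc, dict):
        return ["inlinePolicyDocument: must be an object"]
    errors: List[str] = []
    if "Version" in doc and doc["Version"] not in ("2012-10-17", "2008-10-17"):
        errors.append("inlinePolicyDocument: Version must be '2012-10-17' or '2008-10-17'")
    if "Statement" not in doc:
        return errors + ["inlinePolicyDocument: Statement is required"]
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        errors.extend(validate_statement(stmt, idx))
    extra = sorted(set(doc) - DOCUMENT_KEYS)
    if extra:
        errors.append(f"inlinePolicyDocument: unexpected keys {extra}")
    if len(json.dumps(doc, separators=(",", ":"))) > INLINE_POLICY_MAX_CHARS:
        errors.append(f"inlinePolicyDocument: exceeds {INLINE_POLICY_MAX_CHARS} characters")
    return errors


def validate_permission_set(ps: Dict[str, Any]) -> List[str]:
    """Validate the whole S3 payload; returns an empty list when the payload is acceptable."""
    errors: List[str] = []
    if not isinstance(ps.get("permissionSetName"), str) or not ps["permissionSetName"]:
        errors.append("permissionSetName: required non-empty string")
    duration = ps.get("sessionDurationInMinutes")
    # Assumption: accept an integer or a numeric string (the project's schema still wants a string).
    if duration is not None and not (isinstance(duration, int) or (isinstance(duration, str) and duration.isdigit())):
        errors.append("sessionDurationInMinutes: must be an integer or numeric string")
    arns = ps.get("managedPoliciesArnList", [])
    if not isinstance(arns, list) or not all(isinstance(a, str) and a.startswith("arn:") for a in arns):
        errors.append("managedPoliciesArnList: must be a list of policy ARNs")
    errors.extend(validate_policy_document(ps.get("inlinePolicyDocument")))
    return errors


# Constructed from the permission set posted in this issue (NotAction list shortened).
PERMISSION_SET_FROM_ISSUE = {
    "permissionSetName": "Foo",
    "sessionDurationInMinutes": 720,
    "managedPoliciesArnList": ["arn:aws:iam::aws:policy/AdministratorAccess",
                               "arn:aws:iam::aws:policy/AWSSupportAccess"],
    "inlinePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Resource": "*", "NotAction": ["s3:*", "ec2:*", "ec2-reports:*", "iam:*"]},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"StringNotLike": {"aws:RequestedRegion": "us-east-1"}}},
            {"Effect": "Deny", "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketAcl"],
             "NotResource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2"]},
        ],
    },
    "relayState": "https://us-east-1.console.aws.amazon.com/console/home?region=us-east-1#",
    "tags": [{"Key": "versionid", "Value": "01"}],
}

# Constructed: managed policies only, no custom inline policy (the second scenario in the thread).
MANAGED_ONLY_PERMISSION_SET = {
    "permissionSetName": "Security-Auditor",
    "sessionDurationInMinutes": "60",
    "managedPoliciesArnList": ["arn:aws:iam::aws:policy/SecurityAudit"],
    "inlinePolicyDocument": {},
}

# Constructed: a statement that really is malformed (Action and NotAction together).
BAD_STATEMENT = {"Effect": "Deny", "Action": "*", "NotAction": "s3:*", "Resource": "*"}

if __name__ == "__main__":
    for name, ps in (("issue", PERMISSION_SET_FROM_ISSUE), ("managed-only", MANAGED_ONLY_PERMISSION_SET)):
        print(name, validate_permission_set(ps) or "OK")
    print("bad statement", validate_statement(BAD_STATEMENT, 0))
```

The key design choice is that the validator encodes the pairs (Action|NotAction, Resource|NotResource) as "exactly one of", which is what the SSO admin API accepts, rather than listing only the positive keys; a check that is stricter than the API it fronts silently blocks legitimate least-privilege patterns such as Deny-everything-except.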

leelalagudu commented 2 years ago

@allquixotic , with the updated schema validation for permission sets (s3/api interface) in #89 , this issue would be resolved as well. I just validated creating Security-Auditor PS from the samples using S3 interface and #89 and can confirm that the permission set has been successfully created.

To conclude, the scenario you require should work once v3.1.5 is merged, do let us know if you see any issues with the use case on v3.1.5.

Thank you, Leela

allquixotic commented 2 years ago

Cool, okay! In that case, I will deploy your branch and test it out to see if this does work. Thank you.