Open fwesselhoft opened 5 years ago
@fwesselhoft at first glance, this seems like a bug to me. Even if a specific resource is selected, the IAM User still has the "s3:DeleteBucket" action which should match despite the resource being "arn::12345" instead of "*"
I saw you posted directly on the C7N Github which is a great place to start. https://github.com/cloud-custodian/cloud-custodian/issues/3383
We don't have local IAM users but I can try and replicate in my personal environment and post results when I have a chance.
Thank you very much @byronenos2! I also thought this was either some kind of glitch/bug, or the functionality is just not all in there, as I would have expected to see the iam-users that had the "s3:DeleteBucket" action allowed for specific bucket ARNs and not just for * (all).
That would be great if you can try to replicate this, thank you SO VERY much. I will also keep on playing with this and will reply to this thread if I find a better way to get this working. Have a great day and thank you again!
Thank you for sharing those policies, very helpful. I have been playing with the check-permissions filter within the iam-user resource, trying to list/map the following: IAM account --> Allowed Actions --> Resources, but I'm stuck, and I'm wondering if you could point me in the right direction.
The current policy, when run, outputs a resource.yml file that contains the IAM accounts that are allowed to perform an s3:DeleteBucket action against all resources (*), but fails to list accounts that have the s3:DeleteBucket action allowed against specific resources only.
policies:
Am I missing something, or is the functionality not there yet? Thank you very much for the help, and I apologize beforehand if I posted this in the wrong place; I'm very new to GitHub.
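The behaviour described in the thread is what you get when an action is simulated against the resource "*" rather than against a concrete bucket ARN: a grant scoped to one bucket does not match "*", so the user shows up as implicitly denied. The script below is an added example written for this page, not Cloud Custodian code; it is a deliberately small local model of IAM evaluation (Allow/Deny with `*`/`?` wildcards; NotAction, NotResource and Conditions are left out). The three users and their inline policies are constructed for the demo. It assumes (my reading, not stated in the thread) that the check-permissions filter is backed by the IAM policy simulator, which evaluates against "*" unless resource ARNs are supplied.

```python
# Added example, not Cloud Custodian's code. Minimal local model of IAM policy
# evaluation, enough to show why checking "s3:DeleteBucket" against resource "*"
# misses a user whose grant is scoped to a specific bucket ARN.
import re


def _glob(pattern, ignore_case=False):
    """Compile an IAM-style wildcard ('*' any run, '?' one char) to a regex.
    Everything else is escaped, so ':' and '/' in ARNs are taken literally."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                   for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _match_any(patterns, value, ignore_case=False):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_glob(p, ignore_case).match(value) for p in patterns)


def _statements(doc):
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def is_allowed(policy_documents, action, resource):
    """Simplified IAM decision: explicit Deny wins, otherwise any matching Allow
    grants, otherwise implicit deny. Actions are case-insensitive, ARNs are not."""
    allowed = False
    for doc in policy_documents:
        for stmt in _statements(doc):
            if not (_match_any(stmt.get("Action", []), action, ignore_case=True)
                    and _match_any(stmt.get("Resource", []), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def resources_granted(policy_documents, action):
    """Static view: the Resource patterns of every Allow statement whose Action
    matches. This is the 'user -> action -> resources' map asked about above.
    Caveat: it ignores Deny statements, so treat it as a candidate list and
    confirm each entry with a resource-aware is_allowed() check."""
    found = []
    for doc in policy_documents:
        for stmt in _statements(doc):
            if stmt["Effect"] == "Allow" and _match_any(
                    stmt.get("Action", []), action, ignore_case=True):
                res = stmt.get("Resource", [])
                found.extend([res] if isinstance(res, str) else res)
    return found


# Constructed sample data: three IAM users with one inline policy each.
USERS = {
    # Allowed on every bucket: the only user the "*" check catches.
    "alice": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "*"}]}],
    # Allowed on exactly one bucket: invisible to a check against "*".
    "bob": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::finance-archive"}]}],
    # Broad Allow cancelled by an explicit Deny on DeleteBucket.
    "carol": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}],
}


def users_allowed(action, resource="*"):
    """Users allowed to perform `action` on `resource` (default: '*', which is
    what a simulation with no resource ARNs effectively evaluates)."""
    return sorted(u for u, docs in USERS.items() if is_allowed(docs, action, resource))


if __name__ == "__main__":
    print("against '*':        ", users_allowed("s3:DeleteBucket"))
    print("against finance ARN:", users_allowed("s3:DeleteBucket",
                                                "arn:aws:s3:::finance-archive"))
    for user, docs in USERS.items():
        print(user, "->", resources_granted(docs, "s3:DeleteBucket"))
```

Run against "*" only alice is reported; run against the bucket ARN both alice and bob are, and carol never is because her explicit Deny wins. The practical takeaway for the policy in the thread: to find users with DeleteBucket rights on specific buckets, either supply the bucket ARNs to whatever does the evaluation, or first collect candidate resource patterns statically (`resources_granted`) and then confirm each one with a resource-aware check.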