duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Fix access_check for S3 bucket regex #699

Closed 0xdabbad00 closed 4 years ago

0xdabbad00 commented 4 years ago

If you have a company with S3 buckets:

And then you have an IAM user Bob with S3 access to arn:aws:s3:::widgets.*.data/* and then you run:

python cloudmapper.py access_check --account prod --resource_arn arn:aws:s3:::widgets.backups/* --privilege s3:getobject

This will show Bob has access to the widgets.backups bucket, because technically, there could be an object named widgets.backups/foo.data/bar. Although what I do is technically correct, for my current use case at least, it is giving me results I don't want.

0xdabbad00 commented 4 years ago

Never mind, I realized that since I want to know if an arbitrary file could be accessed, I could specify an arbitrary file of arn:aws:s3:::widgets.backups/test instead of arn:aws:s3:::widgets.backups/*.
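The overlap described in this issue, as an added example that is not CloudMapper's own code: a small matcher for IAM-style resource wildcards that, given a policy pattern and a query pattern, either produces a concrete ARN satisfying both or reports that none exists. The function names `overlap_witness` and `matches` and the sample ARNs are assumptions for illustration.

```python
import re
from functools import lru_cache

# IAM resource wildcards: '*' matches any run of characters (including none),
# '?' matches exactly one character, everything else is literal.


def overlap_witness(p: str, q: str):
    """Return a concrete string matched by both patterns p and q, or None.

    A concrete ARN is just a pattern with no wildcards, so this also answers
    "does this ARN match the policy pattern?" (witness == the ARN itself).
    """

    @lru_cache(maxsize=None)
    def go(i: int, j: int):
        if i == len(p) and j == len(q):
            return ""
        a = p[i] if i < len(p) else None
        b = q[j] if j < len(q) else None
        if a == "*":
            r = go(i + 1, j)                      # p's '*' matches nothing here
            if r is None and b is not None:       # or absorbs one unit of q
                r = go(i, j + 1)
                if r is not None and b != "*":    # q's '*' contributes no char
                    r = ("x" if b == "?" else b) + r
            return r
        if b == "*":                              # same moves with roles swapped
            r = go(i, j + 1)
            if r is None and a is not None:
                r = go(i + 1, j)
                if r is not None:
                    r = ("x" if a == "?" else a) + r
            return r
        if a is None or b is None:
            return None
        if a == "?" or b == "?" or a == b:        # one character consumed by both
            r = go(i + 1, j + 1)
            if r is None:
                return None
            return (a if a != "?" else (b if b != "?" else "x")) + r
        return None

    return go(0, 0)


def matches(pattern: str, arn: str) -> bool:
    """Independent regex-based check that a concrete ARN matches a pattern."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, arn) is not None


# Constructed sample: Bob's policy resource and the two queries from the issue.
POLICY = "arn:aws:s3:::widgets.*.data/*"
QUERY_WILDCARD = "arn:aws:s3:::widgets.backups/*"   # overlaps (some key could match)
QUERY_OBJECT = "arn:aws:s3:::widgets.backups/test"  # a concrete object: no overlap
```

Querying with a concrete object key, as the second comment suggests, is exactly the case where `overlap_witness` returns `None`, while the wildcard query yields a witness such as `arn:aws:s3:::widgets.backups/.data/`.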