duo-labs / cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
BSD 3-Clause "New" or "Revised" License

Add Support For "NotAction" IAM Policy Clause #76

Open bc-jcarlson opened 4 years ago

bc-jcarlson commented 4 years ago

It appears that cloudtracker doesn't enumerate the full list of granted permissions for both users and roles that utilize the "NotAction" clause.

Example IAM Policy:

        {
            "Sid": "AllowAllOperationsExceptIamAndCloudTrail",
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "cloudtrail:*"
            ]
        },

Cloudtracker output for this role shows only the permissions granted by other policies that use the "Action" clause, with a large number of services noting the "+" designation that were used via this policy.

This issue can lead to inaccurate results and missed permissions when using the tool.
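As an added example (not part of this issue or of CloudTracker's own code), the snippet below shows how a tool can expand a statement's `Action` or `NotAction` into the concrete actions it grants, so that a `NotAction` policy like the one above is enumerated rather than skipped. The action catalogue is a small constructed sample, the policy is the statement from the issue wrapped in a complete document, and `Resource` and `Condition` are assumed to be out of scope for this step.

```python
"""Expand IAM policy statements (Action and NotAction) into concrete actions."""
import fnmatch

# Constructed sample of IAM actions; a real tool would load the full
# service/action catalogue. Assumption: this list is illustrative only.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:RunInstances",
    "iam:CreateUser", "iam:PassRole",
    "cloudtrail:StopLogging", "cloudtrail:DescribeTrails",
]


def _as_list(value):
    """IAM accepts a scalar or a list in Action/NotAction/Statement; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matching(patterns, universe):
    """Actions in `universe` matched by any pattern (IAM matching is case-insensitive)."""
    return {a for a in universe
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}


def statement_actions(stmt, universe=KNOWN_ACTIONS):
    """Concrete actions a single statement refers to, for Action or NotAction."""
    if "NotAction" in stmt:
        # NotAction grants everything in the universe EXCEPT the listed patterns,
        # which is why it cannot be treated like an empty Action list.
        return set(universe) - _matching(_as_list(stmt["NotAction"]), universe)
    return _matching(_as_list(stmt.get("Action")), universe)


def effective_allowed_actions(policy, universe=KNOWN_ACTIONS):
    """Allowed actions across all statements; an explicit Deny always wins.
    Resource and Condition are ignored here (assumption for this example)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target |= statement_actions(stmt, universe)
    return sorted(allowed - denied)


# The statement from the issue, wrapped in a complete policy document (constructed).
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAllOperationsExceptIamAndCloudTrail",
    "Effect": "Allow", "Resource": "*",
    "NotAction": ["iam:*", "cloudtrail:*"]}]}
```

Running `effective_allowed_actions(POLICY)` against the sample catalogue yields every s3 and ec2 action and none of the iam or cloudtrail ones, which is the set a privilege-usage comparison needs to start from.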