I've noticed that only AWS Backup has a special ARN pattern `arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId}` that can match any resource.
I've tweaked it by replacing `${Vendor}` with the service name (`backup` in this case).
## Test

### Test case 1. Single resource, single NotAction
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Resource": [
        "arn:aws:lambda:us-west-2:012345678901:function:MyFunctionName*"
      ],
      "NotAction": [
        "lambda:Invoke*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
this PR | AWS IAM Policy Creator
---|---
AddPermission | AddPermission
CreateAlias | CreateAlias
CreateFunction | CreateFunction
CreateFunctionUrlConfig | CreateFunctionUrlConfig
DeleteAlias | DeleteAlias
DeleteFunction | DeleteFunction
DeleteFunctionCodeSigningConfig | DeleteFunctionCodeSigningConfig
DeleteFunctionConcurrency | DeleteFunctionConcurrency
DeleteFunctionEventInvokeConfig | DeleteFunctionEventInvokeConfig
DeleteFunctionUrlConfig | DeleteFunctionUrlConfig
❌ missing in data source | DeleteProvisionedConcurrencyConfig
DisableReplication | DisableReplication
EnableReplication | EnableReplication
GetAlias | GetAlias
GetFunction | GetFunction
GetFunctionCodeSigningConfig | GetFunctionCodeSigningConfig
GetFunctionConcurrency | GetFunctionConcurrency
GetFunctionConfiguration | GetFunctionConfiguration
GetFunctionEventInvokeConfig | GetFunctionEventInvokeConfig
GetFunctionUrlConfig | GetFunctionUrlConfig
GetPolicy | GetPolicy
❌ missing in data source | GetProvisionedConcurrencyConfig
GetRuntimeManagementConfig | GetRuntimeManagementConfig
ListAliases | ListAliases
ListFunctionEventInvokeConfigs | ListFunctionEventInvokeConfigs
ListFunctionUrlConfigs | ListFunctionUrlConfigs
ListProvisionedConcurrencyConfigs | ListProvisionedConcurrencyConfigs
ListTags | ListTags
ListVersionsByFunction | ListVersionsByFunction
PublishVersion | PublishVersion
PutFunctionCodeSigningConfig | PutFunctionCodeSigningConfig
PutFunctionConcurrency | PutFunctionConcurrency
PutFunctionEventInvokeConfig | PutFunctionEventInvokeConfig
❌ missing in data source | PutProvisionedConcurrencyConfig
PutRuntimeManagementConfig | PutRuntimeManagementConfig
RemovePermission | RemovePermission
TagResource | TagResource
UntagResource | UntagResource
UpdateAlias | UpdateAlias
UpdateFunctionCode | UpdateFunctionCode
UpdateFunctionCodeSigningConfig | UpdateFunctionCodeSigningConfig
UpdateFunctionConfiguration | UpdateFunctionConfiguration
UpdateFunctionEventInvokeConfig | UpdateFunctionEventInvokeConfig
UpdateFunctionUrlConfig | UpdateFunctionUrlConfig
### Test case 2. Multiple resources, multiple NotActions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "s3:Put*",
        "s3:*Bucket*",
        "s3:*Configuration*",
        "s3:Delete*",
        "s3:*ACL*",
        "s3:*Version*",
        "s3:*Replica*"
      ],
      "Resource": [
        "arn:aws:s3:::a-service-static",
        "arn:aws:s3:::a-service-static/*"
      ]
    }
  ]
}
```
this PR | AWS IAM Policy Creator
-- | --
s3:AbortMultipartUpload | AbortMultipartUpload
s3:BypassGovernanceRetention | BypassGovernanceRetention
s3:GetObject | GetObject
s3:GetObjectAttributes | GetObjectAttributes
s3:GetObjectLegalHold | GetObjectLegalHold
s3:GetObjectRetention | GetObjectRetention
s3:GetObjectTagging | GetObjectTagging
s3:GetObjectTorrent | GetObjectTorrent
s3:ListMultipartUploadParts | ListMultipartUploadParts
s3:RestoreObject | RestoreObject
ssm:SendCommand 🤔 | -
`ssm:SendCommand` contains `resource_type: bucket` in iam-dataset.
That is the reason `ssm:SendCommand` appears in this PR.
However, I am not sure it is not listed in AWS IAM Policy Creator.
I guess it is a negligible difference.
Not perfect, but better than now.
Closes #4
After this PR, NotAction-based IAM actions will be shown if they match any of the given Resource. Resource matching is calculated from ARN patterns which are created from `resources[].arn` in https://github.com/iann0036/iam-dataset/blob/main/aws/iam_definition.json, e.g.:
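The matching described above, as an added worked example (my code, not the PR's or the project's): a constructed two-entry stand-in for `iam_definition.json`, a tokeniser that applies the `${Vendor}` replacement, a glob-intersection check between a dataset ARN template and a policy `Resource` (policy `*`/`?` wildcards included), and the NotAction subtraction. The names `template_tokens`, `globs_intersect`, `allowed_actions` and the rule that a template field such as `${Region}` never spans `:` are assumptions of this example, not something the PR states.

```python
import re
from functools import lru_cache
SEG = "SEG"  # template token for one ARN field (${Region}, the '*' account field, ...): anything but ':'

IAM_DEFINITION = [  # constructed stand-in for two iam_definition.json entries (iam-dataset shape, not the real file)
    {"prefix": "lambda", "resources": [{"resource": "function", "arn":
        "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}"}],
     "privileges": [{"privilege": p, "resource_types": [{"resource_type": "function*"}]}
                    for p in ("InvokeFunction", "GetFunction")]},
    {"prefix": "backup", "resources": [{"resource": "recoveryPoint", "arn":
        "arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId}"}],
     "privileges": [{"privilege": "DeleteRecoveryPoint", "resource_types": [{"resource_type": "recoveryPoint*"}]}]},
]

def template_tokens(arn_template, service, fix_vendor=True):
    """Tokenise a dataset ARN template: ${Vendor} -> service prefix (the PR's tweak; fix_vendor=False keeps the wildcard), other ${Var}/'*' -> SEG."""
    if fix_vendor:
        arn_template = arn_template.replace("${Vendor}", service)
    toks = []
    for i, lit in enumerate(re.split(r"\$\{[^}]+\}|\*", arn_template)):
        toks.extend(lit if i == 0 else (SEG, *lit))  # a SEG token stands where each placeholder/'*' was
    return tuple(toks)

def globs_intersect(a, b):
    """True if some concrete ARN matches both token sequences ('*' spans anything, SEG anything but ':', '?' one character)."""
    @lru_cache(maxsize=None)
    def f(i, j):
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] in ("*", SEG):  # wildcard on a: match nothing, or absorb one token of b
            return f(i + 1, j) or (j < len(b) and (a[i] == "*" or b[j] != ":") and f(i, j + 1))
        if j < len(b) and b[j] in ("*", SEG):  # same rule with the sides swapped
            return f(i, j + 1) or (i < len(a) and (b[j] == "*" or a[i] != ":") and f(i + 1, j))
        return i < len(a) and j < len(b) and (a[i] == b[j] or "?" in (a[i], b[j])) and f(i + 1, j + 1)
    return f(0, 0)

def allowed_actions(statement, definition=IAM_DEFINITION):
    """Actions an Allow+NotAction statement grants: dataset actions whose resource ARN template can overlap a Resource entry, minus NotAction matches."""
    deny = [re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") for p in statement["NotAction"]]
    out = []
    for svc in definition:
        arns = {r["resource"]: r["arn"] for r in svc["resources"]}
        for priv in svc["privileges"]:
            action = f'{svc["prefix"]}:{priv["privilege"]}'
            if any(re.fullmatch(rx, action, re.IGNORECASE) for rx in deny):
                continue  # carved out by NotAction (action patterns are case-insensitive)
            templates = [arns[rt["resource_type"].rstrip("*")] for rt in priv["resource_types"] if rt["resource_type"]]
            if any(globs_intersect(template_tokens(t, svc["prefix"]), tuple(r))
                   for t in templates for r in statement["Resource"]):
                out.append(action)
    return out
```

With `fix_vendor=False` the Backup template degrades to `arn:SEG:SEG:SEG:SEG:SEG:SEG` and overlaps the Lambda resource from test case 1, which is the behaviour the note above describes; with the tweak it no longer does.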