iann0036 / aws.permissions.cloud

A crowdsourced AWS IAM permissions reference.
https://aws.permissions.cloud
MIT License

Better NotAction Handling #4

Closed jasonwadsworth closed 1 year ago

jasonwadsworth commented 2 years ago

I have a policy that includes a statement similar to this:

        {
            "Resource": [
                "arn:aws:lambda:us-west-2:012345678901:function:MyFunctionName*"
            ],
            "NotAction": [
                "lambda:Invoke*"
            ],
            "Effect": "Allow"
        }

This policy is intended to grant access to my CI/CD pipeline to make changes to the function, but not to execute the function. When evaluating this policy I get 10K-plus lines of permissions, which are mostly inaccurate due to the resource restriction. Ideally the evaluation would identify the limited resource and only show permissions that can be included. I'd even consider it a huge improvement if it just limited the results by the service(s) of the resource ARN(s).
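One way to implement the narrowing the issue asks for, as an added example that is not part of the project or this thread: expand the `NotAction` complement against an action catalogue, then keep only actions whose service prefix appears in the statement's `Resource` ARNs. The catalogue here is a constructed, abbreviated stand-in for the real reference, and wildcard matching approximates IAM's case-insensitive `*`/`?` semantics; matching on resource type (e.g. `function`) is left out.

```python
import fnmatch

# Constructed, abbreviated action catalogue; the real reference has thousands.
ACTION_CATALOGUE = [
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:InvokeFunction",
    "lambda:InvokeAsync",
    "lambda:GetFunction",
    "s3:GetObject",
    "iam:PassRole",
]


def arn_services(resources):
    """Service prefixes named by the Resource ARNs; None means unrestricted ('*')."""
    services = set()
    for arn in resources:
        if arn == "*":
            return None
        parts = arn.split(":")  # arn:partition:service:region:account:resource
        if len(parts) < 6 or parts[0] != "arn":
            raise ValueError(f"malformed ARN: {arn}")
        services.add(parts[2].lower())
    return services


def matches_any(action, patterns):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_by_notaction(statement, catalogue=ACTION_CATALOGUE):
    """Catalogue actions granted by an Allow/NotAction statement, limited to
    the services of its Resource ARNs (the narrowing the issue suggests)."""
    if statement.get("Effect") != "Allow" or "NotAction" not in statement:
        raise ValueError("expected an Allow statement with NotAction")
    excluded = statement["NotAction"]
    resources = statement.get("Resource", ["*"])
    excluded = [excluded] if isinstance(excluded, str) else excluded
    resources = [resources] if isinstance(resources, str) else resources
    services = arn_services(resources)
    result = []
    for action in catalogue:
        service = action.split(":", 1)[0].lower()
        if services is not None and service not in services:
            continue  # resource ARN cannot apply to this service
        if not matches_any(action, excluded):
            result.append(action)
    return result
```

Even with this filter, some listed actions may still be unusable because the ARN's resource type does not match the action's required resource type, so treat the output as an upper bound.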

iann0036 commented 2 years ago

Great suggestion @jasonwadsworth,

I'll have to do a bit of research on this as I suspect there may be unexpected inclusions under some circumstances. Will let you know.