ncc-erik-steringer
commented
2 years ago In general we do not track edges where the source and destination Node are the same, which helps simplify other algorithms and eliminates redundancy for identifying effective permissions.
However, I think this would be a great idea for a new preset query. Right now the only real persistence check we have is for 2+ Node objects with edges that create a cycle between them (circular access finding from analysis):
It might be nice to create a persistence preset query that goes through one or more Node objects in a Graph to identify things like when someone can reassume a role (does this drop session policies?) or chains of Edge that go back to the source Node, etc.
RyanJarv
When a role attempts to assume it self an explicit allow in the trust policy is not strictly necessary for access. An explicit allow in the identity policy is sufficient.
This applies to the circular access check because role revocations do not effect very recently refreshed credentials. When a role can assume it self, a bash loop calling
aws sts assume-roleand exporting the new credentials to the environment will bypass a revocation triggered through the web UI.I still need to add tests, etc.. just wanted to open this in the mean time in case anyone has any thoughts on this.
Edit: Ok, just read the contributing section, I'll need to change the base and open an issue as well.