Resource Policies include an additional Principal element in their statements, which has to match the calling principal for the statement to match. There is rudimentary resource policy handling already, we just need to flesh it out and add tests. We should also add options to the query subcommands to evaluate against a resource policy (string/file/API).
When there's a resource policy involved, the actual authorization check seems to differ between different services. In S3, the resource policy doesn't have to authorize the calling principal if the principal's IAM policies allow the call. This isn't true in KMS or IAM (trust docs). Need to examine the resource referenced in the resource policy to choose if we need the resource policy to allow in addition to the IAM policy or not.
[x] Resource Policy Evaluation (Local)
[x] Test cases for local evaluation
[x] Update query module to add methods or args for handling queries involving resource policies.
[x] Update query and argquery subcommands with args for including resource policies. (--resource-policy-string, --resource-policy-arn, and --resource-policy-file seem like a good mutually-exclusive group)
[x] Implement resource policy gathering/caching for S3, KMS, SNS, and SQS at a minimum.
[x] Implement "fetching" code for --resource-policy-arn parameter, S3, IAM, KMS, SNS, SQS for the bare minimum
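The service-dependent rule described above (an Allow from either the identity policy or the resource policy is enough for S3/SNS/SQS, while a KMS key policy or an IAM role trust policy must itself allow the caller, or delegate to the account root) is easy to get subtly wrong, so here is a minimal model of it as an added example. This is not pmapper's code; it assumes same-account access, models only the `AWS` principal type, and ignores Conditions, NotPrincipal and session principals. The sample ARNs and policies are constructed for the example.

```python
"""Added example: how an identity-based policy and a resource policy combine.
Not pmapper's code. Assumes same-account access; Conditions, NotPrincipal,
session principals and cross-account rules are out of scope."""
import re
from typing import Any, Dict, List, Optional

# Services whose resource policy must itself allow the caller (KMS key
# policies, IAM role trust policies). Assumption for this example only.
RESOURCE_POLICY_REQUIRED = {"kms", "iam"}


def service_of(arn: str) -> str:
    """Service field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])


def _wildcard_match(pattern: str, target: str, ci: bool) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' one character.
    Actions match case-insensitively, resources case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, target, re.IGNORECASE if ci else 0) is not None


def _any_match(patterns: List[str], target: str, ci: bool = False) -> bool:
    return any(_wildcard_match(p, target, ci) for p in patterns)


def _principal_match(spec: Any, principal_arn: str) -> Optional[str]:
    """'direct' if the Principal names the caller (or '*'), 'account' if it only
    names the caller's account root (delegating the decision to IAM policies),
    None if it does not match."""
    if spec == "*":
        return "direct"
    account = principal_arn.split(":")[4]
    kind = None
    for entry in _as_list(spec.get("AWS")) if isinstance(spec, dict) else []:
        if entry in ("*", principal_arn):
            return "direct"
        if entry in (account, f"arn:aws:iam::{account}:root"):
            kind = "account"
    return kind


def evaluate_policy(policy: Dict[str, Any], action: str, resource: str,
                    principal_arn: Optional[str] = None) -> Optional[str]:
    """Return 'Deny', 'Allow', 'Delegated' (allowed only via the account-root
    principal) or None (no matching statement). Pass principal_arn only for a
    resource policy; identity policies carry no Principal element."""
    result = None
    for stmt in _as_list(policy.get("Statement")):
        actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
        if actions and not _any_match(actions, action, True):
            continue
        if not_actions and _any_match(not_actions, action, True):
            continue
        # Trust policies have no Resource element, so an absent Resource matches.
        resources, not_resources = _as_list(stmt.get("Resource")), _as_list(stmt.get("NotResource"))
        if resources and not _any_match(resources, resource):
            continue
        if not_resources and _any_match(not_resources, resource):
            continue
        effect = stmt.get("Effect")
        if principal_arn is not None:
            kind = _principal_match(stmt.get("Principal"), principal_arn)
            if kind is None:
                continue
            if kind == "account" and effect == "Allow":
                effect = "Delegated"
        if effect == "Deny":
            return "Deny"  # an explicit Deny anywhere is final
        if effect == "Allow" or (effect == "Delegated" and result is None):
            result = effect
    return result


def is_authorized(principal_arn: str, identity_policies: List[Dict[str, Any]],
                  action: str, resource: str,
                  resource_policy: Optional[Dict[str, Any]] = None) -> bool:
    """Combine the caller's identity policies with the resource's policy."""
    identity = {evaluate_policy(p, action, resource) for p in identity_policies}
    if "Deny" in identity:
        return False
    identity_allows = "Allow" in identity
    if resource_policy is None:
        return identity_allows
    rp = evaluate_policy(resource_policy, action, resource, principal_arn)
    if rp == "Deny":
        return False
    if service_of(resource) in RESOURCE_POLICY_REQUIRED:
        # KMS key policy / IAM trust policy: must name the caller, or delegate
        # to the account root and let the identity policies decide.
        return rp == "Allow" or (rp == "Delegated" and identity_allows)
    # S3, SNS, SQS in the same account: an Allow from either side is enough.
    return identity_allows or rp == "Allow"


# Constructed sample data (fake account id, bucket, key id and role).
USER = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
OBJECT = "arn:aws:s3:::example-bucket/secret.txt"
KEY = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
ROLE = "arn:aws:iam::123456789012:role/Admin"
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt", "sts:AssumeRole"], "Resource": "*"}]}
BUCKET_ONLY_BOB = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": BOB},
                                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
BUCKET_DENY_ALL = {"Statement": [{"Effect": "Deny", "Principal": "*",
                                  "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
KEY_ONLY_BOB = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "kms:*", "Resource": "*"}]}
KEY_ROOT = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                           "Action": "kms:*", "Resource": "*"}]}
TRUST_ALICE = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "sts:AssumeRole"}]}


def demo() -> Dict[str, bool]:
    return {
        "s3_identity_only": is_authorized(USER, [IDENTITY], "s3:GetObject", OBJECT, BUCKET_ONLY_BOB),
        "s3_explicit_deny": is_authorized(USER, [IDENTITY], "s3:GetObject", OBJECT, BUCKET_DENY_ALL),
        "kms_not_in_key_policy": is_authorized(USER, [IDENTITY], "kms:Decrypt", KEY, KEY_ONLY_BOB),
        "kms_root_delegation": is_authorized(USER, [IDENTITY], "kms:Decrypt", KEY, KEY_ROOT),
        "trust_policy_alone": is_authorized(USER, [], "sts:AssumeRole", ROLE, TRUST_ALICE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The `demo()` cases are the ones the issue text calls out: alice reads the S3 object on the strength of her IAM policy alone even though the bucket policy only names bob, the same IAM policy does not get her `kms:Decrypt` on a key whose policy names only bob, a key policy that delegates to the account root does, a trust policy that names her directly lets her assume the role with no identity policy at all, and an explicit Deny in the bucket policy overrides everything.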