nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0
1.41k stars 169 forks

S3 Bucket Policy support #84

Closed christophetd closed 2 years ago

christophetd commented 3 years ago

Would be super useful to have support for S3 bucket policies! Is this something on your roadmap?

ncc-erik-steringer commented 3 years ago

Resource policies are supported as of v1.1.0 with the query/argquery commands. You need to specify either the --resource-policy-text param, or the --with-resource-policy flag.

For --resource-policy-text, this lets you input a bucket policy that is included in evaluation.

For --with-resource-policy, this grabs the related resource policy that gets cached during graph create. S3 is supported for this particular functionality in v1.1.0+, as well as SNS+SQS+KMS. We also added Secrets Manager support in the v1.1.2-dev branch. Note that the "resource" component of your query must have a specific bucket or object, no wildcards. Additionally, for S3, you'll have to specify the --resource-owner parameter with the account ID of the owner of the S3 bucket (since the ARN doesn't have it).
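The usage rules in the comment above, put into a runnable form as an added example (not code from the PMapper project or from anyone in this thread): a small POSIX shell helper assembles the `pmapper argquery` call and refuses inputs the comment says will not work, a wildcard in the resource or an S3 ARN without `--resource-owner`. The `--principal`, `--action` and `--resource` flags are assumed to be argquery's standard ones; the account ID, bucket and policy document are constructed placeholders.

```shell
#!/bin/sh
# Added example (not PMapper's own code): build a `pmapper argquery` command that
# evaluates an S3 bucket policy, enforcing the two caveats from the comment above:
# the resource must be a specific bucket or object (no wildcards), and an S3 ARN
# needs --resource-owner because the ARN itself carries no account ID.
# Assumed: argquery's --principal/--action/--resource flags; the account ID and
# bucket names below are constructed placeholders.

# Usage: build_argquery PRINCIPAL ACTION RESOURCE_ARN [OWNER_ACCOUNT_ID] [POLICY_FILE]
# Prints the command line on stdout; returns 1 (with the reason on stderr) when
# the inputs would not be accepted for resource-policy evaluation.
build_argquery() {
    principal="$1"; action="$2"; resource="$3"; owner="${4:-}"; policy_file="${5:-}"

    # The queried resource has to be a concrete bucket or object, no wildcards.
    case "$resource" in
        *'*'*)
            echo "refusing: resource must name a specific bucket or object, no wildcards" >&2
            return 1 ;;
    esac

    cmd="pmapper argquery --principal $principal --action $action --resource $resource"

    # S3 ARNs carry no account ID, so the bucket owner must be passed explicitly.
    case "$resource" in
        arn:aws:s3:::*)
            if [ -z "$owner" ]; then
                echo "refusing: S3 ARNs carry no account ID; pass the bucket owner's account ID" >&2
                return 1
            fi
            cmd="$cmd --resource-owner $owner" ;;
    esac

    if [ -n "$policy_file" ]; then
        # Supply a policy document yourself instead of the one cached at graph create.
        cmd="$cmd --resource-policy-text \"\$(cat $policy_file)\""
    else
        # Use the resource policy PMapper cached during `pmapper graph create`.
        cmd="$cmd --with-resource-policy"
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample bucket policy: lets one IAM user read objects in example-bucket.
# A wildcard is fine inside the policy; it is only the queried resource that must be specific.
POLICY_FILE="$(mktemp)"
cat > "$POLICY_FILE" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}
EOF

# Two valid invocations: one with the supplied policy text, one with the cached policy.
build_argquery user/alice s3:GetObject arn:aws:s3:::example-bucket/report.csv 123456789012 "$POLICY_FILE"
build_argquery user/alice s3:GetObject arn:aws:s3:::example-bucket/report.csv 123456789012
```

The helper only prints the command, so it can be checked without PMapper installed; paste the printed line into a shell where `pmapper graph create` has already been run for the account.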

christophetd commented 3 years ago

Sounds great, thanks for the instructions! Do you feel like it would be useful to showcase this somewhere in the wiki?

ncc-erik-steringer commented 3 years ago

Could probably fit it in https://github.com/nccgroup/PMapper/wiki/Query-Reference or https://github.com/nccgroup/PMapper/wiki/CLI-Reference#query (plus argquery section). Thoughts on the best place for it?

christophetd commented 3 years ago

How about a page for common use-cases instead of being embedded in a reference?