Closed christophetd closed 2 years ago
Resource policies are supported as of v1.1.0 with the `query`/`argquery` commands. You need to specify either the `--resource-policy-text` param, or the `--with-resource-policy` flag.

For `--resource-policy-text`, this lets you input a bucket policy that is included in evaluation.

For `--with-resource-policy`, this grabs the related resource policy that gets cached during `graph create`. S3 is supported for this particular functionality in v1.1.0+, as well as SNS+SQS+KMS. We also added Secrets Manager support in the `v1.1.2-dev` branch. Note that the "resource" component of your query must have a specific bucket or object, no wildcards. Additionally, for S3, you'll have to specify the `--resource-owner` parameter with the account ID of the owner of the S3 bucket (since the ARN doesn't have it).
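A worked invocation of the flags described in the comment above, added here as an example and not taken from the PMapper project or the thread participants. It assumes `pmapper` is on `PATH` and that `pmapper graph create` has already been run for the account; the account ID, bucket, object key, principal names and the bucket policy itself are constructed placeholders, and `--principal`, `--action` and `--resource` are assumed to be the standard `argquery` parameters. The query names a specific object (no wildcard) and passes `--resource-owner` because the S3 ARN carries no account ID.

```shell
#!/bin/sh
# Added example (not PMapper's own code). Assumes `pmapper` is installed and the
# graph for the account has already been created with `pmapper graph create`.
set -e

# Constructed placeholders: the bucket owner's account ID, a specific object ARN
# (PMapper requires a concrete bucket/object here, not a wildcard), and the
# local principal whose access we are asking about.
RESOURCE_OWNER="123456789012"
OBJECT_ARN="arn:aws:s3:::example-bucket/reports/q1.csv"
PRINCIPAL="user/alice"
POLICY_FILE="${TMPDIR:-/tmp}/example-bucket-policy.json"

# Write a constructed bucket policy to disk. It grants s3:GetObject on the
# reports/ prefix to a single role in the same account, so the evaluation has
# to combine alice's identity policies (and any role she can assume) with this
# resource policy.
write_policy() {
  cat > "$POLICY_FILE" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAnalystRead",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/analyst" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/reports/*"
    }
  ]
}
EOF
  printf '%s\n' "$POLICY_FILE"
}

# Sanity-check the file before handing it to pmapper: it must exist and carry
# the policy-language version and a Statement block. Returns 0 on success.
policy_looks_sane() {
  [ -s "$POLICY_FILE" ] \
    && grep -q '"Version": "2012-10-17"' "$POLICY_FILE" \
    && grep -q '"Statement"' "$POLICY_FILE"
}

# Ask PMapper whether alice can read the object, including the bucket policy
# supplied inline via --resource-policy-text. --resource-owner supplies the
# bucket owner's account ID that the S3 ARN lacks.
run_query() {
  pmapper argquery \
    --principal "$PRINCIPAL" \
    --action "s3:GetObject" \
    --resource "$OBJECT_ARN" \
    --resource-owner "$RESOURCE_OWNER" \
    --resource-policy-text "$(cat "$POLICY_FILE")"
}

# Alternative: reuse the bucket policy PMapper cached during `graph create`
# instead of pasting it in (also requires --resource-owner for S3).
run_query_with_cached_policy() {
  pmapper argquery \
    --principal "$PRINCIPAL" \
    --action "s3:GetObject" \
    --resource "$OBJECT_ARN" \
    --resource-owner "$RESOURCE_OWNER" \
    --with-resource-policy
}

write_policy >/dev/null
policy_looks_sane

# Only invoke pmapper when it is actually available, so the script still runs
# (and the policy file is still produced) on a machine without it.
if command -v pmapper >/dev/null 2>&1; then
  run_query
fi
```

The two query functions show the two modes the comment describes: `--resource-policy-text` for a policy you supply (useful for "what if" checks against a policy you are about to deploy), and `--with-resource-policy` for the policy PMapper already cached at graph-creation time.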
Sounds great, thanks for the instructions! Do you feel like it would be useful to showcase this somewhere in the wiki?
Could probably fit it in https://github.com/nccgroup/PMapper/wiki/Query-Reference or https://github.com/nccgroup/PMapper/wiki/CLI-Reference#query (plus argquery section). Thoughts on the best place for it?
How about a page for common use-cases instead of being embedded in a reference?
Would be super useful to have support for S3 bucket policies! Is this something on your roadmap?