Closed. jsmartin closed this 4 years ago.
Hey, great question. Thanks for opening.
I'm glad you pointed this out with Elasticache. It's very strange that the resources are not showing up for that service. I'll dig into this.
Regarding the other 47 services - most of these services do not support resource ARN restrictions. For example, AWS IQ's Resource Types section says that 'To allow access to AWS IQ, specify “Resource”: “*” in your policy.'
So, when the output of `policy_sentry query arn-table --service iq` returns nothing, that is by design - it is not supposed to return any values.
However, this should not be the case for Elasticache. I'll dig into that. In the meantime let me know if you have any other comments or questions - happy to help.
Thanks for the quick response. Crazy that the only one I looked at in detail is the one that actually is a bug. For the other 47, is it possible to know whether it is because the doc parser picked up the fact that the docs say 'specify “Resource”: “*” in your policy.' vs some other reason? Maybe you already cover this in your doc parser (I haven't reviewed it).
Yeah that is pretty crazy lol. So, just to be sure - I manually went to each of the pages for those other 47 services and confirmed that the data is being collected properly. Those other 47 all require the use of `*` to access the service, so we are good there.
So, I think this happened due to a few factors:

1. The Amazon docs did not contain ElastiCache ARN information at the time of the last release. See how the updates to the ElastiCache resource ARN table were brand new between version 0.8.5 and 0.8.6: https://github.com/salesforce/policy_sentry/blame/master/policy_sentry/shared/data/docs/list_amazonelasticache.html#L2359
2. We have a monthly GitHub action that updates the IAM database. For whatever reason, the monthly IAM update script updated the HTML docs but did not update the IAM definition with those resources.
3. It probably did not help that we had some issues that @L-E-iT highlighted in #220 about how the IAM database was not pointing to the local database JSON when it existed on disk.
I am taking this action:
Using the latest version (0.8.6), with no locally generated IAM database. The following code shows me that there are 42/226 services that are missing ARN info.
This returns:
Just to do a spot-check I chose one service (elasticache), looked in `policy_sentry/shared/data/iam-definition.json`, and could not find any ARN data for elasticache. That data is found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html
Probably something changed with the ARN format in the docs?
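A check in the spirit of the missing-ARN count discussed in this thread, added here as an example and not policy_sentry's own code. It assumes the Parliament-style list layout that iam-definition.json used in 0.8.x (service dicts with `prefix` and `resources` keys) and runs on constructed sample data; the docs text is matched on the "Resource": "*" phrase quoted above, so it separates wildcard-only services from likely parser gaps.

```python
"""Audit a policy_sentry-style IAM definition for services with no resource ARNs.

Added example, not policy_sentry's own code. Assumes the Parliament-style
layout policy_sentry 0.8.x used for iam-definition.json: a list of service
dicts with "prefix" and "resources" keys.
"""
import json
import re

# Straight or curly quotes, as pasted from the AWS IAM docs in the thread.
WILDCARD_ONLY = re.compile(r'["\u201c]Resource["\u201d]\s*:\s*["\u201c]\*["\u201d]')

# Constructed sample in the assumed layout (not the real iam-definition.json).
SAMPLE_DEFINITION = json.dumps([
    {"prefix": "s3", "resources": [{"resource": "bucket", "arn": "arn:${Partition}:s3:::${BucketName}"}]},
    {"prefix": "elasticache", "resources": []},
    {"prefix": "iq", "resources": []},
])

# Constructed doc excerpts keyed by prefix; the real pages are the AWS IAM
# list_<service>.html files referenced in the thread.
SAMPLE_DOCS = {
    "s3": "Resource types defined by Amazon S3 ... bucket arn:${Partition}:s3:::${BucketName}",
    "elasticache": "Resource types defined by Amazon ElastiCache ... cluster arn:${Partition}:elasticache:...",
    "iq": "To allow access to AWS IQ, specify “Resource”: “*” in your policy.",
}


def services_missing_arns(definition_json):
    """Return, sorted, the prefixes whose definition carries no resource ARN entries."""
    services = json.loads(definition_json)
    return sorted(s["prefix"] for s in services if not s.get("resources"))


def classify_missing(definition_json, docs_by_prefix):
    """Split missing-ARN services into wildcard-only (by design) vs possible gaps.

    A service is 'by_design' when its docs text says to use "Resource": "*";
    any other service with docs text is flagged for manual review as a
    possible parser gap, and services without docs text are listed separately.
    """
    result = {"by_design": [], "possible_gap": [], "no_docs": []}
    for prefix in services_missing_arns(definition_json):
        text = docs_by_prefix.get(prefix)
        if text is None:
            result["no_docs"].append(prefix)
        elif WILDCARD_ONLY.search(text):
            result["by_design"].append(prefix)
        else:
            result["possible_gap"].append(prefix)
    return result


if __name__ == "__main__":
    print(json.dumps(classify_missing(SAMPLE_DEFINITION, SAMPLE_DOCS), indent=2))
```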