requires both identity check and resource check for cross-account checks

fixes #27

Author: Skybound1

iamspy/parse.py

@@ -519,7 +519,7 @@ def generate_evaluation_logic_checks(model_vars, source: Optional[str], resource
     )
     constraints.append(
         z3.Or(
-            z3.And(z3.String("s_account") != z3.String("r_account"), resource_check),
+            z3.And(z3.String("s_account") != z3.String("r_account"), identity_check, resource_check),
             z3.String("s_account") == z3.String("r_account"),
         )
     )

tests/test_integration.py

@@ -96,6 +96,15 @@
             ),
             True,
         ),
+        (
+            {"gaads": ["basic-allow.json"], "resources": ["cross-account-rp.json"]},
+            (
+                "arn:aws:iam::123456789012:role/name2",
+                "lambda:InvokeFunction",
+                "arn:aws:lambda:eu-west-1:111111111111:function:helloworld",
+            ),
+            False,
+        ),
         (
             {"gaads": ["allow-with-conditions.json"]},
             (