Checker IAM evaluation is not correct #70

@psantus

Description

IAM evaluation relies on `aws iam simulate-principal-policy`, but I have noticed that this can give surprising/false results.

For instance, I'm using a role with the AdministratorAccess managed policy attached to it, and the simulator returns implicitDeny!!

```
> aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<redacted>:role/<redacted> --action-names ecs:ExecuteCommand --resource-arns arn:aws:ecs:eu-west-3:<redacted>:task/<redacted> --profile <redacted>
{
    "EvaluationResults": [
        {
            "EvalActionName": "ecs:ExecuteCommand",
            "EvalResourceName": "arn:aws:ecs:eu-west-3:<redacted>:task/<redacted>",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {
                "AllowedByOrganizations": false
            }
        }
    ]
}
```
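The result above carries more signal than the bare `EvalDecision`: `MatchedStatements` is empty and `OrganizationsDecisionDetail.AllowedByOrganizations` is `false`, which a checker should surface rather than reporting a plain deny. The following added example (not the issue author's code and not part of the checker project) parses the `EvaluationResults` structure exactly as printed in the issue, tags each entry with the reasons a reviewer should look at before trusting the verdict, and marks a result as inconclusive when those tags are present. The sample JSON is constructed from the issue output with the redacted values kept as placeholders; the tag names and the `is_conclusive` rule are this example's own conventions, not AWS or checker identifiers.

```python
"""Interpret `aws iam simulate-principal-policy` output defensively.

Added example; it only parses the JSON the CLI prints and does not call AWS,
so it runs offline against the constructed sample below.
"""
import json

# Constructed sample, copied from the issue with <redacted> placeholders kept.
SAMPLE_OUTPUT = """{
    "EvaluationResults": [
        {
            "EvalActionName": "ecs:ExecuteCommand",
            "EvalResourceName": "arn:aws:ecs:eu-west-3:<redacted>:task/<redacted>",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {
                "AllowedByOrganizations": false
            }
        }
    ]
}"""


def classify_result(result):
    """Return (decision, notes) for one EvaluationResults entry.

    `decision` is the raw EvalDecision string; `notes` lists the conditions
    (tag names chosen for this example) that make the verdict worth a second
    look before a checker reports it as a definite deny.
    """
    notes = []
    decision = result.get("EvalDecision", "unknown")
    org = result.get("OrganizationsDecisionDetail") or {}  # field is optional
    if org.get("AllowedByOrganizations") is False:
        # The simulation's organization-level (SCP) evaluation did not allow
        # the action, independently of the identity policies.
        notes.append("organizations_not_allowed")
    if decision == "implicitDeny" and not result.get("MatchedStatements"):
        # No identity-policy statement matched at all; an AdministratorAccess
        # role would normally match, so this is a red flag for the checker.
        notes.append("no_matching_statement")
    if result.get("MissingContextValues"):
        # Condition keys the simulation could not evaluate; the verdict may
        # change once they are supplied via --context-entries.
        notes.append("missing_context:" + ",".join(result["MissingContextValues"]))
    return decision, notes


def is_conclusive(decision, notes):
    """True when a checker can report the decision as-is.

    An allow is taken at face value; a deny is treated as inconclusive when
    any note suggests the simulation lacked inputs or was gated by SCPs.
    """
    if decision == "allowed":
        return True
    return not notes


def summarize(output_json):
    """Parse CLI JSON and map (action, resource) -> (decision, notes, conclusive)."""
    data = json.loads(output_json)
    summary = {}
    for entry in data.get("EvaluationResults", []):
        decision, notes = classify_result(entry)
        key = (entry["EvalActionName"], entry["EvalResourceName"])
        summary[key] = (decision, notes, is_conclusive(decision, notes))
    return summary


if __name__ == "__main__":
    for (action, resource), (decision, notes, conclusive) in summarize(SAMPLE_OUTPUT).items():
        status = "conclusive" if conclusive else "REVIEW"
        print(f"{action} on {resource}: {decision} [{status}] {notes}")
```

Run against the issue's output, the entry is tagged `organizations_not_allowed` and `no_matching_statement` and reported as needing review; a checker built on this would distinguish "the simulator could not confirm" from "the principal is denied", which is the distinction the issue is asking for.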
