Dependent actions allow broader permissions with wildcard #382
Labels: bug (Something isn't working)
Comments
knastase changed the title from "Dependent actions allow broader permissions with wildcard" to "Dependant actions allow broader permissions with wildcard" on Dec 29, 2021
knastase changed the title from "Dependant actions allow broader permissions with wildcard" to "Dependent actions allow broader permissions with wildcard" on Dec 29, 2021
@knasty51 - right on! Would you mind sending that remediation in as a PR? thanks so much for all of your contributions recently - you rock!
1st attempt - #395
I am not sure if this was a conscious design decision or not. Dependent actions are always added with wildcards (*) and this may not be the expected behavior.
Example
When generating a policy document for write actions on a KMS key ARN, the dependent actions are added as wildcards, which could lead to granting more permissions than anticipated.
kms:ReplicateKey is a write action that is added when I specify a key ARN (as designed). Two of its dependent actions are kms:CreateKey and kms:PutKeyPolicy.
I understand kms:CreateKey has no resource requirements and is added as a wildcard. kms:PutKeyPolicy, on the other hand, CAN take a key ARN as a resource constraint but is indiscriminately added as a wildcard action as well. This leads to the generated policy being able to put a key policy on any KMS key (if a key has the default key policy or an overly permissive one).
Observed behavior
Expected behavior
Possible remediation
I attempted to add a bit of code to writing/sid_group.py to add the dependent action to the same SID as the other actions if they share the same resource constraint (but are part of a different access_level).
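The following is an added example, not code from the policy_sentry project or from the issue author. It is a small, self-contained model of the behaviour the report describes and of the proposed remediation: the reported behaviour puts every dependent action into a Resource "*" statement, while the remediated path folds a dependent action into the ARN-scoped statement when it accepts the same resource type as the requested ARN, leaving only genuinely resource-less actions (kms:CreateKey) on "*". The action metadata table, the function names (build_statements, wildcard_actions, resource_type_of) and the key ARN are constructed for the example and are not policy_sentry's API; the dependent-action relationships are taken from the issue text.

```python
"""Constructed mini-model (not policy_sentry's own code) of folding dependent
actions into an ARN-scoped statement instead of a blanket wildcard statement.

Assumptions: the ACTION_TABLE below is hand-built from the three KMS actions
named in the issue; function names are hypothetical and do not exist in
policy_sentry.
"""
import json

# Constructed metadata: action -> resource types it accepts, and its dependent actions.
# An empty resource-type set means the action can only ever be granted on "*".
ACTION_TABLE = {
    "kms:ReplicateKey": {"resources": {"key"}, "dependent": ["kms:CreateKey", "kms:PutKeyPolicy"]},
    "kms:CreateKey":    {"resources": set(),   "dependent": []},
    "kms:PutKeyPolicy": {"resources": {"key"}, "dependent": []},
}

# Constructed (fake) key ARN used as the requested resource.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def resource_type_of(arn):
    """Minimal ARN -> resource-type mapping for this example only."""
    if arn.startswith("arn:aws:kms:") and ":key/" in arn:
        return "key"
    return None


def build_statements(action, arn, fold_dependents):
    """Return the Statement list for one action requested against one ARN.

    fold_dependents=False reproduces the reported behaviour: every dependent
    action lands in a Resource "*" statement, including kms:PutKeyPolicy.
    fold_dependents=True applies the remediation from the issue: a dependent
    action that accepts the same resource type as the requested ARN joins the
    ARN-scoped statement; only resource-less dependents stay on "*".
    """
    rtype = resource_type_of(arn)
    scoped = {"Effect": "Allow", "Action": [action], "Resource": [arn]}
    unconstrained = []
    for dep in ACTION_TABLE[action]["dependent"]:
        if fold_dependents and rtype in ACTION_TABLE[dep]["resources"]:
            scoped["Action"].append(dep)
        else:
            unconstrained.append(dep)
    statements = [scoped]
    if unconstrained:
        statements.append({"Effect": "Allow", "Action": sorted(unconstrained), "Resource": ["*"]})
    return statements


def wildcard_actions(statements):
    """The check a reviewer wants: which actions ended up unconstrained on "*"."""
    out = set()
    for stmt in statements:
        if stmt["Resource"] == ["*"]:
            out.update(stmt["Action"])
    return out


if __name__ == "__main__":
    for fold in (False, True):
        doc = {"Version": "2012-10-17",
               "Statement": build_statements("kms:ReplicateKey", KEY_ARN, fold)}
        print("fold_dependents =", fold)
        print(json.dumps(doc, indent=2))
        print("unconstrained actions:", sorted(wildcard_actions(doc["Statement"])))
```

Running the block prints both policy documents; with folding enabled, kms:PutKeyPolicy is constrained to the requested key ARN and only kms:CreateKey remains on "*", which is the outcome the issue argues for.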