False Positives with Deny Actions in IAM Policy #111

Open
marcsantamaria-sky opened this issue Jun 27, 2023 · 1 comment

Comments


marcsantamaria-sky commented Jun 27, 2023

There can be false positives in CFRipper when an IAM policy has specific Actions with a Deny Effect.

The issue seems to be caused by the fact that in "policy_document.py" the Denies are not taken into account.

The function "allowed_actions_with" is not excluding actions that have a Deny Effect.

```python
# Method from pycfmodel's policy_document.py, as quoted in the issue.
# It keeps only Allow statements; it does not subtract actions that a
# Deny statement elsewhere in the same policy revokes.
from typing import List, Pattern

from pycfmodel.model.resources.properties.statement import Statement


def allowed_actions_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all statements which have at least one action with the pattern.
    Arguments:
    pattern: Pattern to match.
    Returns:
    List of [statements][pycfmodel.model.resources.properties.statement.Statement].
    """
    return [
        statement
        for statement in self._statement_as_list()
        if statement.actions_with(pattern) and self._is_statement_effect_allow(statement.Effect)
    ]
```

jsoucheiron (Member) commented

It should be possible to improve this to remove actions when there are equivalent deny statements with the same target resource(s).
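The effective-allow computation the comment above suggests, written out as an added example. This is not pycfmodel or CFRipper code: it is a stand-alone sketch that expands action wildcards against a constructed subset of the IAM action list, collects the (action, resource) pairs Allow statements grant, and then drops any pair that an unconditional Deny revokes on a resource at least as broad as the allowed one. Denies that carry a Condition are deliberately not allowed to cancel anything, since they only apply when the condition holds; NotAction and NotResource are not handled. The sample policy, the action catalogue and the function names are all assumptions made for the example.

```python
"""Effective-allow check for IAM policy documents (added example, not project code).

An explicit Deny in IAM always overrides an Allow, so a scanner that only looks
at Allow statements reports actions the policy never actually grants. This
module shows the naive effect-only check beside a version that subtracts
unconditional Deny statements covering the same resource.
"""
import re
from typing import Any, Dict, Iterable, List, Pattern, Set, Tuple

# Constructed subset of the IAM action list, used to expand wildcards such as
# "s3:*" the way a policy engine would. Real tooling uses the full list.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:ListBucket", "s3:DeleteBucket", "iam:PassRole", "iam:CreateUser",
]


def _as_list(value: Any) -> List[str]:
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _iam_glob(pattern: str, ignore_case: bool) -> Pattern[str]:
    """Compile an IAM wildcard ('*' any run, '?' one char) into an anchored regex.
    Every other character is escaped, so ':' and '/' in ARNs stay literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def expand_actions(actions: Iterable[str]) -> Set[str]:
    """Expand action wildcards against the catalogue; action names are case-insensitive."""
    expanded: Set[str] = set()
    for action in actions:
        regex = _iam_glob(action, ignore_case=True)
        expanded.update(a for a in ACTION_CATALOGUE if regex.match(a))
    return expanded


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return _as_list(policy.get("Statement"))


def naive_allowed_actions(policy: Dict[str, Any], pattern: Pattern[str]) -> Set[Tuple[str, str]]:
    """Effect-only check: every (action, resource) pair from Allow statements whose
    action matches `pattern`. Deny statements are ignored, hence the false positives."""
    found: Set[Tuple[str, str]] = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in expand_actions(_as_list(stmt.get("Action"))):
            if pattern.match(action):
                for resource in _as_list(stmt.get("Resource")):
                    found.add((action, resource))
    return found


def _unconditional_denies(policy: Dict[str, Any]) -> List[Tuple[Set[str], List[Pattern[str]]]]:
    """Unconditional Deny statements as (expanded actions, compiled resource globs).
    A Deny with a Condition only applies when the condition holds, so it is skipped;
    that keeps the check conservative (no false negatives)."""
    denies = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue
        actions = expand_actions(_as_list(stmt.get("Action")))
        resources = [_iam_glob(r, ignore_case=False) for r in _as_list(stmt.get("Resource"))]
        denies.append((actions, resources))
    return denies


def effectively_allowed_actions(policy: Dict[str, Any], pattern: Pattern[str]) -> Set[Tuple[str, str]]:
    """Allowed pairs matching `pattern` that no unconditional Deny revokes on a
    resource glob covering the allowed resource (a Deny on "*" covers everything)."""
    denies = _unconditional_denies(policy)
    result: Set[Tuple[str, str]] = set()
    for action, resource in naive_allowed_actions(policy, pattern):
        denied = any(action in actions and any(r.match(resource) for r in resources)
                     for actions, resources in denies)
        if not denied:
            result.add((action, resource))
    return result


# Constructed sample policy: one broad Allow and three Deny statements of different kinds.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Unconditional Deny on the same resource: cancels s3:DeleteObject.
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Deny on a different resource: must not cancel anything on example-bucket.
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::other-bucket/*"},
        # Conditional Deny: only applies when the condition holds, so must not cancel.
        {"Effect": "Deny", "Action": "s3:DeleteObjectVersion", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

DESTRUCTIVE = re.compile(r"^s3:(Delete|Put)")  # the kind of pattern a scanner rule would use

if __name__ == "__main__":
    print("naive    :", sorted(naive_allowed_actions(SAMPLE_POLICY, DESTRUCTIVE)))
    print("effective:", sorted(effectively_allowed_actions(SAMPLE_POLICY, DESTRUCTIVE)))
```

On the sample policy the naive check reports s3:DeleteObject on the bucket even though the policy explicitly denies it; the effective check drops that pair and keeps s3:PutObject (the Deny targets another bucket), s3:DeleteObjectVersion (the Deny is conditional) and s3:DeleteBucket. Only a Deny whose resource glob covers the allowed resource cancels it, so a Deny on a narrower prefix leaves the Allow, and the finding, in place.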
