
Cannot parse IAM NotResource element

Open Sopitoro opened this issue 2 years ago • 0 comments

Pacu expects the IAM policy blocks to always have the structure Effect, Action, Resource. But AWS allows a different definition of which resources are affected: the NotResource definition (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html). For Pacu this always ends in a KeyError, since the key Resource that Pacu expects and needs to function does not exist.

The error log looks like this:

```
Traceback (most recent call last):
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 1716, in run_gui
    self.idle()
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 1598, in idle
    self.idle()
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 1598, in idle
    self.idle()
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 1598, in idle
    self.idle()
  [Previous line repeated 15 more times]
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 1596, in idle
    self.parse_command(command)
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 643, in parse_command
    self.parse_exec_module_command(command)
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 786, in parse_exec_module_command
    self.exec_module(command)
  File "/home/.local/lib/python3.7/site-packages/pacu/main.py", line 996, in exec_module
    summary_data = module.main(command[2:], self)
  File "/home/.local/lib/python3.7/site-packages/pacu/modules/iam__enum_permissions/main.py", line 256, in main
    role = parse_attached_policies(client, attached_policies, role)
  File "/home/.local/lib/python3.7/site-packages/pacu/modules/iam__enum_permissions/main.py", line 498, in parse_attached_policies
    user = parse_document(document, user)
  File "/home/.local/lib/python3.7/site-packages/pacu/modules/iam__enum_permissions/main.py", line 635, in parse_document
    if isinstance(statement['Resource'], list):
<class 'KeyError'>: 'Resource'
```

And our IAM policy block that causes this is:

```json
{
    "Action": [
        "s3:GetObject*",
        "s3:PutObject*",
        "s3:DeleteObject*"
    ],
    "Effect": "Deny",
    "NotResource": [
        "arn:aws:s3::xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ]
},
```

Sopitoro, Apr 12 '22 09:04
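The bug the issue reports is a statement parser that indexes `statement['Resource']` directly, when IAM requires exactly one of `Resource` / `NotResource` (and, by the same rule, one of `Action` / `NotAction`), each of which may be a bare string or a list. The following is an added example, not Pacu's code and not something from the reporter: a small normaliser that reads whichever variant is present and records whether it is negated, plus a minimal identity-policy evaluator that shows why the distinction matters (a Deny with `NotResource` applies to everything *except* the listed ARNs, so treating it like `Resource` would invert the permission). The sample policy, bucket name and second statement are constructed for this example; the redacted ARN from the issue is replaced with an assumed one. Condition, Principal and resource-based policies are deliberately out of scope.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample policy (an assumption for this example, not from the issue):
# a broad Allow, then a Deny of object read/write/delete on everything EXCEPT
# one bucket, expressed with NotResource exactly as the reporter's policy does.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Action": ["s3:GetObject*", "s3:PutObject*", "s3:DeleteObject*"],
            "Effect": "Deny",
            "NotResource": ["arn:aws:s3:::example-bucket/*"],
        },
    ],
})


def _as_list(value: Any) -> List[str]:
    """IAM lets string-valued elements appear bare or as a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style pattern match: '*' matches any run of characters, '?' exactly one.
    Comparison is case-insensitive, which is how IAM compares action names."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def normalize_statement(statement: Dict[str, Any]) -> Dict[str, Any]:
    """Return a statement in one fixed shape whichever of the Action/NotAction and
    Resource/NotResource pairs the policy author used.

    Indexing statement['Resource'] directly raises KeyError on the NotResource
    form (the traceback in the issue); here the present key is chosen and the
    negation is kept as a flag so later logic cannot silently drop it.
    """
    if ("Resource" in statement) == ("NotResource" in statement):
        raise ValueError("statement must have exactly one of Resource / NotResource")
    if ("Action" in statement) == ("NotAction" in statement):
        raise ValueError("statement must have exactly one of Action / NotAction")
    action_key = "NotAction" if "NotAction" in statement else "Action"
    resource_key = "NotResource" if "NotResource" in statement else "Resource"
    return {
        "Effect": statement["Effect"],
        "Actions": _as_list(statement[action_key]),
        "ActionNegated": action_key == "NotAction",
        "Resources": _as_list(statement[resource_key]),
        "ResourceNegated": resource_key == "NotResource",
    }


def statement_applies(norm: Dict[str, Any], action: str, resource: str) -> bool:
    """True if the normalised statement covers this action/resource pair.
    A Not* element matches when NONE of its patterns match."""
    action_hit = any(_wildcard_match(p, action) for p in norm["Actions"])
    resource_hit = any(_wildcard_match(p, resource) for p in norm["Resources"])
    if norm["ActionNegated"]:
        action_hit = not action_hit
    if norm["ResourceNegated"]:
        resource_hit = not resource_hit
    return action_hit and resource_hit


def evaluate(policy_json: str, action: str, resource: str) -> str:
    """Identity-policy-only decision: explicit Deny wins, then Allow, else implicit deny.
    Condition, Principal, SCPs and resource policies are ignored (out of scope here)."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    decision = "ImplicitDeny"
    for raw in statements:
        norm = normalize_statement(raw)
        if not statement_applies(norm, action, resource):
            continue
        if norm["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for res in ("arn:aws:s3:::example-bucket/key", "arn:aws:s3:::other-bucket/key"):
        print(res, "->", evaluate(SAMPLE_POLICY, "s3:GetObject", res))
```

Run against the sample, `s3:GetObject` on `example-bucket` is allowed while the same call on any other bucket is denied; a parser that had read `NotResource` as if it were `Resource` would report the opposite, which for a permission-enumeration module is worse than the crash.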