amazon-ecs-exec-checker
Checker IAM evaluation is not correct
IAM evaluation relies on aws iam simulate-principal-policy, but I have noticed that this can give surprising/false results.
For instance, I'm using a role with the AdministratorAccess managed policy attached to it, and the simulator returns implicitDeny!!
> aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<redacted>:role/<redacted> --action-names ecs:ExecuteCommand --resource-arns arn:aws:ecs:eu-west-3:<redacted>:task/<redacted> --profile <redacted>
{
    "EvaluationResults": [
        {
            "EvalActionName": "ecs:ExecuteCommand",
            "EvalResourceName": "arn:aws:ecs:eu-west-3:<redacted>:task/<redacted>",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {
                "AllowedByOrganizations": false
            }
        }
    ]
}
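One way to avoid reading the simulator's bare "implicitDeny" as proof that the role lacks ecs:ExecuteCommand is to classify each evaluation result before drawing a conclusion. This is an added example, not code from amazon-ecs-exec-checker; the account and task IDs in the embedded sample are placeholders, and the verdict labels are this example's own.

```python
import json

# Constructed sample modelled on the response quoted in this issue; the
# account ID and task ID are placeholders, not real identifiers.
SAMPLE_RESPONSE = """
{
  "EvaluationResults": [
    {
      "EvalActionName": "ecs:ExecuteCommand",
      "EvalResourceName": "arn:aws:ecs:eu-west-3:111122223333:task/EXAMPLETASK",
      "EvalDecision": "implicitDeny",
      "MatchedStatements": [],
      "MissingContextValues": [],
      "OrganizationsDecisionDetail": {"AllowedByOrganizations": false}
    }
  ]
}
"""


def interpret_evaluation(result: dict) -> dict:
    """Classify one EvaluationResults entry from simulate-principal-policy.

    An implicitDeny with no matched identity statements and
    AllowedByOrganizations=false says nothing about the role's own
    policies (an AdministratorAccess role lands here in the issue), so it is
    reported as inconclusive rather than as a missing permission.
    """
    decision = result.get("EvalDecision")
    matched = result.get("MatchedStatements", [])
    missing = result.get("MissingContextValues", [])
    org_allowed = result.get("OrganizationsDecisionDetail", {}).get("AllowedByOrganizations")

    if decision == "allowed":
        verdict = "allowed"
    elif decision == "explicitDeny":
        verdict = "denied-by-policy"
    elif decision == "implicitDeny" and not matched and org_allowed is False:
        verdict = "inconclusive-organizations"
    elif missing:
        verdict = "inconclusive-missing-context"
    else:
        verdict = "denied-no-matching-allow"
    return {"action": result.get("EvalActionName"), "decision": decision,
            "matched_statements": len(matched), "org_allowed": org_allowed,
            "missing_context": list(missing), "verdict": verdict}


def interpret_response(raw_json: str) -> list:
    """Interpret every evaluation result in a raw CLI response."""
    return [interpret_evaluation(r) for r in json.loads(raw_json)["EvaluationResults"]]
```

Only an "allowed" verdict with matched statements supports a positive claim; the two inconclusive verdicts mean the simulator output needs a second look rather than a failing check.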