
JsonDocumentFields does not support NotAction when parsing organization-level service control policies

Open jkoe-r7 opened this issue 5 years ago • 3 comments

Describe the bug

When parsing an org-level SCP using Policy.fromJson(), the policy id, effect, resource, and condition fields are parsed correctly but the NotAction field is not picked up because it is not in the list of JsonDocumentFields constants.

Expected Behavior

{"Version":"2012-10-17","Statement":[{"Sid":"LimitActions","Effect":"Deny","NotAction":["ec2:*","organizations:*","sts:*"],"Resource":"*","Condition":{"StringNotEquals":{"aws:RequestedRegion":"us-east-1"}}}]}

after being parsed into a Policy object and then serialized back into JSON should contain the same NotAction values instead of omitting them like so:

{"Version":"2012-10-17","Statement":[{"Sid":"RequireInEuWest1","Effect":"Deny","Resource":["*"],"Condition":{"StringNotEquals":{"aws:RequestedRegion":["us-east-1"]}}}]}

Current Behavior

{"Version":"2012-10-17","Statement":[{"Sid":"LimitActions","Effect":"Deny","NotAction":["ec2:*","organizations:*","sts:*"],"Resource":"*","Condition":{"StringNotEquals":{"aws:RequestedRegion":"us-east-1"}}}]}

is transformed into ->

{"Version":"2012-10-17","Statement":[{"Sid":"RequireInEuWest1","Effect":"Deny","Resource":["*"],"Condition":{"StringNotEquals":{"aws:RequestedRegion":["us-east-1"]}}}]}

Steps to Reproduce

Create an org-level service control policy with a Deny statement that contains the NotAction field. Call Policy.fromJson() on a String containing the policy text, then call Policy.toJson() to see what the output is and if it is identical.

Possible Solution

Either include parsing of the NotAction field in the fromJson parser/JsonDocumentFields constants, or provide a separate parser specifically for parsing org-level policies, which can have the NotAction field.

Context

I'm trying to see how much access service control policies will allow a specific IAM role before using the role to perform actions.

Your Environment

  • AWS Java SDK version used: 1.11.774
  • JDK version used: 1.8
  • Operating System and version:

jkoe-r7, May 19 '20 02:05

@jkoe-r7 thank you for reporting this, I was able to reproduce. It's funny that NotResource is implemented, but NotAction and NotPrincipal elements are not.

debora-ito, May 22 '20 04:05

I'm also facing this and it's quite misleading, for example if someone automates stuff and checks for empty action, then a policy may be giving a lot of permissions due to "NotAction" not being picked up but may seem otherwise.

karanb192, Aug 18 '20 15:08
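The round-trip in the report and the "empty action list" trap in the previous comment can be checked with the same guard. The following is an added example, not code from the reporter or from the SDK: it parses a policy with Policy.fromJson(), serializes it back with toJson(), and diffs the element names of each statement before and after so that any silently dropped element (NotAction, NotPrincipal, or anything else) is reported instead of being mistaken for a statement that matches nothing. The sample SCP is constructed for this example (the "*" wildcards are assumed; GitHub's markdown rendering stripped them from the post), and the use of Jackson's ObjectMapper assumes it is on the classpath, as it is with aws-java-sdk-core 1.11.x.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Statement;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ScpRoundTripCheck {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed sample SCP (assumption: same shape as the policy in the report,
    // with the "*" wildcards that markdown rendering removed restored).
    static final String SAMPLE_SCP =
        "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"LimitActions\",\"Effect\":\"Deny\","
        + "\"NotAction\":[\"ec2:*\",\"organizations:*\",\"sts:*\"],\"Resource\":\"*\","
        + "\"Condition\":{\"StringNotEquals\":{\"aws:RequestedRegion\":\"us-east-1\"}}}]}";

    // Elements this issue reports the SDK as not modelling; an empty action list on a
    // Statement that originally carried one of these is NOT "matches nothing".
    static final Set<String> UNSUPPORTED =
        new LinkedHashSet<>(Arrays.asList("NotAction", "NotPrincipal"));

    /** Element names present in one JSON statement object. */
    static Set<String> elementNames(JsonNode statement) {
        Set<String> names = new LinkedHashSet<>();
        for (Iterator<String> it = statement.fieldNames(); it.hasNext();) {
            names.add(it.next());
        }
        return names;
    }

    /** "Statement" may be a single object or an array in IAM JSON; normalise to a list. */
    static List<JsonNode> statementsOf(JsonNode policy) {
        List<JsonNode> out = new ArrayList<>();
        JsonNode s = policy.get("Statement");
        if (s == null) {
            return out;
        }
        if (s.isArray()) {
            for (JsonNode n : s) {
                out.add(n);
            }
        } else {
            out.add(s);
        }
        return out;
    }

    /**
     * Round-trips the document through Policy.fromJson()/toJson() and returns, per
     * statement index, the element names that were present in the input but are
     * missing from the output. Any non-empty entry means the Policy object is a
     * lossy model of the document and must not be used to reason about access.
     */
    static List<Set<String>> droppedElements(String policyJson) throws Exception {
        Policy parsed = Policy.fromJson(policyJson);
        List<JsonNode> before = statementsOf(MAPPER.readTree(policyJson));
        List<JsonNode> after = statementsOf(MAPPER.readTree(parsed.toJson()));
        List<Set<String>> dropped = new ArrayList<>();
        for (int i = 0; i < before.size(); i++) {
            Set<String> missing = new LinkedHashSet<>(elementNames(before.get(i)));
            if (i < after.size()) {
                missing.removeAll(elementNames(after.get(i)));
            }
            dropped.add(missing);
        }
        return dropped;
    }

    public static void main(String[] args) throws Exception {
        List<Set<String>> dropped = droppedElements(SAMPLE_SCP);
        // getStatements() returns a Collection in SDK v1; copy it to index by position.
        List<Statement> statements = new ArrayList<>(Policy.fromJson(SAMPLE_SCP).getStatements());
        for (int i = 0; i < statements.size(); i++) {
            Statement st = statements.get(i);
            Set<String> missing = i < dropped.size() ? dropped.get(i) : Collections.<String>emptySet();
            System.out.printf("statement %d (%s): effect=%s actions=%d dropped=%s%n",
                i, st.getId(), st.getEffect(), st.getActions().size(), missing);
            // A Deny with NotAction denies everything except the listed actions, so an
            // empty getActions() here hides a very broad statement rather than an inert one.
            if (st.getActions().isEmpty() && !Collections.disjoint(missing, UNSUPPORTED)) {
                System.out.println("  WARNING: NotAction/NotPrincipal dropped; do not evaluate access from this Statement");
            }
        }
        // Fail loudly rather than let automation reason about a lossy model.
        for (Set<String> missing : dropped) {
            if (!missing.isEmpty()) {
                throw new IllegalStateException("Policy.fromJson() dropped elements: " + dropped);
            }
        }
    }
}
```

With the SDK version in the report, the check throws because the first statement loses NotAction; once the SDK models the element (or when run against a policy that only uses Action), droppedElements() returns empty sets and the run completes. Comparing element names rather than full values is deliberate: toJson() legitimately rewrites a scalar "Resource":"*" as ["*"], and that normalisation should not be reported as loss.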

I'm facing this problem as well, any idea on timeline to fix bug or a work around?

ShutUpChips15, Jan 05 '22 02:01