
Better NotAction Handling

Open · jasonwadsworth opened this issue 4 years ago · 1 comment

I have a policy that includes a statement similar to this:

        {
            "Resource": [
                "arn:aws:lambda:us-west-2:012345678901:function:MyFunctionName*"
            ],
            "NotAction": [
                "lambda:Invoke*"
            ],
            "Effect": "Allow"
        }

This policy is intended to grant access to my CI/CD pipeline to make changes to the function, but not to execute the function. When evaluating this policy I get 10K plus lines of permissions, which are mostly inaccurate due to the resource restriction. Ideally the evaluation would identify the limited resource and only show permissions that can be included. I'd even consider it a huge improvement if it just limited the results by the service(s) of the resource ARN(s).

jasonwadsworth · Nov 22 '21 22:11
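As an added illustration of the fallback the issue proposes (limiting a NotAction statement's result set to the services of its Resource ARNs), here is example code that is not part of aws.permissions.cloud; `SAMPLE_ACTIONS` is a constructed subset of action names standing in for the full IAM catalogue, and `resolve_not_action` / `arn_service` are hypothetical helper names.

```python
import fnmatch

# Constructed subset of IAM action names; a real tool would load the full catalogue.
SAMPLE_ACTIONS = [
    "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration", "lambda:DeleteFunction",
    "lambda:GetFunction", "lambda:InvokeFunction", "lambda:InvokeAsync",
    "lambda:ListFunctions", "s3:GetObject", "iam:PassRole",
]


def _action_matches(pattern, action):
    # IAM action patterns use * and ? and are matched case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def arn_service(arn):
    """Return the service segment of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2].lower()


def resolve_not_action(statement, catalogue):
    """Expand an Allow/NotAction statement into the concrete actions it can grant,
    keeping only actions whose service appears in the statement's Resource ARNs."""
    if statement.get("Effect") != "Allow" or "NotAction" not in statement:
        raise ValueError("expected an Allow statement that uses NotAction")
    not_actions = statement["NotAction"]
    if isinstance(not_actions, str):
        not_actions = [not_actions]
    resources = statement.get("Resource", "*")
    if isinstance(resources, str):
        resources = [resources]
    # A bare "*" resource imposes no service restriction at all.
    services = None if "*" in resources else {arn_service(r) for r in resources}

    allowed = []
    for action in catalogue:
        service = action.split(":", 1)[0].lower()
        if services is not None and service not in services:
            continue  # cannot apply to any listed resource
        if any(_action_matches(p, action) for p in not_actions):
            continue  # explicitly carved out by NotAction
        allowed.append(action)
    return allowed
```

This service-level filter is deliberately the weaker improvement the reporter mentions: it still keeps actions such as `lambda:ListFunctions` that do not support resource-level permissions and therefore cannot actually be granted on a function ARN, so a precise answer also needs per-action resource-type data.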

Great suggestion @jasonwadsworth,

I'll have to do a bit of research on this as I suspect there may be unexpected inclusions under some circumstances. Will let you know.

iann0036 · Nov 23 '21 21:11