
AWS provider tag actions not tracked

Open chrodriguez opened this issue 1 year ago • 1 comments

Hi, first of all, I need to say this project is awesome! I've always wondered how to solve writing least privilege policies until I met iamlive. Thanks for writing this useful tool.

I've been working in many scenarios tracking policies within AWS while running terraform. All actions are correctly tracked, but when I've assumed a role with the generated policy, I've always gotten errors when trying to tag objects. No matter which object is tagged, these actions seem not to be tracked. For example, creating a role using terraform with this resource:

```hcl
resource "aws_iam_role" "xxxxxx" {
  name = "SomeRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {.... },
    ]
  })

  tags = {
    Name = "SomeRoleTag"
  }
}
```

When run using terraform, the iam:TagRole action is not tracked.

Thanks in advance

chrodriguez avatar Nov 07 '23 12:11 chrodriguez

Hey @chrodriguez,

Thanks for raising!

This is certainly a dataset issue, specifically that the tagging permission is conditional on the presence of fields, which needs some pretty detailed analysis that's not yet done. I've defined the structure for this but am yet to write up the full mappings.

It's coming, but fair warning it'll take some time. You'll unfortunately need to tweak your output policy manually in the interim.

iann0036 avatar Nov 07 '23 12:11 iann0036
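One way to do the interim manual tweak the maintainer mentions is to post-process the generated policy: wherever iamlive recorded a create action for a resource that terraform applied with `tags`, add the matching tag action that AWS also authorizes on that request. This is an added example, not code from iamlive or from either participant; the sample policy is constructed, and the iam:CreateUser / iam:CreatePolicy pairings are assumed extensions of the iam:CreateRole / iam:TagRole case from this issue.

```python
import json
from copy import deepcopy

# Constructed sample of what iamlive emits for the terraform aws_iam_role apply
# in this issue: iam:CreateRole is recorded, iam:TagRole is missing.
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:GetRole"], "Resource": "*"}
    ],
}

# Create action -> tag action that AWS evaluates when the create request carries
# tags. The iam:CreateRole pairing is the one from this issue; the other two are
# assumed extensions in the same pattern.
TAG_ON_CREATE = {
    "iam:CreateRole": "iam:TagRole",
    "iam:CreateUser": "iam:TagUser",
    "iam:CreatePolicy": "iam:TagPolicy",
}


def add_tagging_actions(policy, resources_have_tags=True):
    """Return a copy of the policy with tag actions added beside each create action.

    Only Allow statements are touched, and nothing is added when the terraform
    resources carry no tags, so the policy stays as tight as the recorded calls.
    """
    patched = deepcopy(policy)
    if not resources_have_tags:
        return patched
    for stmt in patched["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # a single action may be written as a string
            actions = [actions]
        for action in list(actions):
            tag_action = TAG_ON_CREATE.get(action)
            if tag_action and tag_action not in actions:
                actions.append(tag_action)
        stmt["Action"] = actions
    return patched


if __name__ == "__main__":
    print(json.dumps(add_tagging_actions(GENERATED_POLICY), indent=2))
```

Re-run the terraform apply under the patched policy to confirm the tag error is gone, and drop the added action again once the dataset fix lands.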