AWS permission relationships: S3 GetObject does not work if `resource` refers to path under bucket
Description:
Say that the permission_relationships.yaml file is:

```yaml
- target_label: S3Bucket
  permissions:
  - S3:GetObject
  relationship_name: CAN_READ
```
and say that we have the following user policy:

```yaml
user: MyUser
Policy:
  resource:
    ["arn:aws:s3:::my-bucket/*"]
  action:
    ["s3:GetObject"]
```
Expectation: We expect an edge to be drawn from the user to the bucket, like

```
(:AWSUser{name:'MyUser'})-[:CAN_READ]->(:S3Bucket{name:'my-bucket'})
```
Actual:
This does not happen: the policy resource ends in `/*`, and the way the string matching in the permission relationship evaluation works, that resource never matches the bucket itself.
`GetObject` refers to object paths under a bucket, so its resource is written as `my-bucket/` or `my-bucket/*` rather than as the bucket alone.
Not sure on the best way to solve. Special casing this just for GetObject feels like it could get unwieldy. Still, worth writing down.
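To make the mismatch concrete, here is an added, stand-alone illustration (not Cartography's own code) of the two matching behaviours: a plain glob match of the statement resource against the bucket ARN, which misses `my-bucket/*`, next to a matcher that also accepts a resource naming a key path under the bucket. The `evaluate` function, the dict shapes and the sample statement are all constructed for this example.

```python
import fnmatch

# Constructed sample input modelled on the report above (not Cartography's own data).
BUCKET_ARN = "arn:aws:s3:::my-bucket"
STATEMENT = {"resource": ["arn:aws:s3:::my-bucket/*"], "action": ["s3:GetObject"]}
MAPPING = {"target_label": "S3Bucket", "permissions": ["S3:GetObject"],
           "relationship_name": "CAN_READ"}


def action_matches(allowed: str, wanted: str) -> bool:
    """IAM action names are case-insensitive and may carry wildcards (s3:Get*)."""
    return fnmatch.fnmatchcase(wanted.lower(), allowed.lower())


def naive_resource_match(pattern: str, target_arn: str) -> bool:
    """Plain glob match of the statement resource against the node's ARN.
    'arn:aws:s3:::my-bucket/*' never matches 'arn:aws:s3:::my-bucket', which is
    the behaviour the report describes."""
    return fnmatch.fnmatchcase(target_arn, pattern)


def object_level_resource_match(pattern: str, target_arn: str) -> bool:
    """Also accept a resource that names a key path under the bucket.

    The part before the first '/' identifies the bucket, so a statement scoped
    to 'arn:aws:s3:::my-bucket/*' (or a narrower prefix such as
    'arn:aws:s3:::my-bucket/logs/*') still yields an edge to the bucket node.
    Caveat: a prefix-scoped grant then shows up at bucket granularity in the
    graph; the key prefix itself is not preserved on the edge."""
    if fnmatch.fnmatchcase(target_arn, pattern):
        return True
    if "/" not in pattern:
        return False
    bucket_part = pattern.split("/", 1)[0]
    return fnmatch.fnmatchcase(target_arn, bucket_part)


def evaluate(statement, mapping, target_arn, resource_match=naive_resource_match):
    """Return the relationship name the statement grants on target_arn, or None."""
    if not any(action_matches(a, p) for a in statement["action"]
               for p in mapping["permissions"]):
        return None
    if not any(resource_match(r, target_arn) for r in statement["resource"]):
        return None
    return mapping["relationship_name"]
```

With the naive matcher `evaluate(STATEMENT, MAPPING, BUCKET_ARN)` returns `None`; with `object_level_resource_match` it returns `"CAN_READ"`.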
- Cartography release version: 0.105.0