
Permission boundaries not considered when querying

Open nimaft opened this issue 2 years ago • 0 comments

Question

I have a role with administrative privileges (let's call it privileged-role) and it has a permission boundary attached to it denying iam actions. However, when I run the following query: pmapper --account ACC# query -s 'who can do iam:*' I get results like this:

role/rdkLambdaRole-KOQRA8051N84 CAN call action iam:* for resource * THRU role/privileged-role
   role/rdkLambdaRole-KOQRA8051N84 can access via sts:AssumeRole role/cdk-hnb659fds-deploy-role 
   role/cdk-hnb659fds-deploy-role can create a stack in CloudFormation to access role/privileged-role
   role/privileged-role IS authorized to call action iam:* for resource *

I also tried using conditions to take permission boundaries into account, but the results are the same. Sample query: pmapper --account ACC# query -s 'who can do iam:* with * when iam:PermissionsBoundary=arn:aws:iam::ACC#:policy/perm_boundary'

Did the Wiki Have an Answer?

I did not find any answers in the Wiki. Not a lot of information can be found on using conditions with queries. I'd add the answer in "Query Reference".

nimaft avatar Dec 19 '22 23:12 nimaft
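The behaviour the report describes hinges on how a permissions boundary works: it never grants anything, it only caps what the identity policies can grant, so an action is effective only if the identity policy allows it AND the boundary allows it (and nothing explicitly denies it). The following is an added illustration, not PMapper's code and not the reporter's setup, that evaluates that intersection for a principal; the policy documents (ADMIN_POLICY, PERM_BOUNDARY, NARROW_BOUNDARY) are constructed samples, and the evaluator deliberately ignores conditions, resource policies, SCPs and NotAction/NotResource.

```python
"""Simplified IAM effective-permission check that honours permissions boundaries.

Added example, not PMapper's code. Models only identity policies and the
boundary; no conditions, resource policies, SCPs, NotAction or NotResource.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.

    Action names are case-insensitive in IAM, so compare in lower case;
    resource ARNs are compared case-sensitively.
    """
    action_ok = any(fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document.

    An explicit Deny wins over any Allow in the same document.
    """
    decision = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_authorized(identity_policies, action, resource, boundary=None):
    """Effective decision for a principal: identity policies AND boundary.

    The boundary only limits; it cannot add permissions. A boundary that is
    silent about an action ('Implicit') is as restrictive as a Deny.
    """
    identity = [policy_decision(p, action, resource) for p in identity_policies]
    if "Deny" in identity or "Allow" not in identity:
        return False
    if boundary is None:
        return True
    return policy_decision(boundary, action, resource) == "Allow"


# Constructed sample policies (hypothetical, not from the report).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Boundary that permits everything except IAM actions.
PERM_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

# Boundary that only lists S3: anything else is implicitly outside it.
NARROW_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}


if __name__ == "__main__":
    for action in ("iam:CreateUser", "s3:GetObject", "ec2:RunInstances"):
        print(action,
              "no boundary:", is_authorized([ADMIN_POLICY], action, "*"),
              "perm_boundary:", is_authorized([ADMIN_POLICY], action, "*", PERM_BOUNDARY),
              "narrow:", is_authorized([ADMIN_POLICY], action, "*", NARROW_BOUNDARY))
```

Running the block shows the gap a boundary-unaware graph search would miss: the admin identity policy alone says yes to iam:CreateUser, but with PERM_BOUNDARY attached the effective answer is no, and with NARROW_BOUNDARY only S3 actions survive. When auditing reachability of a privileged role, the boundary attached to that role has to be folded into its node's permissions, not just the identity policies.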