Demonstration that AWS IAM policy evaluation docs are incorrect

Overview

The flowchart from the AWS IAM policy evaluation documentation page, as of 2021-09-12, and dating back to at least 2018-12-27, is the following:

Flowchart

The flowchart indicates that an Allow in a resource policy causes a final decision of Allow, before permissions boundaries have a chance to cause an implicit Deny. This would mean a resource policy could unilaterally grant access to a principal, circumventing its permissions boundary. However, this is only partially correct.

Resource policies cannot unilaterally grant access to an IAM role but can unilaterally grant access to particular role sessions, that is, the thing that is created by calling AssumeRole. This is mentioned in the docs here, illustrated with the following diagram, though this information is excluded from subsequent diagrams about SCPs and session policies.

VennDiagram

This is true for assumed role sessions created with AssumeRole (and presumably AssumeRoleWithSAML and AssumeRoleWithWebIdentity), where the principal in the resource policy is the assumed role session ARN, which is retrievable through the GetCallerIdentity API, which does not require permissions.

The documentation is unclear on IAM users. In adjacent paragraphs here, the documentation states:

Within an account, an implicit deny in a permissions boundary does not limit the permissions granted to an IAM user by a resource-based policy.

Within an account, an implicit deny in a permissions boundary does limit the permissions granted to the ARN of the underlying [...] IAM user by the resource-based policy.

It's possible the latter statement about an "IAM user" is actually about a federated user in an IAM role (using a "Federation" principal? Or is this about session for an IAM user through GetFederationToken? What's the behavior with GetSessionToken for an IAM user?

Verification

For an IAM role with a permissions boundary, role policy, and resource policy, none with any Denys, the possible combinations of Allows in the policy have the following results:

Role as resource policy principal

Permissions Boundary Role Policy Resource Policy Result
- - Allow Deny
- Allow Allow Deny
Allow Allow - Allow
Allow - Allow Allow
Allow Allow Allow Allow
Allow - - Deny
- Allow - Deny

Assumed role session as resource policy principal

Permissions Boundary Role Policy Resource Policy Result
- - Allow Allow
- Allow Allow Allow
Allow Allow - Allow
Allow - Allow Allow
Allow Allow Allow Allow
Allow - - Deny
- Allow - Deny

The code in this repo verifies this.

Run pipenv install and then test.py. Use --profile on test.py to make it use a config profile.

This will create a stack named permissions-boundary-test with a role, and managed policy (for the role's permissions boundary), and an S3 bucket. It will run the tests against the stack using the role as the principal in the bucket policy, and then create an assumed role session, update the stack to use the assumed role session as the principal in the bucket policy, and run the tests.

Owner
Ben Kehoe
Cloud Robotics Research Scientist at iRobot | AWS Serverless Hero
Ben Kehoe
Collections of Beautiful Latex Snippets

HandyLatex Collections of Beautiful Latex Snippets Table πŸ‘‰ Succinct table with bold separation line and gray text %################## Dependencies ##

Xintao 15 Apr 11, 2022
The source code that powers readthedocs.org

Welcome to Read the Docs Purpose Read the Docs hosts documentation for the open source community. It supports Sphinx docs written with reStructuredTex

Read the Docs 7.4k Dec 25, 2022
πŸ’― Coolest snippets

nvim-snippets This was originally included in my personal Neovim setup, but I didn't like having all the snippets there so I decided to have them sepa

Eliaz Bobadilla 6 Aug 31, 2022
Material for the ros2 crash course

Material for the ros2 crash course

Emmanuel Dean 1 Jan 22, 2022
Count the number of lines of code in a directory, minus the irrelevant stuff

countloc Simple library to count the lines of code in a directory (excluding stuff like node_modules) Simply just run: countloc node_modules args to

Anish 4 Feb 14, 2022
Python-samples - This project is to help someone need some practices when learning python language

Python-samples - This project is to help someone need some practices when learning python language

Gui Chen 0 Feb 14, 2022
πŸ“š Papers & tech blogs by companies sharing their work on data science & machine learning in production.

applied-ml Curated papers, articles, and blogs on data science & machine learning in production. βš™οΈ Figuring out how to implement your ML project? Lea

Eugene Yan 22.1k Jan 03, 2023
Get link preview of a website.

Preview Link You may have seen a preview of a link with a title, image, domain, and description when you share a link on social media. This preview ha

SREEHARI K.V 8 Jan 08, 2023
πŸ“˜ OpenAPI/Swagger-generated API Reference Documentation

Generate interactive API documentation from OpenAPI definitions This is the README for the 2.x version of Redoc (React-based). The README for the 1.x

Redocly 19.2k Jan 02, 2023
This is a tool to make easier brawl stars modding using csv manipulation

Brawler Maker : Modding Tool for Brawl Stars This is a tool to make easier brawl stars modding using csv manipulation if you want to support me, just

6 Nov 16, 2022
Markdown documentation generator from Google docstrings

mkgendocs A Python package for automatically generating documentation pages in markdown for Python source files by parsing Google style docstring. The

Davide Nunes 44 Dec 18, 2022
Ultimaker Cura 2 Mooraker Upload Plugin

Klipper & Cura - Cura2MoonrakerPlugin Allows you to upload Gcode directly from Cura to your Klipper-based 3D printer (Fluidd, Mainsailos etc.) using t

214 Jan 03, 2023
The Python Dict that's better than heroin.

addict addict is a Python module that gives you dictionaries whose values are both gettable and settable using attributes, in addition to standard ite

Mats Julian Olsen 2.3k Dec 22, 2022
✨ Real-life Data Analysis and Model Training Workshop by Global AI Hub.

πŸŽ“ Data Analysis and Model Training Course by Global AI Hub Syllabus: Day 1 What is Data? Multimedia Structured and Unstructured Data Data Types Data

Global AI Hub 71 Oct 28, 2022
Convert excel xlsx file's table to csv file, A GUI application on top of python/pyqt and other opensource softwares.

Convert excel xlsx file's table to csv file, A GUI application on top of python/pyqt and other opensource softwares.

David A 0 Jan 20, 2022
Automatically open a pull request for repositories that have no CONTRIBUTING.md file

automatic-contrib-prs Automatically open a pull request for repositories that have no CONTRIBUTING.md file for a targeted set of repositories. What th

GitHub 8 Oct 20, 2022
πŸ’»An open-source eBook with 101 Linux commands that everyone should know

This is an open-source eBook with 101 Linux commands that everyone should know. No matter if you are a DevOps/SysOps engineer, developer, or just a Linux enthusiast, you will most likely have to use

Ashfaque Ahmed 0 Oct 29, 2022
Second version of SQL-PYTHON-Practicas

SQLite-Python Acerca de | Autor Sobre el repositorio Segunda version de SQL-PYTHON-Practicas πŸ’» Tecnologias Visual Studio Code Python SQLite3 πŸ“– Requi

1 Jan 06, 2022
Flask-Rebar combines flask, marshmallow, and swagger for robust REST services.

Flask-Rebar Flask-Rebar combines flask, marshmallow, and swagger for robust REST services. Features Request and Response Validation - Flask-Rebar reli

PlanGrid 223 Dec 19, 2022
Near Zero-Overhead Python Code Coverage

Slipcover: Near Zero-Overhead Python Code Coverage by Juan Altmayer Pizzorno and Emery Berger at UMass Amherst's PLASMA lab. About Slipcover Slipcover

PLASMA @ UMass 325 Dec 28, 2022