Demonstration that AWS IAM policy evaluation docs are incorrect

Overview

The flowchart from the AWS IAM policy evaluation documentation page, as of 2021-09-12, and dating back to at least 2018-12-27, is the following:

Flowchart

The flowchart indicates that an Allow in a resource policy causes a final decision of Allow, before permissions boundaries have a chance to cause an implicit Deny. This would mean a resource policy could unilaterally grant access to a principal, circumventing its permissions boundary. However, this is only partially correct.

Resource policies cannot unilaterally grant access to an IAM role but can unilaterally grant access to particular role sessions, that is, the thing that is created by calling AssumeRole. This is mentioned in the docs here, illustrated with the following diagram, though this information is excluded from subsequent diagrams about SCPs and session policies.

VennDiagram

This is true for assumed role sessions created with AssumeRole (and presumably AssumeRoleWithSAML and AssumeRoleWithWebIdentity), where the principal in the resource policy is the assumed role session ARN, which is retrievable through the GetCallerIdentity API, which does not require permissions.

The documentation is unclear on IAM users. In adjacent paragraphs here, the documentation states:

Within an account, an implicit deny in a permissions boundary does not limit the permissions granted to an IAM user by a resource-based policy.

Within an account, an implicit deny in a permissions boundary does limit the permissions granted to the ARN of the underlying [...] IAM user by the resource-based policy.

It's possible the latter statement about an "IAM user" is actually about a federated user in an IAM role (using a "Federation" principal? Or is this about session for an IAM user through GetFederationToken? What's the behavior with GetSessionToken for an IAM user?

Verification

For an IAM role with a permissions boundary, role policy, and resource policy, none with any Denys, the possible combinations of Allows in the policy have the following results:

Role as resource policy principal

Permissions Boundary Role Policy Resource Policy Result
- - Allow Deny
- Allow Allow Deny
Allow Allow - Allow
Allow - Allow Allow
Allow Allow Allow Allow
Allow - - Deny
- Allow - Deny

Assumed role session as resource policy principal

Permissions Boundary Role Policy Resource Policy Result
- - Allow Allow
- Allow Allow Allow
Allow Allow - Allow
Allow - Allow Allow
Allow Allow Allow Allow
Allow - - Deny
- Allow - Deny

The code in this repo verifies this.

Run pipenv install and then test.py. Use --profile on test.py to make it use a config profile.

This will create a stack named permissions-boundary-test with a role, and managed policy (for the role's permissions boundary), and an S3 bucket. It will run the tests against the stack using the role as the principal in the bucket policy, and then create an assumed role session, update the stack to use the assumed role session as the principal in the bucket policy, and run the tests.

Owner
Ben Kehoe
Cloud Robotics Research Scientist at iRobot | AWS Serverless Hero
Ben Kehoe
30 Days of google cloud leaderboard website

30 Days of Cloud Leaderboard This is a leaderboard for the students of Thapar, Patiala who are participating in the 2021 30 days of Google Cloud Platf

Developer Student Clubs TIET 13 Aug 25, 2022
Essential Document Generator

Essential Document Generator Dead Simple Document Generation Whether it's testing database performance or a new web interface, we've all needed a dead

Shane C Mason 59 Nov 11, 2022
My solutions to the Advent of Code 2021 problems in Go and Python 🎄

🎄 Advent of Code 2021 🎄 Summary Advent of Code is an annual Advent calendar of programming puzzles. This year I am doing it in Go and Python. Runnin

Orfeas Antoniou 16 Jun 16, 2022
A tutorial for people to run synthetic data replica's from source healthcare datasets

Synthetic-Data-Replica-for-Healthcare Description What is this? A tailored hands-on tutorial showing how to use Python to create synthetic data replic

11 Mar 22, 2022
Sphinx Bootstrap Theme

Sphinx Bootstrap Theme This Sphinx theme integrates the Bootstrap CSS / JavaScript framework with various layout options, hierarchical menu navigation

Ryan Roemer 584 Nov 16, 2022
A Json Schema Generator

JSON Schema Generator Author : Eru Michael About A Json Schema Generator. This is a generic program that: Reads a JSON file similar to what's present

1 Nov 10, 2021
SqlAlchemy Flask-Restful Swagger Json:API OpenAPI

SAFRS: Python OpenAPI & JSON:API Framework Overview Installation JSON:API Interface Resource Objects Relationships Methods Custom Methods Class Method

Thomas Pollet 361 Nov 16, 2022
An open-source script written in python just for fun

Owersite Owersite is an open-source script written in python just for fun. It do

大きなペニスを持つ少年 7 Sep 21, 2022
Generates, filters, parses, and cleans data regarding the financial disclosures of judges in the American Judicial System

This repository contains code that gets data regarding financial disclosures from the Court Listener API main.py: contains driver code that interacts

Ali Rastegar 2 Aug 06, 2022
Documentation of the QR code found on new Austrian ID cards.

Austrian ID Card QR Code This document aims to be a complete documentation of the format used in the QR area on the back of new Austrian ID cards (Per

Gabriel Huber 9 Dec 12, 2022
300+ Python Interview Questions

300+ Python Interview Questions

Pradeep Kumar 1.1k Jan 02, 2023
Plover jyutping - Plover plugin for Jyutping input

Plover plugin for Jyutping Installation Navigate to the repo directory: cd plove

Samuel Lo 1 Mar 17, 2022
A repository of links with advice related to grad school applications, research, phd etc

A repository of links with advice related to grad school applications, research, phd etc

Shaily Bhatt 946 Dec 30, 2022
Python bindings to OpenSlide

OpenSlide Python OpenSlide Python is a Python interface to the OpenSlide library. OpenSlide is a C library that provides a simple interface for readin

OpenSlide 297 Dec 21, 2022
Members: Thomas Longuevergne Program: Network Security Course: 1DV501 Date of submission: 2021-11-02

Mini-project report Members: Thomas Longuevergne Program: Network Security Course: 1DV501 Date of submission: 2021-11-02 Introduction This project was

1 Nov 08, 2021
A Python Package To Generate Strong Passwords For You in Your Projects.

shPassGenerator Version 1.0.6 Ready To Use Developed by Shervin Badanara (shervinbdndev) on Github Language and technologies used in This Project Work

Shervin 11 Dec 19, 2022
Gtech μLearn Sample_bot

Ser_bot Gtech μLearn Sample_bot Do Greet a newly joined member in a channel (random message) While adding a reaction to a message send a message to a

Jerin Paul 1 Jan 19, 2022
advance python series: Data Classes, OOPs, python

Working With Pydantic - Built-in Data Process ========================== Normal way to process data (reading json file): the normal princiople, it's f

Phung Hưng Binh 1 Nov 08, 2021
🐱‍🏍 A curated list of awesome things related to Hugo themes.

awesome-hugo-themes Automated deployment @ 2021-10-12 06:24:07 Asia/Shanghai &sorted=updated Theme Author License GitHub Stars Updated Blonde wamo MIT

13 Dec 12, 2022
A course-planning, course-map rendering and GPA-calculation web service, designed for the SFU (Simon Fraser University) student.

SFU Course Planner What is the overall goal of the project (i.e. what does it do, or what problem is it solving)? As the title suggests, this project

Ash Peng 1 Oct 21, 2021