check-permissions filter fails to match if Resource in IAM policy is anything other than "*"

[FireballDWF]

When a ec2 resource policy includes the fillter:

      - type: check-permissions
        match: allowed
        match-operator: or
        actions:
          - s3:GetObject
          - s3:* 

it will fail to match if the Resource in the relevant IAM policy is anything other than "*", such as

       {

            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::*/*"
        }

[kapilt]

thats per the documentation for simulate policy api, what are you suggesting? custodian won't be enumerating every arn permutation.

[FireballDWF]

Ok, I understand the limitation in the api. I was looking for check-permissions to tell me if there was any allow for that action regardless of resource arns in the policy, but the simulate-principal-policy doesn't answer such a question. So I'll modify the request to ask that check-permissions be enhanced to support passing a list of arns, passing them in the api's resource-arns parameter. This would enable the use of checking if a given instance has GetObject access to a specific sensitive bucket or any access to a list of buckets.

[kapilt]

okay so grow a resource-arns: attribute here for passthrough. i think we want some behavior validation, as i suspect that this is a literal string match as opposed to useful evaluation, ie wildcard in arn vs individual bucket resource (or even worse say path in bucket). ie. the actual api here needs improvements for more scenarios to be useful (not sure it handles permission boundaries, org scp, etc either).