Ok, I understand the limitation in the api. I was looking for check-permissions to tell me if there was any allow for that action regardless of resource arns in the policy, but the simulate-principal-policy doesn't answer such a question. So I'll modify the request to ask that check-permissions be enhanced to support passing a list of arns, passing them in the api's resource-arns parameter. This would enable the use of checking if a given instance has GetObject access to a specific sensitive bucket or any access to a list of buckets.
Okay, so grow a resource-arns: attribute here for passthrough. I think we want some behavior validation, as I suspect that this is a literal string match as opposed to useful evaluation, i.e. wildcard in arn vs individual bucket resource (or even worse, say, path in bucket). I.e. the actual api here needs improvements for more scenarios to be useful (not sure it handles permission boundaries, org scp, etc. either).
When an ec2 resource policy includes the filter:
it will fail to match if the Resource in the relevant IAM policy is anything other than "*", such as
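As an added, offline illustration (this is example code written for this thread, not cloud-custodian's own code and not the AWS API): a small evaluator that applies IAM-style wildcard matching to a policy's Action and Resource elements and returns the same EvalDecision vocabulary (allowed / explicitDeny / implicitDeny) that simulate-principal-policy reports. It shows the bucket-ARN vs object-path distinction raised above, and fans a list of actions out over a list of resource ARNs the way a resource-arns passthrough would. The policy document and ARNs are constructed for the example; Condition, NotAction, NotResource, permission boundaries and SCPs are deliberately not modelled.

```python
import re
from typing import Dict, Iterable, List, Tuple


def _as_list(value) -> List:
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal.
    Action names are case-insensitive; resource ARNs are compared case-sensitively here."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Decision for one (action, resource) pair: 'explicitDeny', 'allowed' or 'implicitDeny'.
    Only Effect/Action/Resource are modelled (constructed example): no Condition, NotAction,
    NotResource, permission boundaries or SCPs, which the real IAM evaluation also applies."""
    decision = "implicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(iam_match(p, action, ignore_case=True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(iam_match(p, resource_arn) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicitDeny"  # an explicit Deny overrides any Allow, whatever the order
        decision = "allowed"
    return decision


def check_permissions(policy: dict, actions: Iterable[str],
                      resource_arns: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Evaluate every action against every resource ARN (the fan-out a resource-arns list implies)."""
    return {(a, r): evaluate(policy, a, r) for a in actions for r in resource_arns}


def any_allowed(policy: dict, actions: Iterable[str], resource_arns: Iterable[str]) -> bool:
    """True if the principal gets any of the actions on any of the listed resources."""
    return any(d == "allowed" for d in check_permissions(policy, actions, resource_arns).values())


# Constructed sample policy: list the bucket, read objects, but never touch secrets/.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

# Constructed policy with Resource "*": matches every ARN, which is the case the thread says works today.
WILDCARD_POLICY = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    results = check_permissions(
        SAMPLE_POLICY,
        ["s3:GetObject", "s3:ListBucket"],
        ["arn:aws:s3:::example-bucket",
         "arn:aws:s3:::example-bucket/public/a.txt",
         "arn:aws:s3:::example-bucket/secrets/key"],
    )
    for (action, arn), decision in results.items():
        print(f"{action:14} {arn:45} {decision}")
```

Note that `s3:GetObject` against the bare bucket ARN comes back implicitDeny even though the object-path pattern allows reads: `arn:aws:s3:::example-bucket/*` requires the slash, so a check that passes only bucket ARNs will miss object-level access and vice versa. The real call this stands in for is boto3's `iam.simulate_principal_policy(PolicySourceArn=..., ActionNames=[...], ResourceArns=[...])`, which also applies the Condition, boundary and SCP logic this example leaves out.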