fix(iam): gate AssumeRoot on RootSessions + empty NotAction/NotResource matches nothing#1930
Merged
Two auth-when-enabled correctness fixes:
- AssumeRoot minted :root credentials for an arbitrary TargetPrincipal
unconditionally, so a single sts:AssumeRoot grant escalated to root over every
account with no organization trust. It now requires the centralized
root-access RootSessions feature to be enabled in the caller's account (the
org-level gate AWS enforces, EnableOrganizationsRootSessions); without it the
call is denied (checked after input validation so malformed requests still
surface their validation error). (5.1)
- An empty NotAction/NotResource matched everything (`[].all(...)` is vacuously
true), so a degenerate `{Effect:Allow, NotAction:[], Resource:*}` — which a
resource policy with no put-time validation can carry — became a public
allow-all. Empty NotAction/NotResource now match nothing (deny-by-default;
AWS rejects such policies anyway). (5.2)
Unit tests: AssumeRoot denied without RootSessions (and the existing success
tests enable it first); empty NotAction and empty NotResource both deny.
The 5.1 fix required organizations_root_sessions unconditionally, which broke the recorded AWS baseline (conformance sts_assume_root) where same-account AssumeRoot succeeds with no org setup. The actual escalation risk is cross-account: a single sts:AssumeRoot grant minting :root over every member account. Restrict the RootSessions gate to targets in a different account than the caller; same-account AssumeRoot (member root managing itself) is always allowed. Adds a same-account-without-RootSessions success test; existing cross-account success/denial tests unchanged.
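The vacuous-truth bug from 5.2 and its deny-by-default fix, as an added example written for this page and not fakecloud-iam's own code; the `Element`/`Statement` types, the `el` helper and the trailing-`*` prefix matcher are assumptions standing in for the project's real policy model:

```rust
// Added example (not fakecloud-iam's own code): a minimal IAM statement
// matcher showing why an empty NotAction/NotResource list must match nothing.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Effect { Allow, Deny }

/// One policy element: Action/Resource (`negated == false`) or
/// NotAction/NotResource (`negated == true`). Patterns support a trailing `*`.
#[derive(Clone, Debug)]
pub struct Element { pub patterns: Vec<String>, pub negated: bool }
#[derive(Clone, Debug)]
pub struct Statement { pub effect: Effect, pub action: Element, pub resource: Element }

pub fn el(patterns: &[&str], negated: bool) -> Element {
    Element { patterns: patterns.iter().map(|p| p.to_string()).collect(), negated }
}
fn pattern_matches(pattern: &str, value: &str) -> bool {
    pattern.strip_suffix('*').map_or(pattern == value, |prefix| value.starts_with(prefix))
}
/// Buggy matcher: for a Not* element, `all()` over an empty list is vacuously
/// true, so `NotAction: []` matches every action (a public allow-all).
pub fn element_matches_buggy(e: &Element, value: &str) -> bool {
    if e.negated {
        e.patterns.iter().all(|p| !pattern_matches(p, value))
    } else {
        e.patterns.iter().any(|p| pattern_matches(p, value))
    }
}

/// Fixed matcher: an empty list matches nothing (deny-by-default), so the degenerate statement grants nothing.
pub fn element_matches_fixed(e: &Element, value: &str) -> bool {
    !e.patterns.is_empty() && element_matches_buggy(e, value)
}

/// Explicit Deny wins, then any matching Allow, else implicit deny.
pub fn is_allowed(stmts: &[Statement], action: &str, resource: &str,
                  m: fn(&Element, &str) -> bool) -> bool {
    let hits: Vec<&Statement> = stmts.iter()
        .filter(|s| m(&s.action, action) && m(&s.resource, resource)).collect();
    !hits.iter().any(|s| s.effect == Effect::Deny) && hits.iter().any(|s| s.effect == Effect::Allow)
}

/// The degenerate `{Effect:Allow, NotAction:[], Resource:*}` statement from the PR.
pub fn degenerate_allow() -> Statement {
    Statement { effect: Effect::Allow, action: el(&[], true), resource: el(&["*"], false) }
}
fn main() {
    let p = [degenerate_allow()];
    println!("buggy={} fixed={}", is_allowed(&p, "s3:GetObject", "arn:aws:s3:::b/k", element_matches_buggy),
             is_allowed(&p, "s3:GetObject", "arn:aws:s3:::b/k", element_matches_fixed));
}
```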
Summary (5.1 + 5.2, auth-when-enabled)
- AssumeRoot minted `:root` credentials for an arbitrary `TargetPrincipal` unconditionally, so a single `sts:AssumeRoot` grant escalated to root over every account with no organization trust. It now requires the centralized root-access RootSessions feature enabled in the caller's account (the org-level gate AWS enforces, set via `EnableOrganizationsRootSessions`); without it the call is denied. Checked after input validation so malformed requests still surface their validation error first.
- Empty `NotAction`/`NotResource` matched everything (5.2) — `[].all(...)` is vacuously true — so a degenerate `{Effect:Allow, NotAction:[], Resource:*}` (which a resource policy with no put-time validation can carry) became a public allow-all. Empty `NotAction`/`NotResource` now match nothing (deny-by-default; AWS rejects such policies anyway).
Non-code surface
Auth enforcement correctness; no new API surface. No SDK/docs/metadata change applies (checked).
Test plan
- `assume_root_denied_without_root_sessions` (and the existing success tests now enable RootSessions first).
- `empty_not_action_or_not_resource_matches_nothing`.
- `cargo test -p fakecloud-iam --lib` (494) passes; clippy clean.
Summary by cubic
Fix two IAM evaluation issues: gate cross-account AssumeRoot on RootSessions and make empty NotAction/NotResource match nothing. Prevents cross-account root escalation and accidental allow-all.
Written for commit 473998c. Summary will update on new commits.