feat(s3,sqs,sns): wire Phase 1 IAM enforcement

[vieiralucas]

Summary

Extends the IAM enforcement surface (started in PR #395 with IAM+STS) to cover S3 + SQS + SNS — the three most-used queue/storage services. Combined with the IAM+STS coverage from #395, this matches the same enforcement surface LocalStack Pro ships for its paid IAM feature.

SQS

• All 20 SQS actions map to sqs:<Action>.
• Queue ARN is built from QueueName (CreateQueue, GetQueueUrl) or from the trailing segment of QueueUrl for queue-targeted calls. ListQueues → *.
• Account id sourced from principal.account_id (Feature proposal: multi-account isolation within a single fakecloud instance #381 note).

SNS

• All 34 SNS actions map to sns:<Action>.
• Topic-targeted actions read TopicArn; subscription-targeted actions read SubscriptionArn; platform-app/endpoint/tagging actions read their respective *Arn params.
• CreateTopic builds the to-be-created topic ARN from the principal's account + Name.
• Account-scoped actions (ListTopics, SetSMSAttributes, ...) → *.

S3

• All 74 S3 actions classified by s3_resource_for into bucket or object ARNs (arn:aws:s3:::bucket[/key]); S3 ARNs intentionally omit account+region because bucket names are globally unique in AWS.
• New s3_detect_action() helper re-derives the IAM action name from method + bucket + key + query params, since S3 dispatches internally on method+path and doesn't set request.action. Handles:
  • object-level: GetObject, PutObject, DeleteObject, HeadObject, CopyObject
  • bucket-level: ListBuckets, CreateBucket, DeleteBucket, HeadBucket, GetBucketLocation, ListObjectsV2, ListObjects, ListObjectVersions, DeleteObjects
  • sub-resources: ?acl / ?tagging / ?versioning / ?policy / ?cors / ?website / ?lifecycle / ?encryption / ?logging / ?notification / ?replication / ?ownershipControls / ?publicAccessBlock / ?accelerate / ?inventory / ?object-lock
  • multipart: CreateMultipartUpload, UploadPart, CompleteMultipartUpload, AbortMultipartUpload, ListParts, ListMultipartUploads

Test plan

5 new E2E tests in iam_enforcement.rs (on top of the 8 from PR #395), all signed with real aws-sdk-rust clients:

• SQS SendMessage denied without policy → AccessDeniedException
• SQS resource-scoped Allow on jobs queue lets through jobs messages but denies secrets messages (same action, different resource)
• SNS Publish denied without policy
• SNS Publish allowed on specific topic ARN via dynamically-composed inline policy
• S3 ReadDocs policy: GetObject on private-docs/readme.md allowed, PutObject on same bucket denied (different action)

Plus:

• cargo test -p fakecloud-e2e --test iam_enforcement — 13 tests all green (8 from feat(iam,sts): wire Phase 1 enforcement for IAM + STS services #395 + 5 new)
• cargo test -p fakecloud-e2e --test iam --test s3 --test sqs --test sns --test sigv4_verification — 183 tests total, zero regressions
• cargo clippy --workspace --all-targets -- -D warnings clean
• cargo fmt --check clean

---

Summary by cubic

Adds Phase 1 IAM enforcement for S3, SQS, and SNS, with precise action-to-resource mapping and new E2E coverage. Also fixes S3 sub-resource method guards and SNS ARN/resource detection for consistency.

• New Features

  • SQS: map all 20 actions to sqs:<Action>; queue ARN from QueueName (CreateQueue, GetQueueUrl) or last segment of QueueUrl; ListQueues → *; account id from principal.account_id.
  • SNS: map all 34 actions to sns:<Action>; resources from TopicArn/SubscriptionArn/PlatformApplicationArn/EndpointArn; CreateTopic builds ARN from service state account + Name; account-scoped actions → *.
  • S3: s3_detect_action() derives the IAM action from method + bucket + key + query; 74 actions mapped to bucket/object ARNs arn:aws:s3:::bucket[/key] (ListBuckets → *).
  • Tests: 5 new E2E tests cover SQS SendMessage deny and resource-scoped allow/deny, SNS Publish deny/allow, and S3 GetObject allowed vs PutObject denied.

• Bug Fixes

  • S3: require GET for ?attributes and POST for ?restore to avoid misclassifying IAM actions.
  • SNS: CreateTopic IAM resource uses the service state account id to match the created ARN; ConfirmSubscription is keyed by TopicArn instead of SubscriptionArn.

^{Written for commit 28bcfc6. Summary will update on new commits.}

[cubic-dev-ai]

4 issues found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="crates/fakecloud-s3/src/service/mod.rs">

<violation number="1" location="crates/fakecloud-s3/src/service/mod.rs:800">
P2: Missing method guard on `?attributes` sub-resource — any HTTP method with `?attributes` maps to `GetObjectAttributes`. Should match GET only, consistent with all other sub-resource handlers.</violation>

<violation number="2" location="crates/fakecloud-s3/src/service/mod.rs:803">
P2: Missing method guard on `?restore` sub-resource — any HTTP method (including GET) with `?restore` in the query string maps to `RestoreObject` instead of falling through to the correct plain-method dispatch. Since RestoreObject is a POST-only operation, this should only match POST. A GET with `?restore` present would be IAM-checked against `s3:RestoreObject` instead of `s3:GetObject`.</violation>
</file>

<file name="crates/fakecloud-sns/src/service.rs">

<violation number="1" location="crates/fakecloud-sns/src/service.rs:155">
P2: `CreateTopic` IAM resource account derivation is inconsistent with actual topic ARN creation (`state.account_id`), which can cause policy evaluation against the wrong ARN.</violation>

<violation number="2" location="crates/fakecloud-sns/src/service.rs:180">
P2: `ConfirmSubscription` is mapped to `SubscriptionArn`, but the request uses `TopicArn`; this makes IAM evaluate the wrong resource (`*` fallback in most calls).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}