Describe the bug
The cross account authorization checks do not evaluate resource policies https://github.com/nccgroup/PMapper/wiki/Frequently-Asked-Questions#how-do-i-do-cross-account-authorization-checks
I have an IAM User in Account A with the AWS managed AdministratorAccess policy attached. In Account B, I have an S3 bucket with no resource policy defined. The effective permission is that my IAM User does not have any permissions on the S3 bucket, since AWS requires an explicit Allow in the resource policy in order to grant cross-account permissions. However, PMapper is reporting that:
user/InAccountA IS authorized to call action s3:GetObject for resource arn:aws:s3:::eu-west-2-in-account-b
To Reproduce
```python
# Imports added for completeness; module paths as in the wiki FAQ linked above.
from principalmapper.graphing.cross_account_edges import get_edges_between_graphs
from principalmapper.querying.query_orchestrator import search_authorization_across_accounts

# root_graph / prod_graph: Graph objects for Account A and Account B, loaded beforehand.
ACTION = 's3:GetObject'
RESOURCE = 'arn:aws:s3:::eu-west-2-in-account-b'

edges = get_edges_between_graphs(root_graph, prod_graph)
for node in root_graph.nodes:
    # No resource_policy / resource_owner passed here.
    result = search_authorization_across_accounts([(root_graph, []), (prod_graph, [])], edges, node, ACTION, RESOURCE, {})
    if result.allowed:
        result.print_result(ACTION, RESOURCE)
```
Expected behavior
PMapper to evaluate the resource policy (including the AWS inferred rules) for cross-account access and correctly report whether the user has permission to perform the specified action on the specified resource.
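The rule the report relies on, modelled as a small stand-alone evaluator. This is example code added for this page, not PMapper's evaluator and not the stub policy the maintainer refers to; the two account IDs, the `InAccountB` user and the bucket policy are constructed. It shows why an absent resource policy must yield a deny for a principal from another account even when that principal has AdministratorAccess, why the same check passes for a same-account principal, and why an S3 ARN (which carries no account ID) forces the caller to state who owns the resource:

```python
import fnmatch
from typing import Optional

# Constructed sample data: fictitious account IDs and principals.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
USER_IN_A = f"arn:aws:iam::{ACCOUNT_A}:user/InAccountA"
USER_IN_B = f"arn:aws:iam::{ACCOUNT_B}:user/InAccountB"  # constructed same-account principal
OBJECT_IN_B = "arn:aws:s3:::eu-west-2-in-account-b/report.csv"  # constructed object key

# The AWS managed AdministratorAccess document, as attached to the Account A user.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A constructed bucket policy that grants the Account A user read access only.
BUCKET_POLICY_ALLOWING_A = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_IN_A},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::eu-west-2-in-account-b/*",
    }],
}


def _as_list(value) -> list:
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcards are '*' and '?'; action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def account_of(arn: str) -> str:
    """Account field of an ARN; empty for S3 ARNs such as arn:aws:s3:::bucket."""
    return arn.split(":")[4]


def _principal_matches(principal, principal_arn: str) -> bool:
    """Principal element: '*', the exact ARN, the bare account ID, or the account root."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    acct = account_of(principal_arn)
    accepted = {"*", principal_arn, acct, f"arn:aws:iam::{acct}:root"}
    return any(p in accepted for p in _as_list(principal.get("AWS")))


def _decisions(policy: dict, action: str, resource: str, principal_arn: Optional[str] = None) -> set:
    """Collect the Effects of every statement that applies to this request."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        found.add(stmt["Effect"])
    return found


def is_authorized(principal_arn: str, action: str, resource_arn: str, identity_policies: list,
                  resource_policy: Optional[dict] = None, resource_owner: Optional[str] = None) -> bool:
    """Cross-account rule: identity Allow suffices in the owner's account; another
    account's principal additionally needs an explicit Allow in the resource policy.
    An explicit Deny in either policy always wins."""
    owner = resource_owner or account_of(resource_arn)
    if not owner:
        # S3 ARNs carry no account ID, so the caller must say who owns the bucket;
        # this is the gap an unspecified resource_owner leaves open.
        raise ValueError("resource_owner is required for ARNs without an account field")
    identity = set()
    for doc in identity_policies:
        identity |= _decisions(doc, action, resource_arn)
    resource = _decisions(resource_policy, action, resource_arn, principal_arn) if resource_policy else set()
    if "Deny" in identity or "Deny" in resource:
        return False
    if account_of(principal_arn) == owner:
        return "Allow" in identity or "Allow" in resource
    return "Allow" in identity and "Allow" in resource


if __name__ == "__main__":
    for label, user, policy in [("A, no bucket policy", USER_IN_A, None),
                                ("A, bucket policy allows", USER_IN_A, BUCKET_POLICY_ALLOWING_A),
                                ("B, same account", USER_IN_B, None)]:
        ok = is_authorized(user, "s3:GetObject", OBJECT_IN_B, [ADMINISTRATOR_ACCESS], policy, ACCOUNT_B)
        print(f"{label}: {'ALLOWED' if ok else 'DENIED'}")
```

The first case is the one in the report: AdministratorAccess in Account A and no bucket policy in Account B evaluates to a deny, which is what the query should report. Note that the evaluator refuses to run at all when the owner of an S3 ARN is not stated; silently defaulting to "same account" is exactly the failure mode that turns a cross-account check into an in-account one.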
Looking at that code, I think I've spotted the root cause. When invoking search_authorization_across_accounts, there are parameters named resource_policy and resource_owner. You'll need to specify these parameters to get accurate behavior. If your S3 bucket does not specify a bucket policy, you'll need to include a "stub" policy like so: