Excluded Actions creating empty SIDs #352
Description
If you exclude all the actions of a SID, there is no logic to check and remove that SID.
Example file will generate a SID to ensure the iam:PassRole permission is included as a requirement for some s3 write permissions. However, excluding that actions is preferable.
{
"mode": "crud",
"name": "TempName",
"read": [
"arn:aws:s3:::test"
],
"write": [
"arn:aws:s3:::test"
],
"list": [
"arn:aws:s3:::test"
],
"tagging": [],
"permissions-management": [],
"exclude-actions": [
"iam:Pass*"
]
}
Generates
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3ReadBucket",
"Effect": "Allow",
"Action": [
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetReplicationConfiguration"
],
"Resource": [
"arn:aws:s3:::test"
]
},
{
"Sid": "MultMultNone",
"Effect": "Allow",
"Action": [],
"Resource": [
"*"
]
},
{
"Sid": "S3WriteBucket",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketOwnershipControls",
"s3:DeleteBucketWebsite",
"s3:PutAccelerateConfiguration",
"s3:PutAnalyticsConfiguration",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketOwnershipControls",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutIntelligentTieringConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutReplicationConfiguration"
],
"Resource": [
"arn:aws:s3:::test"
]
},
{
"Sid": "S3ListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::test"
]
}
]
}
The above policy fails on building an IAM policy.
This logic occurs in policy_sentry/writing/sid_group.py on lines 167-173. On line 176 there should be a logical check for the actions list being empty for this particular SID. If it is, it can be removed and the loop can be continued.