iam-user and aim-role compliance checks

[fwesselhoft]

Thank you for sharing those policies, very helpful. I have been playing with the check-permissions filter within the iam-user resource, trying to list a map the following: iam account --> ALlowed Actions --> Resources, but I'm stuck, and wondering if you could point me to the correct direction.

The current policy, when run, outputs a resource.yml file that contains the IAM accounts that are allowed to perform a s3:DeleteBucket action against all resources (*), but misses to list accounts that have the s3:DeleteBucket action allowed against specific resources only.

policies:

• name: iam-user-activekey-deleteBucket
  resource: iam-user
  filters:
  - type: check-permissions
  match: allowed
  actions:
  - s3:DeleteBucket

Am I missing something or the functionality is not there yet? Thank you very much for the help, and I apologize before hand if I posted this in the wrong place, I'm very new to github.

[xsplaxy]

@fwesselhoft at first glance, this seems like a bug to me. Even if a specific resource is selected, the IAM User still has the "s3:DeleteBucket" action which should match despite the resource being "arn::12345" instead of "*"

I saw you posted directly on the C7N Github which is a great place to start.
cloud-custodian/cloud-custodian#3383

We don't have local IAM users but I can try and replicate in my personal environment and post results when I have a chance.

[fwesselhoft]

Thank you very much @byronenos2 !! I also thought this was either some kind of glitch/bug, or the functionality is just not all in there as I would have expected to see the iam-users that had the "s3:DeleteBucket" action allowed for specific bucket ARNs and not just for * all.

That would be great if you can try to replicate this, thank you SO VERY much. I will also keep on playing with this and will reply to this thread if I find a better way to get this working. Have a great day and thank you again!