
Add Support For "NotAction" IAM Policy Clause

Open bc-jcarlson opened this issue 5 years ago • 0 comments

It appears that cloudtracker doesn't enumerate the full list of granted permissions for both users and roles that utilize the "NotAction" clause.

Example IAM Policy:

        {
            "Sid": "AllowAllOperationsExceptIamAndCloudTrail",
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "cloudtrail:*"
            ]
        },

Cloudtracker output for this role shows only the permissions granted by other policies that use the "Action" clause, with a large number of services noting the "+" designation that were used via this policy.

This issue can lead to inaccurate results and missed permissions when using the tool.

bc-jcarlson, Oct 08 '20 20:10
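As an added example (not cloudtracker's own code), the following shows how an Allow statement with "NotAction" expands against a catalogue of known actions, next to the ordinary "Action" case; the action catalogue and policy are constructed sample data, and Deny statements are deliberately left out to keep the focus on the NotAction expansion.

```python
import fnmatch

# Constructed sample catalogue; a real tool would load the full list of
# IAM actions for every service rather than this handful.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "ec2:DescribeInstances",
    "iam:CreateUser", "iam:PassRole", "cloudtrail:StopLogging",
]

def _as_list(value):
    """IAM accepts a single value or a list for Action, NotAction, Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def matches_any(action, patterns):
    """IAM action patterns are case-insensitive and accept '*' and '?'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def statement_allowed_actions(statement, known_actions=KNOWN_ACTIONS):
    """Expand one Allow statement into the concrete actions it grants.

    "Action" grants whatever matches its patterns; "NotAction" grants every
    known action that does NOT match, which is the case the issue describes.
    """
    if statement.get("Effect") != "Allow":
        return set()
    if "NotAction" in statement:
        excluded = _as_list(statement["NotAction"])
        return {a for a in known_actions if not matches_any(a, excluded)}
    included = _as_list(statement.get("Action"))
    return {a for a in known_actions if matches_any(a, included)}

def policy_allowed_actions(policy, known_actions=KNOWN_ACTIONS):
    """Union of the Allow grants across all statements (Deny not modelled)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        granted |= statement_allowed_actions(stmt, known_actions)
    return granted

# The statement quoted in the issue, embedded as sample input.
ISSUE_STATEMENT = {
    "Sid": "AllowAllOperationsExceptIamAndCloudTrail",
    "Effect": "Allow",
    "Resource": "*",
    "NotAction": ["iam:*", "cloudtrail:*"],
}
```

Against the sample catalogue, the issue's statement grants the three s3/ec2 actions and none of the iam or cloudtrail ones, which is what an enumeration that only reads "Action" would miss.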