Validate IAM Actions
cfn-lint version: 0.21.4
Description of issue. At present cfn-lint does not appear to validate the contents of the Action list in IAM policies. While it would probably not be possible to validate them in all cases (e.g. when Fn::Sub etc. is used), it seems like it would be possible to verify that the entry is in fact valid for static entries.
Validating this could help to catch errors where the IAM policy will not actually perform as intended by the author. For example, I just encountered a scenario where an IAM policy Action listed ‘dyanmodb:PutItem’ rather than ‘dynamodb:PutItem’.
This sort of error does not prevent the stack from being created/updated, but can prevent the resources it deploys from functioning as intended.
(Simplified) Incorrect fragment example from an AWS::IAM::Role/Policies/PolicyDocument
- Sid: SamlSpTableDataAccess
  Effect: Allow
  Action:
    - dyanmodb:PutItem
        ^^
  Resource: '*'
Which should instead be
- Sid: SamlSpTableDataAccess
  Effect: Allow
  Action:
    - dynamodb:PutItem
        ^^
  Resource: '*'
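A static check of the kind the issue asks for, as an added example that is not cfn-lint's own code: string entries in each statement's Action list are checked against a known action set, while intrinsic functions (Fn::Sub, Ref) are skipped because they cannot be resolved statically. KNOWN_ACTIONS is a constructed subset of valid actions and SAMPLE_DOC is a PolicyDocument constructed from the fragment above.

```python
import fnmatch

# Constructed subset of valid IAM actions (assumption, not cfn-lint's dataset);
# a real linter would build it from the AWS service authorization reference.
KNOWN_ACTIONS = {
    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Query",
    "s3:GetObject", "s3:PutObject", "sts:AssumeRole",
}
KNOWN_SERVICES = {a.split(":", 1)[0] for a in KNOWN_ACTIONS}


def check_action(action):
    """Return None if a static action string is valid, else a message.
    Wildcards ('*', 'dynamodb:*', 's3:Get*') are matched against the known set."""
    if action == "*":
        return None
    if ":" not in action:
        return f"'{action}' is not of the form service:Action"
    service = action.split(":", 1)[0]
    if service not in KNOWN_SERVICES:
        return f"unknown service prefix '{service}' in '{action}'"
    if any(fnmatch.fnmatchcase(known, action) for known in KNOWN_ACTIONS):
        return None
    return f"unknown action '{action}'"


def lint_policy_document(doc):
    """Walk each Statement's Action list; return (statement_index, action,
    message) for every static entry that fails. Intrinsic functions such as
    {"Fn::Sub": ...} or {"Ref": ...} are dicts, not strings, and are skipped."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # a single action may be given as a scalar
            actions = [actions]
        for act in actions:
            if not isinstance(act, str):
                continue
            msg = check_action(act)
            if msg:
                findings.append((i, act, msg))
    return findings


# Constructed PolicyDocument mirroring the fragment from the issue, plus a
# statement mixing a valid action, a wildcard and an uncheckable Fn::Sub entry.
SAMPLE_DOC = {
    "Statement": [
        {"Sid": "SamlSpTableDataAccess", "Effect": "Allow",
         "Action": ["dyanmodb:PutItem"], "Resource": "*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["dynamodb:PutItem", "s3:Get*", {"Fn::Sub": "${Svc}:GetObject"}]},
    ],
}
```

Running `lint_policy_document(SAMPLE_DOC)` reports only the misspelled `dyanmodb:PutItem` in statement 0; the wildcard and the Fn::Sub entry produce no finding.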
The IAM linter I work on is finally out https://duo.com/blog/an-aws-iam-policy-linter-parliament
Just want to give a heads-up that I’ve been working on my own IAM linter that will be open-sourced (BSD-3) in the coming weeks that you’ll be able to use for this. It is being released as a library for use with other tools (specifically for my other tool CloudMapper). I think mine is a little more thorough. For example, I scrape the web docs in order to identify the relevant resources at a per-action level, whereas it looks like your dataset will only get fine-grained to the per-service level.
I’ve reported a lot of issues found by mine to AWS security, who are fixing the docs and some other things. Some of these are issues similar to what you’re experiencing with the false positives noted above about valid privileges being reported as invalid. My understanding is AWS is working to improve the docs to account for these. I’ll comment here once the project is released.