Handle `NotAction` in IAM policy
I'm seeing an unhandled exception in https://github.com/lyft/cartography/blob/master/cartography/intel/aws/iam.py#L278 if the IAM statement includes a `NotAction` and no `Action`.

I can provide more information if necessary but as far as I know there's no difference in how an `Action` and `NotAction` should be parsed.
Issue Analytics: created 4 years ago; 1 reaction; 8 comments (4 by maintainers)
Top GitHub Comments
Thanks for pointing this out! I'll be pushing out a quick and ugly patch today to fix the crash.

However, modeling `NotActions` is going to be tricky and we'll have to think on it. Currently we represent IAM permissions in the graph between groups and roles in the "positive form" like this: `(AWSGroup)-[:STS_ASSUMEROLE_ALLOW]->(AWSRole)`. That is, for consistency we only show in the graph what permissions an identity has, as opposed to showing what permissions an identity does-not-have. There could be ways to take the `NotAction` and convert them to an equivalent `Actions` list, but that sounds unwieldy.

This issue has been automatically closed for inactivity. If you still wish to make these changes, please open a new change or reopen this one.