Skip to content

IAM policy optimizer is too eager may cause a security issue #957

New issue
New issue
Closed
#958
Closed
IAM policy optimizer is too eager may cause a security issue#957
#958
Labels
bugThis issue is a bug.
@eladb

Description

@eladb
eladb
opened on Oct 18, 2018

The IAM policy optimization code (#916) has an issue that may cause unwanted extension of permissions.

Repro:

const doc = new iam.PolicyDocument();
doc.addStatement(new iam.PolicyStatement()
  .addResource('bucket1')
  .addActions('s3:read-only'));

doc.addStatement(new iam.PolicyStatement()
  .addResource('bucket2')
  .addActions('s3:*'));

Output:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "bucket1",
        "bucket2"
      ]
    }
  ]
}

Expected (obvsiouly, we didn't want full access to "bucket1"):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:read-only",
      "Resource": "bucket1"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "bucket2"
    }
  ]
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis issue is a bug.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions