SES actions don't support ConfigurationSet as a resource #57

akefirad opened this issue Feb 15, 2021 · 4 comments

@akefirad

I'm using the package

  • iam-floyd
  • cdk-iam-floyd

I'm using the package in language

  • TypeScript/JavaScript (npm)
  • Python (pip)
  • .Net (NuGet)
  • Java (GitHub packages)

Describe the problem
Oddly enough, SES actions don't support ConfigurationSet as a resource. For example, the following is not quite correct (it doesn't actually restrict the access):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ses:DescribeConfigurationSet",
            "Resource": "arn:aws:ses:eu-central-1:123456789012:configuration-set/some-configset",
            "Effect": "Allow"
        }
    ]
}

Reference: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html
Also, the IAM console shows a warning:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

akefirad added the bug (Something isn't working) label Feb 15, 2021
@udondan
Owner

udondan commented Feb 16, 2021

> SES actions don't support ConfigurationSet as resource

To me it appears this statement is accurate. When you look in the above linked reference in the actions table, in column 4 not a single action has the configuration-set listed as a resource. The only resource listed in that table is identity.

Also, in the AWS IAM console, when you create a policy, the visual editor will only allow you to add resources of type identity.

Still, the document describes far more resource types in the related table. What are these good for? No idea. Maybe they can be used by other services. Maybe the resource types have been defined but have not been implemented. Maybe they don't exist at all and the documentation simply is wrong. Only the SES team will be able to answer that.

What is your expectation from Floyd in this case?

@akefirad
Author

Right. As I said, I tested it and adding the configuration set ARN doesn't do anything.
Regarding Floyd, I'm not sure. In my case I saw the onConfigurationSet method and used it without consulting the documentation. So maybe remove the method (until it's officially supported)?

@udondan
Owner

udondan commented Feb 17, 2021

> So maybe remove the method (until it's officially supported)?

Unfortunately that's impossible. Unless they add a column into their table that says "This is really, really, really supported" I wouldn't know when it is officially supported. Even though I know it's not, I have to assume the documentation is correct. I can't possibly test every single action, condition and resource type AWS has to offer. :) I can filter stuff, but then wouldn't know when to remove the filter.

I sent feedback to the SES team to clarify what these resource types are good for. Let's see if something will come out of this. Again, maybe you also shoot them a message and maybe it will get fixed/clarified soon.

What I could imagine on the Floyd side: Add a warning to the method description, if a resource type is not listed for any action. I cannot use this as a filter, because in other cases the documentation for sure is just lacking the reference in the actions table, but the resource type is supported.

@akefirad
Author

I'm not sure if I understand you correctly. I thought (based on other conversations in the other issues), the reference is the documentation, and the documentation doesn't have any application for configuration set. My suggestion was to remove the method and write it back if/when there's an actual use for it. Adding a warning is also good. In any case, this is a minor thing and I reported it as more of an improvement. Feel free to close the issue.
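
The two checks discussed in this thread, as an added example that is not part of the issue and not iam-floyd code: a lint that flags a statement whose Resource type is not listed for its action (the situation the IAM console warns about), and a scan for resource types listed for no action (the warning proposed above). The `SES_ACTIONS` and `SES_RESOURCE_TYPES` tables are a constructed excerpt modelled on what the comments describe, and all function names are hypothetical.

```typescript
// Constructed excerpt shaped like the actions table in the linked reference:
// action -> resource types listed for it. Empty list = only "Resource": "*" applies.
type ActionTable = Record<string, string[]>;
const SES_ACTIONS: ActionTable = {
  "ses:SendEmail": ["identity"],
  "ses:DescribeConfigurationSet": [],
};
// Resource types the reference defines for the service (constructed excerpt).
const SES_RESOURCE_TYPES = ["identity", "configuration-set"];

interface Statement { Effect: string; Action: string | string[]; Resource: string | string[]; }

// The statement from the issue.
const ISSUE_STATEMENT: Statement = {
  Action: "ses:DescribeConfigurationSet",
  Resource: "arn:aws:ses:eu-central-1:123456789012:configuration-set/some-configset",
  Effect: "Allow",
};

// "arn:aws:ses:region:account:configuration-set/name" -> "configuration-set"
function resourceTypeOf(arn: string): string | null {
  if (arn === "*") return "*";
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") return null;
  return parts.slice(5).join(":").split("/")[0] || null;
}

// One finding per action that no Resource entry can apply to.
// Action wildcards such as "ses:*" are not expanded and are reported as unknown.
function lintStatement(stmt: Statement, table: ActionTable): string[] {
  const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
  const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
  const types = resources.map(resourceTypeOf);
  const findings: string[] = [];
  for (const action of actions) {
    const supported = table[action];
    if (supported === undefined) { findings.push(action + ": unknown action"); continue; }
    const applies = types.some((t) => t === "*" || (t !== null && supported.indexOf(t) !== -1));
    if (!applies) findings.push(action + ": no applicable resource (supports: " + (supported.join(", ") || "* only") + ")");
  }
  return findings;
}

// Resource types defined for the service but listed for no action.
function unreferencedTypes(defined: string[], table: ActionTable): string[] {
  const used: string[] = [];
  for (const action of Object.keys(table)) used.push(...(table[action] || []));
  return defined.filter((t) => used.indexOf(t) === -1);
}
```

Running `lintStatement` over synthesized policies in CI catches statements that grant nothing before they are deployed; the table would need to be generated from the current service authorization reference rather than hard-coded.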
