Feature request: flag permission policies that deny access to API actions
rdegraaf opened this issue · comments
Is your feature request related to a problem? Please describe.
The presence of Deny statements in permission policies is not necessarily a problem: they have totally valid uses. However, attempting to control access to API actions in AWS using a wildcard allow and a deny-list is very difficult and subject to problems since there is frequently more than one way to accomplish something, new API actions get added all the time, and permission policy authors frequently fail to consider all available API actions. `s3:GetObject` is denied? Try `s3:GetObjectVersion` instead. Both of those are blocked? That might have been adequate until AWS added `s3:GetObjectTorrent`. `kms:ScheduleKeyDeletion` is denied? You can still use `kms:PutKeyPolicy` to make the key unusable by everyone. Etc. And these aren't hypotheticals: I've seen them while reviewing accounts.
Describe the solution you'd like
ScoutSuite should flag permission policies containing Deny statements for specific API actions so that a reviewer can verify that they are appropriate given the account's access control regime and requirements, and that they do not have trivial bypasses.
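As an added illustration of the requested check (example code written for this issue, not ScoutSuite's rule engine), the following Python flags Deny statements that name individual actions and then probes each one for sibling actions the same policy still allows. The sample policy is constructed, the `SIBLING_ACTIONS` table only contains the pairs named above and is not exhaustive, and `is_action_allowed` is a deliberately simplified evaluator that ignores `Resource` and `Condition` elements; all function names are hypothetical.

```python
"""Flag IAM Deny statements for specific API actions and look for trivial bypasses.

Illustrative code written for this issue; not ScoutSuite's own rule engine.
"""
import fnmatch
import json

# Constructed sample policy (not taken from any real account): a wildcard
# Allow combined with a deny-list of individual actions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyList", "Effect": "Deny",
         "Action": ["s3:GetObject", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    ],
})

# Illustrative map (assumption, not exhaustive) from a denied action to sibling
# actions that achieve a similar effect; only the pairs named in the issue.
SIBLING_ACTIONS = {
    "s3:GetObject": ["s3:GetObjectVersion", "s3:GetObjectTorrent"],
    "kms:ScheduleKeyDeletion": ["kms:PutKeyPolicy"],
}


def _as_list(value):
    """IAM allows Action/NotAction/Statement to be a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement"))


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement applies to `action`, in either Action or NotAction form."""
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))


def find_specific_denies(policy):
    """Return Deny statements whose Action names individual actions.

    '*' and 'service:*' are treated as broad denies and are not reported;
    anything narrower (including partial wildcards such as 's3:Get*') is.
    """
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue
        specific = [a for a in _as_list(stmt["Action"])
                    if a != "*" and not a.endswith(":*")]
        if specific:
            findings.append({"sid": stmt.get("Sid"), "actions": specific})
    return findings


def is_action_allowed(policy, action):
    """Simplified IAM evaluation for one action: an explicit Deny wins, otherwise
    any matching Allow grants it. Resource and Condition elements are ignored."""
    allowed = False
    for stmt in _statements(policy):
        if not _statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def find_bypasses(policy, siblings=SIBLING_ACTIONS):
    """For each specifically denied action, list sibling actions the policy still allows."""
    bypasses = {}
    for finding in find_specific_denies(policy):
        for denied in finding["actions"]:
            still_allowed = [s for s in siblings.get(denied, [])
                             if is_action_allowed(policy, s)]
            if still_allowed:
                bypasses[denied] = still_allowed
    return bypasses


if __name__ == "__main__":
    for f in find_specific_denies(SAMPLE_POLICY):
        print(f"Deny statement {f['sid']!r} names specific actions: {f['actions']}")
    for denied, alts in find_bypasses(SAMPLE_POLICY).items():
        print(f"{denied} is denied, but {', '.join(alts)} remain allowed")
```

Run against the sample policy, `find_specific_denies` reports the `DenyList` statement and `find_bypasses` shows that `s3:GetObjectVersion`, `s3:GetObjectTorrent` and `kms:PutKeyPolicy` are all still granted by the wildcard Allow. A real rule would need to evaluate `Resource` and `Condition` and draw its sibling table from a maintained action inventory rather than a hand-written dictionary.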