Missing NotAction in Community Auditor - advanced_policy_elements.py #212

ossie-git opened this issue Feb 28, 2022 · 1 comment

@ossie-git

Hi,

While looking at the source code for some of the auditors, I noticed that advanced_policy_elements.py mentions:

AWS documentation discourages the use of NotPrincipal, NotAction and
NotResource, particularly with Allow. These constructs, by default, grant
permissions, then Deny the ones explicitly listed. Instead, use an explicit
Resource, Action or Principal in your Allow list.

I therefore expected to see rules to detect all 3. However, I found only 2 rules:

  • one for NotPrincipal
  • one for NotResource

and couldn't find anything related to NotAction. This was confirmed by looking at the configuration for these checks in config_override.yaml, which only contains sections for NotPrincipal and NotResource:

```yaml
NOTPRINCIPAL_WITH_ALLOW:
  title: NotPrincipal used with Allow effect
  description: NotPrincipal with Allow automatically grants the permission to all principals, except the ones specified.
  severity: MEDIUM
  group: CUSTOM

NOTRESOURCE_WITH_ALLOW:
  title: NotResource used with Allow effect
  description: NotResource with Allow automatically grants the Principal all services and resources that are not explicitly listed
  severity: MEDIUM
  group: CUSTOM
```

Is there a specific reason that there is no rule for NotAction? Am I missing something? Thanks.

@raghavkaul (Contributor) commented Mar 20, 2022

I think NotAction would be a useful check since it implicitly grants permissions to all actions not listed in the NotAction statement. I just didn't get around to implementing it :)
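The check discussed in this thread, as an added example that is not the project's own code and not from either participant: a small scanner that walks an IAM policy document and flags statements pairing `Effect: Allow` with `NotAction` (and, for completeness, the `NotPrincipal` and `NotResource` cases the two existing rules already cover). The finding name `NOTACTION_WITH_ALLOW` is an assumed identifier chosen to match the style of the config_override.yaml keys quoted above; the sample policy is constructed for the example. Statements with `Effect: Deny` are deliberately left alone, since `NotAction` with Deny is the ordinary way to write "deny everything except these actions" and is not the anti-pattern the AWS guidance warns about.

```python
"""Added example (not Parliament's own code): flag IAM policy statements that
use NotAction, NotPrincipal or NotResource together with Effect: Allow.
"""
import json

# Map each inverted element to the finding id it should raise when paired
# with Allow. NOTACTION_WITH_ALLOW is an assumed name for the missing check;
# the other two are the identifiers quoted from config_override.yaml.
INVERTED_ELEMENTS = {
    "NotAction": "NOTACTION_WITH_ALLOW",
    "NotPrincipal": "NOTPRINCIPAL_WITH_ALLOW",
    "NotResource": "NOTRESOURCE_WITH_ALLOW",
}


def iter_statements(policy):
    """Yield (index, statement); Statement may be a list or a single dict."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for index, statement in enumerate(statements):
        yield index, statement


def find_inverted_allows(policy):
    """Return a list of (finding_id, statement_index, element_value) tuples.

    Only Effect: Allow is flagged. With Allow, an inverted element grants
    everything that is *not* listed, so the grant is as broad as whatever the
    author forgot to exclude. With Deny the same construct is the normal way
    to express "deny everything except ...", so it is not reported.
    """
    findings = []
    for index, statement in iter_statements(policy):
        if statement.get("Effect") != "Allow":
            continue
        for element, finding_id in INVERTED_ELEMENTS.items():
            if element in statement:
                findings.append((finding_id, index, statement[element]))
    return findings


# Constructed sample policy (not taken from the issue): statement 0 is the
# classic "everything except IAM" pattern that NotAction+Allow produces,
# statement 1 is a legitimate Deny using NotAction, and statement 2 pairs
# NotResource with Allow.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "NotResource": "arn:aws:s3:::finance-bucket/*"}
  ]
}
""")


def main():
    for finding_id, index, value in find_inverted_allows(SAMPLE_POLICY):
        print(f"{finding_id}: statement {index} -> {value}")


if __name__ == "__main__":
    main()
```

Running the block reports statement 0 under `NOTACTION_WITH_ALLOW` and statement 2 under `NOTRESOURCE_WITH_ALLOW`; the Deny statement is skipped. A severity of MEDIUM in the style of the existing two rules would be consistent, since the practical effect of `NotAction` with Allow is the same implicit over-grant the existing descriptions call out.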
