Support condition keys for policies
Shocktrooper opened this issue · 3 comments
While policy_sentry does a great job for 90% of the IAM policies that will be made, it has one key piece of functionality missing, which is adding condition keys to policies. If we can add this functionality, then policy_sentry can be used to create all ABAC policies in AWS and not just most other IAM policies.
One crucial example of where this functionality comes into play is KMS keys. While KMS aliases support resource scoping based on name prefixes, KMS keys themselves do not, as the key ID is fully unique per key; they usually rely on either explicit permissions to single keys or tags via condition-based policies.
References:
- https://docs.aws.amazon.com/kms/latest/developerguide/tags-about.html#:~:text=Control%20access%20to%20your,the%20IAM%20User%20Guide.
- https://docs.aws.amazon.com/kms/latest/developerguide/tag-authorization.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
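As an added illustration of the KMS tag-scoping case described above (this is example code written for this thread, not policy_sentry's own code or API), the block below builds a policy whose only scoping is a `Condition` block on the global `aws:ResourceTag/<key>` key, attaches such a condition to an existing KMS statement, and evaluates the result against constructed key ARNs and tag sets. The function names `kms_abac_policy`, `add_condition` and `policy_allows`, and the tag names and ARNs, are assumptions; the evaluator implements only the `StringEquals`/`StringLike` subset it needs and ignores `Deny`, `NotAction` and the rest of IAM evaluation.

```python
import json
from fnmatch import fnmatchcase

# Constructed example, not policy_sentry code: a minimal IAM policy document
# that grants KMS actions only on keys carrying a given tag, plus a tiny
# evaluator for the subset of condition semantics the policy uses.

KMS_KEY_ARN_PATTERN = "arn:aws:kms:*:*:key/*"  # key IDs are UUIDs, so no prefix scoping


def kms_abac_policy(tag_key, tag_value, actions):
    """Allow `actions` on any KMS key whose tag `tag_key` equals `tag_value`.

    The Resource stays a wildcard; the real scoping is the Condition block.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KmsAccessByResourceTag",
                "Effect": "Allow",
                "Action": sorted(actions),
                "Resource": KMS_KEY_ARN_PATTERN,
                "Condition": {
                    "StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}
                },
            }
        ],
    }


def add_condition(policy, condition, resource_prefix="arn:aws:kms:"):
    """Return a copy of `policy` with `condition` merged into every statement
    whose Resource targets `resource_prefix`. Existing operators are merged,
    not overwritten. (Hypothetical helper, not a policy_sentry API.)
    """
    out = json.loads(json.dumps(policy))  # deep copy so the input is untouched
    for stmt in out["Statement"]:
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if not any(r.startswith(resource_prefix) for r in resources):
            continue
        merged = stmt.setdefault("Condition", {})
        for operator, keys in condition.items():
            merged.setdefault(operator, {}).update(keys)
    return out


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringLike against request-context keys.

    A key absent from the context never matches for these operators, so a
    key with no tags is denied by a tag-scoped statement.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted_list = wanted if isinstance(wanted, list) else [wanted]
            if operator == "StringEquals" and actual not in wanted_list:
                return False
            if operator == "StringLike" and not any(fnmatchcase(actual, w) for w in wanted_list):
                return False
    return True


def policy_allows(policy, action, resource_arn, resource_tags):
    """True if some Allow statement matches action, resource and conditions.

    `resource_tags` is exposed as `aws:ResourceTag/<key>` context keys, which
    is what KMS supplies for tag-based authorization.
    """
    context = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names are case-insensitive in IAM; ARNs are not.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(resource_arn, r) for r in resources):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a key ARN with a made-up account and key ID.
    key = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    policy = kms_abac_policy("Project", "payments", ["kms:Decrypt", "kms:Encrypt"])
    print(json.dumps(policy, indent=2))
    print(policy_allows(policy, "kms:Decrypt", key, {"Project": "payments"}))
    print(policy_allows(policy, "kms:Decrypt", key, {"Project": "billing"}))
```

The point the evaluator makes explicit is that, for a KMS key, the `Resource` element alone cannot express "only the payments team's keys": without the `Condition` block every key in every account matches the wildcard ARN, and once the block is present a key with no `Project` tag at all is denied rather than allowed.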
@Shocktrooper - we considered this for a while (see #21), but it seemed to be quite a large level of effort to add to this tool. Policy Sentry does have the data for this in the IAM definition, but adding that to the DSL in an easy to understand and scalable manner seemed to be more than we were willing to take on.
I don't have the capacity for this, but if you (or anyone) wants to pick this up, I'm happy to consult/assist/advise.
I'll see if I can throw together a few design options for consideration sometime in the future 😊