forked from iann0036/iam-dataset
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathresearch_notes.txt
223 lines (145 loc) · 9.03 KB
/
research_notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
S3.Put* permission / method naming [-]
EC2 RunInstances is handled differently depending upon the contextual condition
${Account} / ${AccountId} [-]
${region} [-]
Old/New update methods
Lambda partial ARN
S3 get object / get object version
url encoding
Multi-property permissions
EC2 Classic / Security Group names v. IDs
IAM passrole dependants missing
S3 GetObject dependants missing
dependants (RDS.DeleteInstance, Redshift.DeleteCluster, SSM.SendCommand, WAF.CreateWebACLMigrationStack, quicksight:UpdateAnalysis (source dataset), )
redshift:DeleteSnapshotSchedule (snapshotschedule* wrong identifier) [-]
OpsWorks, Medialive resource ARN weirdness [-]
Resources without any resource mappings
Restype: rekognition:project*
ARN style: arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/${CreationTimestamp} [-]
Restype: ssm.automation-definition*
ARN style: arn:${Partition}:ssm:${Region}:${Account}:automation-definition/${AutomationDefinitionName:VersionId} [-]
Restype: codestar.user*
ARN style: arn:${Partition}:iam::${Account}:user/${aws:username} [-]
Restype: mq.brokers*
ARN style: arn:${Partition}:mq:${Region}:${Account}:broker:${broker-id} [-]
Restype: kinesisvideo.stream*
ARN style: arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime} [-]
Restype: sagemaker.artifact*
ARN style: arn:${Partition}:sagemaker:${Region}:${Account}:artifact/${HashOfArtifactSource} [-]
Restype: cloud9.environment*
ARN style: arn:${Partition}:cloud9:${Region}:${Account}:environment:${ResourceId} [-]
Restype: chime.meeting*
ARN style: arn:${Partition}:chime::${AccountId}:meeting/${MeetingId} why incorrect?
Route53Resolver.DisassociateResolverQueryLogConfig (ResourceId Param NOT used)
quicksight:CreateDataSet [-]
RoboMaker.CreateWorld ARN (CreatedTime) [-]
Restype: transfer.server*
ARN style: arn:${Partition}:transfer:${region}:${account}:server/${serverId} [-]
Restype: dedicated-ip-pool*
ARN style: arn:${Partition}:ses:${Region}:${Account}:dedicated-ip-pool/${CustomVerificationEmailTemplateName} [-]
^ & test report [-]
LEX slottype version resource type [-]
batch.deregisterJobDefinition bad example value
DeviceFarm.ListJobs maybe? probably not
ListTagsForResource (and etc.) have all different casing (resourceARN, resourceArn, ResourceArn, ResourceARN, Resource, ResourceId, Arn, resourceShareArn?)
EC2.CreateTags/DeleteTags & ElastiCache.AddTagsToResource is difficult
ECS methods varies with ARN vs. name for property values
Action: machinelearning:GetEvaluation
Restype: datasource*
ARN style: arn:${Partition}:machinelearning:${Region}:${Account}:datasource/${DatasourceId} [-]
Pinpoint.PhoneNumberValidate possible excessive required resource
S3.GetBucketNotification deprecated
Action: ssm:GetCalendarState
Restype: document*
ARN style: arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}
StorageGateway.DescribeTapes could be missing tapes resource (and other SG Describes)
KinesisVideo.UntagStream / KinesisVideo.UntagResource
https://docs.aws.amazon.com/a4b/latest/APIReference/API_CreateUser.html (UserId)
AlexaForBusiness.DisassociateSkillFromUsers (resource user?)
Action: chime:CreateChannel
Restype: app-instance-user*
ARN style: arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/user/${AppInstanceUserId} [-]
RoboMaker inconsistent usage of ID / ARN in props
Restype: rule
ARN style: arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName} [-]
https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c [-]
Action: ds:DeleteTrust
Restype: directory*
ARN style: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
WAFRegional.Delete* mappings
ConfigService.PutConfigurationRecorder different casing to ConfigService.PutConfigurationAggregator
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet.html Wrong example
ARN updaters:
codedeploy:UpdateDeploymentGroup = both
opsworks:CloneStack = both
rds:ModifyDBCluster = both
rds:ModifyDBInstance = both
codecommit:UpdateRepositoryName = both
codedeploy:UpdateApplication = both
Action: forecast:CreatePredictor
Restype: datasetGroup*
ARN style: arn:${Partition}:forecast:${Region}:${Account}:dataset-group/${ResourceId} [-]
Restype: handshake*
ARN style: arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId} [-]
Restype: securitygroupingress-ec2securitygroup*
ARN style: arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId} [-]
Restype: snapshotschedule*
ARN style: arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName} [-]
Restype: backup*
ARN style: arn:${Partition}:cloudhsm:${Region}:${Account}:backup/${CloudHsmBackupInstanceName}
"StreamProcessorArn": "arn:aws:rekognition:us-west-2:123456789012:streamprocessor/my-stream-processpr",
Action: mgh:AssociateCreatedArtifact
Restype: migrationTask*
ARN style: arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}
Restype: Workflow*
ARN style: arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath}
WAFv2 CheckCapacity
"User: arn:aws:iam::123456789012:user/ian is not authorized to perform: lex:DescribeIntent on resource: arn:aws:lex:us-east-1:123456789012:bot/botId12345 with an explicit deny"
"User: arn:aws:iam::123456789012:user/ian is not authorized to perform: null" lexv2models botaliases
Arn: "arn:aws:opsworks:ap-southeast-2:123456789012:stack/71c82c0b-0cfb-47a7-89b9-4489145c063c/" <-- OpsWorks, actually true
SNS.CreateTopic needs iam:PassRole?
TODO: Ensure double %%many doesn't cause matrix confusion
Double+ dependant: [-]
codestar-connections:UpdateConnectionInstallation,codestar-connections:ListInstallationTargets,codestar-connections:GetIndividualAccessToken,codestar-connections:StartOAuthHandshake
codestar-connections:UpdateConnectionInstallation,codestar-connections:ListInstallationTargets,codestar-connections:GetIndividualAccessToken
codestar-connections:UpdateConnectionInstallation,codestar-connections:ListInstallationTargets,codestar-connections:StartOAuthHandshake
compute-optimizer:ExportAutoScalingGroupRecommendations,compute-optimizer:GetAutoScalingGroupRecommendations,autoscaling:DescribeAutoScalingGroups
compute-optimizer:ExportEC2InstanceRecommendations,compute-optimizer:GetEC2InstanceRecommendations,ec2:DescribeInstances
connect:GetFederationTokens,connect:DescribeInstance,ds:DescribeDirectories
connect:GetFederationTokens,connect:ListInstances,ds:DescribeDirectories
chime:ConnectDirectory,ds:ConnectDirectory,ec2:AuthorizeSecurityGroupEgress [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:AuthorizeSecurityGroupIngress [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:CreateNetworkInterface [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:CreateSecurityGroup [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:CreateTags [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:DescribeNetworkInterfaces [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:DescribeSubnets [x]
chime:ConnectDirectory,ds:ConnectDirectory,ec2:DescribeVpcs [x]
connect:CreateInstance,ds:CreateDirectory,ec2:AuthorizeSecurityGroupEgress [x]
connect:CreateInstance,ds:CreateDirectory,ec2:AuthorizeSecurityGroupIngress [x]
connect:CreateInstance,ds:CreateDirectory,ec2:CreateNetworkInterface [x]
connect:CreateInstance,ds:CreateDirectory,ec2:CreateSecurityGroup [x]
connect:CreateInstance,ds:CreateDirectory,ec2:CreateTags [x]
connect:CreateInstance,ds:CreateDirectory,ec2:DescribeNetworkInterfaces [x]
connect:CreateInstance,ds:CreateDirectory,ec2:DescribeSubnets [x]
connect:CreateInstance,ds:CreateDirectory,ec2:DescribeVpcs [x]
connect:CreateInstance,ds:DeleteDirectory,ec2:DeleteNetworkInterface [x]
connect:CreateInstance,ds:DeleteDirectory,ec2:DeleteSecurityGroup [x]
connect:CreateInstance,ds:DeleteDirectory,ec2:DescribeNetworkInterfaces [x]
connect:CreateInstance,ds:DeleteDirectory,ec2:RevokeSecurityGroupEgress [x]
connect:CreateInstance,ds:DeleteDirectory,ec2:RevokeSecurityGroupIngress [x]
mq:CreateBroker,ec2:CreateVpcEndpoint,route53:AssociateVPCWithHostedZone
mq:CreateBroker,ec2:CreateVpcEndpoint,route53:AssociateVPCWithHostedZone,ec2:DescribeVpcs
devops-guru:AddNotificationChannel,sns:SetTopicAttributes,iam:PassRole [x]
monitron:AssociateProjectAdminUser,sso:ListProfiles,sso:GetProfile
access analyzer changed ARN casing March 2021
RDS DataAPI has resource type defined and unused (cluster)
"arn:${Partition}:synthetics::${Account}:canary:${CanaryName}" to "arn:${Partition}:synthetics:${Region}:${Account}:canary:${CanaryName}"
Restype: recoveryPoint*
ARN style: arn:${Partition}:${Vendor}:${Region}:*:${ResourceType}:${RecoveryPointId}
phone-number-validate
mgh:StartTest
lookoutequipment ${AccountId}
ARN style: arn:${Partition}:ssm-contacts:${Region}:${Account}:page/${ContactAlias}/${pageId}
cloudfront:ListFunction(s)
An error occurred (AccessDeniedException) when calling the DeleteResourcePolicyStatement operation: User: arn:aws:iam::123456789012:user/nothing is not authorized to perform: null