
iam: PolicyStatement NotAction method #964

Closed
Stephen-Meyerhofer opened this issue Oct 18, 2018 · 3 comments
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), feature-request (A feature should be added or improved.)

Comments

@Stephen-Meyerhofer

There is an AddAction method on a PolicyStatement object, but no AddNotAction method.

@Stephen-Meyerhofer Stephen-Meyerhofer changed the title Support PolicyStatement NotAction method iam: PolicyStatement NotAction method Oct 18, 2018
@rix0rrr rix0rrr added the feature-request A feature should be added or improved. label Nov 6, 2018
@debora-ito debora-ito added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Nov 7, 2018
@alex-berger
Contributor

Actually, all the Not* pendants are currently missing, including:

  • NotAction
  • NotResource
  • NotPrincipal

It would be great if CDK could support all the IAM policy statement features.

@kevinslin

+1

@Sparkboxx

I found a workaround (if not to say a hack). By overwriting the `.toStatementJson` function on a `PolicyStatement` you can effectively shortcut the rendering. I tested it for the `NotAction` case, but I would expect it to work for the `NotResource` and `NotPrincipal` cases as well.

```typescript
// Imports assumed for the CDK version current at the time of this thread.
import * as iam from '@aws-cdk/aws-iam';
import { PolicyStatement } from '@aws-cdk/aws-iam';

const statements: PolicyStatement[] = [];

// Replace the per-statement renderer so this statement serialises with a
// NotAction element, which PolicyStatement itself cannot produce.
const sDenyAllExceptListedIfNoMFA = new PolicyStatement();
sDenyAllExceptListedIfNoMFA.toStatementJson = function () {
  return {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  };
};
statements.push(sDenyAllExceptListedIfNoMFA);

new iam.Policy(this, 'ForceMFAPolicy', {
  policyName: "Force_MFA",
  statements: statements,
});
```

This produces the right CloudFormation YAML on `cdk synth`:

```yaml
- Sid: DenyAllExceptListedIfNoMFA
  Effect: Deny
  NotAction:
    - iam:CreateVirtualMFADevice
    - iam:EnableMFADevice
    - iam:GetUser
    - iam:ListMFADevices
    - iam:ListVirtualMFADevices
    - iam:ResyncMFADevice
    - sts:GetSessionToken
  Resource: "*"
  Condition:
    BoolIfExists:
      aws:MultiFactorAuthPresent: "false"
```
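An added example, not code from the aws-cdk project or from anyone in this thread: a minimal renderer for IAM statements that knows about the `NotAction`/`NotResource` elements, plus a small evaluator for the statement above, so the effect of `Deny` + `NotAction` + `BoolIfExists` can be checked before anything is deployed. The `StatementSpec` type, the function names and the Bool-only condition support are this example's own assumptions; the statement values are the ones from the workaround.

```typescript
// Added example (not aws-cdk code): render IAM statements with Not* elements and
// evaluate whether a Deny/NotAction/BoolIfExists statement applies to a request.

type Effect = "Allow" | "Deny";
type ConditionBlock = Record<string, Record<string, string>>; // values as IAM strings
type RequestContext = Record<string, string | undefined>;    // missing key = not present

interface StatementSpec {
  sid?: string;
  effect: Effect;
  actions?: string[];
  notActions?: string[];
  resources?: string[];
  notResources?: string[];
  conditions?: ConditionBlock;
}

function oneOrMany(list: string[]): string | string[] {
  return list.length === 1 ? list[0]! : [...list];
}

// Render to the JSON shape IAM accepts. IAM requires exactly one of Action/NotAction
// and exactly one of Resource/NotResource, so a spec with both or neither is rejected.
function renderStatement(spec: StatementSpec): Record<string, unknown> {
  const actions = spec.actions ?? [], notActions = spec.notActions ?? [];
  const resources = spec.resources ?? [], notResources = spec.notResources ?? [];
  if ((actions.length > 0) === (notActions.length > 0)) throw new Error("exactly one of actions / notActions");
  if ((resources.length > 0) === (notResources.length > 0)) throw new Error("exactly one of resources / notResources");
  const out: Record<string, unknown> = {};
  if (spec.sid) out.Sid = spec.sid;
  out.Effect = spec.effect;
  if (actions.length > 0) out.Action = oneOrMany(actions);
  else out.NotAction = oneOrMany(notActions);
  if (resources.length > 0) out.Resource = oneOrMany(resources);
  else out.NotResource = oneOrMany(notResources);
  if (spec.conditions && Object.keys(spec.conditions).length > 0) out.Condition = spec.conditions;
  return out;
}

// IAM-style "*" wildcard matching; action names compare case-insensitively, ARNs do not.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.split("*").map(p => p.replace(/[.+?^${}()|\[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$", ignoreCase ? "i" : "").test(value);
}

// Only Bool and BoolIfExists are implemented (what the MFA pattern needs). The IfExists
// variant treats an absent key as satisfied, so a request that carries no
// aws:MultiFactorAuthPresent key at all still matches the condition.
function conditionHolds(conditions: ConditionBlock | undefined, ctx: RequestContext): boolean {
  if (!conditions) return true;
  for (const [operator, pairs] of Object.entries(conditions)) {
    const ifExists = operator.endsWith("IfExists");
    const base = ifExists ? operator.slice(0, -"IfExists".length) : operator;
    if (base !== "Bool") throw new Error(`unsupported condition operator: ${operator}`);
    for (const [key, expected] of Object.entries(pairs)) {
      const actual = ctx[key];
      if (actual === undefined) { if (ifExists) continue; return false; }
      if (actual.toLowerCase() !== expected.toLowerCase()) return false;
    }
  }
  return true;
}

// Does the statement apply to this request? With NotAction the statement covers every
// action NOT in the list, which is what makes Deny + NotAction a "deny all except".
function statementApplies(spec: StatementSpec, action: string, resource: string, ctx: RequestContext): boolean {
  const actions = spec.actions ?? [];
  const resources = spec.resources ?? [];
  const actionMatch = actions.length > 0
    ? actions.some(p => wildcardMatch(p, action, true))
    : !(spec.notActions ?? []).some(p => wildcardMatch(p, action, true));
  const resourceMatch = resources.length > 0
    ? resources.some(p => wildcardMatch(p, resource, false))
    : !(spec.notResources ?? []).some(p => wildcardMatch(p, resource, false));
  return actionMatch && resourceMatch && conditionHolds(spec.conditions, ctx);
}

// The statement from the workaround above, expressed through the spec type.
const denyAllExceptListedIfNoMfa: StatementSpec = {
  sid: "DenyAllExceptListedIfNoMFA",
  effect: "Deny",
  notActions: [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
    "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken",
  ],
  resources: ["*"],
  conditions: { BoolIfExists: { "aws:MultiFactorAuthPresent": "false" } },
};

console.log(JSON.stringify(renderStatement(denyAllExceptListedIfNoMfa), null, 2));
// A request with no MFA context key is caught by the Deny; one with MFA present is not.
console.log(statementApplies(denyAllExceptListedIfNoMfa, "s3:ListAllMyBuckets", "*", {}));
console.log(statementApplies(denyAllExceptListedIfNoMfa, "s3:ListAllMyBuckets", "*", { "aws:MultiFactorAuthPresent": "true" }));
```

The evaluator only models a single statement; a real authorization decision also considers every other statement in scope, with an explicit Deny winning over any Allow. It is enough, though, to confirm the two properties this statement relies on: the listed MFA-setup actions stay outside the Deny, and the `IfExists` operator keeps the Deny in force when the MFA key is absent rather than silently letting such requests through.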

statik added a commit to kindlyops/aws-cdk that referenced this issue Aug 15, 2019
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
mergify bot pushed a commit that referenced this issue Aug 16, 2019
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
@rix0rrr rix0rrr closed this as completed Aug 30, 2019