cc @k-bailey
We have seen wildcards in account ID ARN field result in false positives for a resource being internet accessible when the resource is restricted to an AWS Org. In this case the roles contain wildcards but the resource itself is restricted to only roles belonging to the ORG
Example policy that shows as Internet Accessible when processed by Policy Universe :
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": [
"o-12345",
"o-67890"
]
},
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/ARole-*",
"arn:aws:iam::*:role/BRole-*",
"arn:aws:iam::*:role/CRole-*",
"arn:aws:iam::*:role/DRole",
"arn:aws:iam::*:role/ERole"
]
}
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Effect": "Allow",
"Principal": "*"
}
]
}
cc @k-bailey
We have seen wildcards in account ID ARN field result in false positives for a resource being internet accessible when the resource is restricted to an AWS Org. In this case the roles contain wildcards but the resource itself is restricted to only roles belonging to the ORG
Example policy that shows as Internet Accessible when processed by Policy Universe :
{ "Version": "2012-10-17", "Statement": [ { "Condition": { "StringEquals": { "aws:PrincipalOrgID": [ "o-12345", "o-67890" ] }, "StringLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/ARole-*", "arn:aws:iam::*:role/BRole-*", "arn:aws:iam::*:role/CRole-*", "arn:aws:iam::*:role/DRole", "arn:aws:iam::*:role/ERole" ] } }, "Action": "secretsmanager:GetSecretValue", "Resource": "*", "Effect": "Allow", "Principal": "*" } ] }