From 41a0e59c7320d80266e85da4b54e12e2cb6f0067 Mon Sep 17 00:00:00 2001
From: GitHubAction
Date: Fri, 12 Jul 2024 22:29:08 +0000
Subject: [PATCH] Automated file generation

---
 annotated.json | 68 +++++++++++++++++++++++--------------------
 annotated.yaml | 36 +++++++++++++++++++++++
 policies/ALL.json | 4 +++
 policies/PrivEsc.json | 4 +++
 4 files changed, 80 insertions(+), 32 deletions(-)

diff --git a/annotated.json b/annotated.json
index ff5bcab..a7a214a 100644
--- a/annotated.json
+++ b/annotated.json
@@ -1676,6 +1676,24 @@
 "ResourceExposure"
 ]
 },
+ "iam:DeleteRolePermissionsBoundary": {
+ "access_level": "Permissions management",
+ "description": "Grants permission to remove the permissions boundary from a role",
+ "service_name": "AWS Identity and Access Management (IAM)",
+ "risk_category": [
+ "PrivEsc",
+ "ResourceExposure"
+ ]
+ },
+ "iam:DeleteUserPermissionsBoundary": {
+ "access_level": "Permissions management",
+ "description": "Grants permission to remove the permissions boundary from the specified IAM user",
+ "service_name": "AWS Identity and Access Management (IAM)",
+ "risk_category": [
+ "PrivEsc",
+ "ResourceExposure"
+ ]
+ },
 "iam:EnableMFADevice": {
 "access_level": "Write",
 "description": "Grants permission to enable an MFA device and associate it with the specified IAM user",
@@ -1703,6 +1721,15 @@
 "ResourceExposure"
 ]
 },
+ "iam:PutRolePermissionsBoundary": {
+ "access_level": "Permissions management",
+ "description": "Grants permission to set a managed policy as a permissions boundary for a role",
+ "service_name": "AWS Identity and Access Management (IAM)",
+ "risk_category": [
+ "PrivEsc",
+ "ResourceExposure"
+ ]
+ },
 "iam:PutRolePolicy": {
 "access_level": "Permissions management",
 "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM role",
@@ -1712,6 +1739,15 @@
 "ResourceExposure"
 ]
 },
+ "iam:PutUserPermissionsBoundary": {
+ "access_level": "Permissions management",
+ "description": "Grants permission to set a managed policy as a permissions boundary for an IAM user",
+ "service_name": "AWS Identity and Access Management (IAM)",
+ "risk_category": [
+ "PrivEsc",
+ "ResourceExposure"
+ ]
+ },
 "iam:PutUserPolicy": {
 "access_level": "Permissions management",
 "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM user",
@@ -2429,14 +2465,6 @@
 "ResourceExposure"
 ]
 },
- "iam:DeleteRolePermissionsBoundary": {
- "access_level": "Permissions management",
- "description": "Grants permission to remove the permissions boundary from a role",
- "service_name": "AWS Identity and Access Management (IAM)",
- "risk_category": [
- "ResourceExposure"
- ]
- },
 "iam:DeleteRolePolicy": {
 "access_level": "Permissions management",
 "description": "Grants permission to delete the specified inline policy from the specified role",
@@ -2501,14 +2529,6 @@
 "ResourceExposure"
 ]
 },
- "iam:DeleteUserPermissionsBoundary": {
- "access_level": "Permissions management",
- "description": "Grants permission to remove the permissions boundary from the specified IAM user",
- "service_name": "AWS Identity and Access Management (IAM)",
- "risk_category": [
- "ResourceExposure"
- ]
- },
 "iam:DeleteUserPolicy": {
 "access_level": "Permissions management",
 "description": "Grants permission to delete the specified inline policy from an IAM user",
@@ -2549,22 +2569,6 @@
 "ResourceExposure"
 ]
 },
- "iam:PutRolePermissionsBoundary": {
- "access_level": "Permissions management",
- "description": "Grants permission to set a managed policy as a permissions boundary for a role",
- "service_name": "AWS Identity and Access Management (IAM)",
- "risk_category": [
- "ResourceExposure"
- ]
- },
- "iam:PutUserPermissionsBoundary": {
- "access_level": "Permissions management",
- "description": "Grants permission to set a managed policy as a permissions boundary for an IAM user",
- "service_name": "AWS Identity and Access Management (IAM)",
- "risk_category": [
- "ResourceExposure"
- ]
- },
 "iam:RemoveClientIDFromOpenIDConnectProvider": {
 "access_level": "Write",
 "description": "Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource",
diff --git a/annotated.yaml b/annotated.yaml
index 8f2476a..a2e58e4 100644
--- a/annotated.yaml
+++ b/annotated.yaml
@@ -1511,6 +1511,22 @@ PrivEsc:
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
+ - iam:DeleteRolePermissionsBoundary:
+ access_level: Permissions management
+ description: Grants permission to remove the permissions boundary from a role
+ risk_category:
+ - PrivEsc
+ - ResourceExposure
+ service_name: AWS Identity and Access Management (IAM)
+
+ - iam:DeleteUserPermissionsBoundary:
+ access_level: Permissions management
+ description: Grants permission to remove the permissions boundary from the specified IAM user
+ risk_category:
+ - PrivEsc
+ - ResourceExposure
+ service_name: AWS Identity and Access Management (IAM)
+
 - iam:EnableMFADevice:
 access_level: Write
 description: Grants permission to enable an MFA device and associate it with the specified IAM user
@@ -1535,6 +1551,14 @@ PrivEsc:
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
+ - iam:PutRolePermissionsBoundary:
+ access_level: Permissions management
+ description: Grants permission to set a managed policy as a permissions boundary for a role
+ risk_category:
+ - PrivEsc
+ - ResourceExposure
+ service_name: AWS Identity and Access Management (IAM)
+
 - iam:PutRolePolicy:
 access_level: Permissions management
 description: Grants permission to create or update an inline policy document that is embedded in the specified IAM role
@@ -1543,6 +1567,14 @@ PrivEsc:
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
+ - iam:PutUserPermissionsBoundary:
+ access_level: Permissions management
+ description: Grants permission to set a managed policy as a permissions boundary for an IAM user
+ risk_category:
+ - PrivEsc
+ - ResourceExposure
+ service_name: AWS Identity and Access Management (IAM)
+
 - iam:PutUserPolicy:
 access_level: Permissions management
 description: Grants permission to create or update an inline policy document that is embedded in the specified IAM user
@@ -2276,6 +2308,7 @@ ResourceExposure:
 access_level: Permissions management
 description: Grants permission to remove the permissions boundary from a role
 risk_category:
+ - PrivEsc
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
@@ -2339,6 +2372,7 @@ ResourceExposure:
 access_level: Permissions management
 description: Grants permission to remove the permissions boundary from the specified IAM user
 risk_category:
+ - PrivEsc
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
@@ -2405,6 +2439,7 @@ ResourceExposure:
 access_level: Permissions management
 description: Grants permission to set a managed policy as a permissions boundary for a role
 risk_category:
+ - PrivEsc
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
@@ -2420,6 +2455,7 @@ ResourceExposure:
 access_level: Permissions management
 description: Grants permission to set a managed policy as a permissions boundary for an IAM user
 risk_category:
+ - PrivEsc
 - ResourceExposure
 service_name: AWS Identity and Access Management (IAM)
 
diff --git a/policies/ALL.json b/policies/ALL.json
index feb15f4..c36f68d 100644
--- a/policies/ALL.json
+++ b/policies/ALL.json
@@ -18,10 +18,14 @@
 "iam:CreatePolicyVersion",
 "iam:CreateServiceLinkedRole",
 "iam:CreateVirtualMFADevice",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteUserPermissionsBoundary",
 "iam:EnableMFADevice",
 "iam:PassRole",
 "iam:PutGroupPolicy",
+ "iam:PutRolePermissionsBoundary",
 "iam:PutRolePolicy",
+ "iam:PutUserPermissionsBoundary",
 "iam:PutUserPolicy",
 "iam:ResyncMFADevice",
 "iam:SetDefaultPolicyVersion",
diff --git a/policies/PrivEsc.json b/policies/PrivEsc.json
index 606e0b9..88e813f 100644
--- a/policies/PrivEsc.json
+++ b/policies/PrivEsc.json
@@ -18,10 +18,14 @@
 "iam:CreatePolicyVersion",
 "iam:CreateServiceLinkedRole",
 "iam:CreateVirtualMFADevice",
+ "iam:DeleteRolePermissionsBoundary",
+ "iam:DeleteUserPermissionsBoundary",
 "iam:EnableMFADevice",
 "iam:PassRole",
 "iam:PutGroupPolicy",
+ "iam:PutRolePermissionsBoundary",
 "iam:PutRolePolicy",
+ "iam:PutUserPermissionsBoundary",
 "iam:PutUserPolicy",
 "iam:ResyncMFADevice",
 "iam:SetDefaultPolicyVersion",