fix(iam): getDeniedActions returns false deny with organization SCP (#3106)

deuscapturus · web-flow · commit beb42c354a29 · 2023-01-19T14:03:32.000-08:00
## Problem
Some Organization SCP policies cannot be property evaluated by SimulatePrincipalPolicy and result in false negative results. It is best to ignore actions denied from Organization during SimulatePrincipalPolicy.

It is a known problem that some organization SCP policies cannot be simulated correctly by SimulatePrincipalPolicy. This results in permission errors when no permission errors exist.

[ERROR]: aws.ecs.openTaskInTerminal: Error: Insufficient permissions to execute command. Configure a task role as described in the documentation. [MissingPermissions] (deniedActions: ssmmessages:CreateControlChannel,ssmmessages:CreateDataChannel,ssmmessages:OpenControlChannel,ssmmessages:OpenDataChannel)

## Solution
Ignore denial from Organizations.
diff --git a/.changes/next-release/Bug Fix-3e26f9c4-6479-4c79-8849-400914f3da90.json b/.changes/next-release/Bug Fix-3e26f9c4-6479-4c79-8849-400914f3da90.json
@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "iamClient ignore permission check when denial comes from organization csp policy"
+}
diff --git a/src/shared/clients/iamClient.ts b/src/shared/clients/iamClient.ts
@@ -58,7 +58,10 @@ export class DefaultIamClient {
             throw new Error('No evaluation results found')
         }
 
-        return permissionResponse.EvaluationResults.filter(r => r.EvalDecision !== 'allowed')
+        // Ignore deny from Organization SCP.  These can result in false negatives.
+        // See https://github.com/aws/aws-sdk/issues/102
+        return permissionResponse.EvaluationResults.filter(r => r.EvalDecision !== 'allowed' && r.OrganizationsDecisionDetail?.AllowedByOrganizations !== false)
+
     }
 
     private async createSdkClient(): Promise<IAM> {
diff --git a/src/test/shared/clients/iamClient.test.ts b/src/test/shared/clients/iamClient.test.ts
@@ -21,6 +21,13 @@ describe('iamClient', function () {
         const incorrectPermissionsResponse = {
             EvaluationResults: [{ EvalActionName: 'example:permission', EvalDecision: 'denied' }],
         }
+        const organizationsDenyPermissionsResponse = {
+            EvaluationResults: [{
+                EvalActionName: 'example:permission',
+                EvalDecision: 'implicitDeny',
+                OrganizationsDecisionDetail: { "AllowedByOrganizations": false },
+            }],
+        }
 
         afterEach(function () {
             sinon.restore()
@@ -38,5 +45,10 @@ describe('iamClient', function () {
             sinon.stub(iamClient, 'simulatePrincipalPolicy').resolves(correctPermissionsResponse)
             assert.deepStrictEqual(await iamClient.getDeniedActions(request), [])
         })
+
+        it('does not return possibly false organizational implicitDeny', async function () {
+            sinon.stub(iamClient, 'simulatePrincipalPolicy').resolves(organizationsDenyPermissionsResponse)
+            assert.deepStrictEqual(await iamClient.getDeniedActions(request), [])
+        })
     })
 })

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +	"type": "Bug Fix",
 +	"description": "iamClient ignore permission check when denial comes from organization csp policy"
 +}
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,10 @@ export class DefaultIamClient {`
`58`	`58`	`throw new Error('No evaluation results found')`
`59`	`59`	`}`
`60`	`60`
`61`		`- return permissionResponse.EvaluationResults.filter(r => r.EvalDecision !== 'allowed')`
	`61`	`+ // Ignore deny from Organization SCP. These can result in false negatives.`
	`62`	`+ // See https://github.com/aws/aws-sdk/issues/102`
	`63`	`+ return permissionResponse.EvaluationResults.filter(r => r.EvalDecision !== 'allowed' && r.OrganizationsDecisionDetail?.AllowedByOrganizations !== false)`
	`64`	`+`
`62`	`65`	`}`
`63`	`66`
`64`	`67`	`private async createSdkClient(): Promise<IAM> {`