Hi, first of all, I need to say this project is awesome! I've always wondered how to solve writing least privilege policies until I met iamlive. Thanks for writing this useful tool.
I've been working in many scenarios tracking policies within AWS while running Terraform. All actions are correctly tracked, but when I've assumed a role with the generated policy, I've always got errors when trying to tag objects. No matter which object is tagged, these actions seem not to be tracked. For example, creating a role with Terraform using this resource:
```hcl
resource "aws_iam_role" "xxxxxx" {
  name = "SomeRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {.... },
    ]
  })
  tags = {
    Name = "SomeRoleTag"
  }
}
```
When run with Terraform, the iam:TagRole action is not tracked.
Thanks in advance
This is certainly a dataset issue, specifically that the tagging permission is conditional on the presence of fields, which need some pretty detailed analysis that's not yet done. I've defined the structure for this but am yet to write up the full mappings.
It's coming, but fair warning it'll take some time. You'll unfortunately need to tweak your output policy manually in the interim.
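Until the mapping data lands, the manual tweak described above can be scripted. The following is an added example (not iamlive's code and not the maintainer's planned structure): it takes an iamlive-style output policy plus a list of observed API calls and appends the tagging action that AWS requires when a create call carries a tag field. The `CONDITIONAL_ACTIONS` table and the shape of the observed-call records are assumptions for this illustration; the `iam:CreateRole` with `Tags` -> `iam:TagRole` entry is the case from this issue, the other entries should be checked against the service documentation before relying on them. The sample policy and call are constructed, not captured.

```python
"""Post-process an iamlive-style policy: add tagging actions that AWS
requires when a "create" call carries tag fields.

Added example, not iamlive's code. CONDITIONAL_ACTIONS and the observed-call
record shape are assumptions for illustration; verify entries other than
iam:CreateRole -> iam:TagRole against the AWS service documentation.
"""
import copy
import json

# (service, api_action) -> list of (request_field, extra_iam_action).
# The extra action is needed only when the request actually carries the field.
CONDITIONAL_ACTIONS = {
    ("iam", "CreateRole"): [("Tags", "iam:TagRole")],          # case from this issue
    ("iam", "CreateUser"): [("Tags", "iam:TagUser")],          # assumption, verify
    ("iam", "CreatePolicy"): [("Tags", "iam:TagPolicy")],      # assumption, verify
    ("ec2", "RunInstances"): [("TagSpecifications", "ec2:CreateTags")],  # assumption, verify
}


def required_actions(call):
    """Return the set of IAM actions one observed API call needs.

    `call` is a dict like {"service": "iam", "action": "CreateRole",
    "params": {...}}; this record shape is constructed for the example and is
    not iamlive's internal format.
    """
    base = f"{call['service']}:{call['action']}"
    needed = {base}
    params = call.get("params") or {}
    for field, extra in CONDITIONAL_ACTIONS.get((call["service"], call["action"]), []):
        # An empty list/dict counts as absent: no tags sent, no tagging permission needed.
        if params.get(field):
            needed.add(extra)
    return needed


def augment_policy(policy, calls):
    """Return a copy of `policy` whose first Allow statement also lists the
    conditional actions derived from `calls`. Existing actions are preserved,
    the input policy is not modified."""
    new_policy = copy.deepcopy(policy)
    allow = next((s for s in new_policy["Statement"] if s.get("Effect") == "Allow"), None)
    if allow is None:
        allow = {"Effect": "Allow", "Action": [], "Resource": "*"}
        new_policy["Statement"].append(allow)
    actions = allow.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    present = set(actions)
    for call in calls:
        for action in required_actions(call):
            if action not in present:
                present.add(action)
                actions.append(action)
    allow["Action"] = sorted(actions)
    return new_policy


# Constructed sample: what iamlive emits for the Terraform run in this issue
# (only iam:CreateRole is captured; the tagging permission is missing).
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:CreateRole"], "Resource": "*"}],
}

# Constructed sample: the call Terraform made, with the Tags field present.
OBSERVED_CALLS = [
    {
        "service": "iam",
        "action": "CreateRole",
        "params": {
            "RoleName": "SomeRole",
            "Tags": [{"Key": "Name", "Value": "SomeRoleTag"}],
        },
    },
]

if __name__ == "__main__":
    print(json.dumps(augment_policy(GENERATED_POLICY, OBSERVED_CALLS), indent=2))
```

Running it prints the same policy with `iam:TagRole` added next to `iam:CreateRole`. Because the check is on the presence of the request field rather than on the action name alone, a `CreateRole` without tags stays at `iam:CreateRole` only, which is the least-privilege behaviour the tool is aiming for.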