
Comment by lijok

2 years ago

How are you dealing with invalid policies generated by GPT? For example, in your Loom video and the GIF on the website, the resource for the s3:PutObject permission is incorrect: it should be "arn:aws:s3:::my_bucket_2/*", not "arn:aws:s3:::my_bucket_2".

Does this support resource policies? If so, how are you ensuring serious security vulnerabilities such as confused deputy are not introduced by this tool?

That's a very good example of the type of hallucinations that can happen; we still need to develop a way to double-check that the generated policies are indeed valid, and hopefully find a way to simulate them.

As it stands, Slauth doesn't support resource-based policies.

Good catch on the bucket vs object level permissions with S3 and s3:PutObject.

I'd also be curious about future plans for resource policies, as that's another layer of complexity to manage: a resource policy manages access for potentially many applications -> 1 resource, vs. 1 application -> many resources, which I think is the use case Slauth is solving for initially.

Confused Deputy would be interesting, could be done via Condition Keys such as SourceArn and SourceAccount, but gets complex for cross-account use cases.
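Two static checks for the issues raised in this thread, as an added example in Python that is not Slauth's code and not from any commenter: the first flags object-level S3 actions such as s3:PutObject whose Resource is a bucket ARN rather than `bucket/*` or `bucket/key`; the second flags Allow statements in a resource-based policy that grant an AWS service principal access without an aws:SourceArn or aws:SourceAccount condition, and shows the pinned form. The S3 action lists are a hand-picked subset, and the sample identity policy, topic policy, topic ARN and account ID are constructed for illustration.

```python
"""Offline lints for two generated-policy mistakes (added example, not Slauth code)."""
import copy
import json
import re

# Assumption: a small hand-picked subset of S3 actions; extend as needed.
OBJECT_LEVEL_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                        "s3:PutObjectAcl", "s3:GetObjectAcl", "s3:GetObjectTagging"}
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation",
                        "s3:GetBucketPolicy", "s3:PutBucketPolicy"}

BUCKET_ARN = re.compile(r"^arn:aws:s3:::[^/]+$")      # arn:aws:s3:::bucket
OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/]+/.+$")   # arn:aws:s3:::bucket/key or bucket/*
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}  # condition key names are case-insensitive


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_s3_resource_granularity(policy):
    """Return (Sid, action, resource, message) for every S3 action/resource pair whose
    ARN granularity does not match the action. '*' resources and wildcard actions pass."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                if action in OBJECT_LEVEL_ACTIONS and BUCKET_ARN.match(resource):
                    findings.append((sid, action, resource,
                                     f"object-level action on a bucket ARN; use {resource}/*"))
                elif action in BUCKET_LEVEL_ACTIONS and OBJECT_ARN.match(resource):
                    bucket = resource.split("/", 1)[0]
                    findings.append((sid, action, resource,
                                     f"bucket-level action on an object ARN; use {bucket}"))
    return findings


def _unpinned_service_grant(stmt):
    """True for an Allow to an AWS service principal with no source ARN/account condition."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    if "Service" not in principal:
        return False
    present = {key.lower()
               for operand in (stmt.get("Condition") or {}).values()
               for key in operand}
    return not (present & SOURCE_KEYS)


def lint_service_principal_conditions(policy):
    """Return the Sids of statements that are confused-deputy candidates."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement")) if _unpinned_service_grant(stmt)]


def pin_service_principal(policy, source_arn, source_account):
    """Return a copy of a resource policy with every unpinned service grant restricted to
    one calling resource (aws:SourceArn) owned by one account (aws:SourceAccount)."""
    hardened = copy.deepcopy(policy)
    for stmt in _as_list(hardened.get("Statement")):
        if _unpinned_service_grant(stmt):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("ArnLike", {})["aws:SourceArn"] = source_arn
            cond.setdefault("StringEquals", {})["aws:SourceAccount"] = source_account
    return hardened


# Constructed sample: the thread's example, PutObject granted on the bucket ARN.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "WriteObjects", "Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:ListBucket"],
                   "Resource": "arn:aws:s3:::my_bucket_2"}],
}

# Constructed sample: an SNS topic policy that lets S3 publish with no source pin, so a
# bucket in any account could be configured to send notifications to this topic.
TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowS3Publish", "Effect": "Allow",
                   "Principal": {"Service": "s3.amazonaws.com"},
                   "Action": "SNS:Publish",
                   "Resource": "arn:aws:sns:us-east-1:111122223333:bucket-events"}],
}

if __name__ == "__main__":
    for finding in lint_s3_resource_granularity(IDENTITY_POLICY):
        print("S3 granularity:", finding)
    print("unpinned service grants:", lint_service_principal_conditions(TOPIC_POLICY))
    fixed = pin_service_principal(TOPIC_POLICY, "arn:aws:s3:::my_bucket_2", "111122223333")
    print(json.dumps(fixed["Statement"][0]["Condition"], indent=2))
    print("after pinning:", lint_service_principal_conditions(fixed))
```

Both checks are purely syntactic and catch only the two patterns discussed here; they do not replace evaluating a candidate policy against real requests, for example with `aws iam simulate-custom-policy`. The pinned form is the standard AWS mitigation for a service principal acting as a deputy, and, as the comment above notes, cross-account setups need the SourceArn/SourceAccount values to be chosen per caller rather than hard-coded.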