SkyScalpel: Obfuscate, de-obfuscate and detect obfuscated JSON based IAM policies
JSON-based IAM policies in cloud environments, particularly in AWS, dictate what resources users and systems can access and the actions they can perform. However, these policies can be susceptible to obfuscation—a technique where bad actors manipulate the policy’s syntax and semantics to hide their true intentions. This makes it difficult for security teams to detect and prevent unauthorized access effectively.
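The two tricks the paragraph alludes to are easy to show concretely: IAM parses the policy as JSON, so a key written as `"\u0041ction"` is still `Action`, and IAM matches action names case-insensitively, so `s3:gEtObJeCt` is `s3:GetObject`. A detection rule that greps the raw policy text for `"Action"` or `s3:GetObject` misses both. The script below is an added example (not SkyScalpel's code, which is a separate PowerShell project): it flags the indicators in the raw text, then normalises both policies into a canonical form and shows they grant the same permissions. The sample policies and the tiny action table are constructed for the example.

```python
import json
import re

# Constructed: a tiny stand-in for the AWS action table, keyed by lowercase
# name. IAM matches action names case-insensitively, so "s3:gEtObJeCt" grants
# the same permission as "s3:GetObject".
KNOWN_ACTIONS = {a.lower(): a for a in (
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "iam:PassRole",
)}

# Constructed samples: the same policy written plainly and in obfuscated form
# (unicode-escaped key, scrambled action case, padded whitespace), plus one
# that hides the exact actions behind a wildcard.
PLAIN = r'{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::corp-data/*"}]}'
OBFUSCATED = r'{"Version":"2012-10-17","Statement":[{"Effect":"Allow","\u0041ct\u0069on":  [ "s3:gEtObJeCt"  ,"s3:pUTobJECT"],"Resource":"arn:aws:s3:::corp-data/*"}]}'
WILDCARDED = r'{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:Get*","Resource":"*"}]}'

UNICODE_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})')


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement"))


def find_obfuscation_indicators(raw):
    """Return the sorted list of indicator names found in the raw policy text."""
    found = set()
    # \uXXXX escapes for printable ASCII are valid JSON but never needed; their
    # only effect is to hide keys such as "Action" from text-based rules.
    if any(0x20 <= int(h, 16) < 0x7F for h in UNICODE_ESCAPE.findall(raw)):
        found.add("unnecessary-unicode-escape")
    for stmt in _statements(json.loads(raw)):
        for key in ("Action", "NotAction"):
            for act in _as_list(stmt.get(key)):
                canon = KNOWN_ACTIONS.get(act.lower())
                if canon is not None and canon != act:
                    found.add("non-canonical-action-case")
                if "*" in act or "?" in act:
                    found.add("wildcard-action")
    return sorted(found)


def normalize_policy(raw):
    """Canonical form for comparison. json.loads already decodes \\u escapes and
    drops insignificant whitespace; we also fix action case and sort lists."""
    doc = json.loads(raw)
    stmts = []
    for stmt in _statements(doc):
        s = dict(stmt)
        for key in ("Action", "NotAction", "Resource", "NotResource"):
            if key in s:
                vals = [KNOWN_ACTIONS.get(v.lower(), v) if "Action" in key else v
                        for v in _as_list(s[key])]
                s[key] = sorted(vals)
        stmts.append(s)
    doc["Statement"] = sorted(stmts, key=lambda s: json.dumps(s, sort_keys=True))
    return doc


def same_policy(a, b):
    """True when two policy documents are identical after normalisation."""
    return normalize_policy(a) == normalize_policy(b)


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("wildcarded", WILDCARDED)):
        print(name, find_obfuscation_indicators(raw))
    print("plain == obfuscated:", same_policy(PLAIN, OBFUSCATED))
```

Compare on the normalised form, not the raw text: the wildcard case cannot be normalised without the full AWS action table, so it is reported as an indicator rather than expanded.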
https://github.com/salesforce/policy_sentry
Policy Sentry's flagship feature is that it can create IAM policies based on resource ARNs and access levels. Its CRUD functionality takes the opinionated approach that IaC developers shouldn't have to understand the complexities of AWS IAM; the tool should abstract that complexity for them. In fact, developers should just be able to name an ARN and the access level they need, for example:
- arn:aws:s3:::example-org-sbx-vmimport
- arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret
- arn:aws:ssm:us-east-1:123456789012:parameter/test
...and the automation should create policies that grant exactly those access levels on those ARNs.
How does it accomplish this? Policy Sentry uses the AWS "Actions, resources, and condition keys" documentation, which lists every IAM action together with its access level (Read, Write, List, Tagging or Permissions management) and the ARN format of the resource type it applies to. Given an ARN and an access level, it matches the ARN against those resource-type formats, collects the actions at that access level, and emits a policy scoped to that ARN.