
> the AWS policy execution has a number of “operators” and “operands”

That is correct.

The IAM condition language is flexible and does not prevent you from doing strange things.



It’s a consequence of weak typing choices - not an inevitable result of allowing flexibility.

Doing glob matching on account IDs is like doing concatenation with guids, applying a bitshift to a UTF8 string, or running a regex on an integer. It is a nonsensical operation, and - as shown here - results in surprising security properties of the resulting system.

Surprising security properties are an undesirable result in an access control policy language.


They have ARNs which include the account, for which a glob match is useful. Something like "arn:aws:*:*:1234567890:*" is useful but "arn:aws:*:*:1234567*:*" isn't
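As an added illustration (not from the thread or from AWS), the script below reimplements IAM-style glob matching (`*` = any run of characters, `?` = one character, anchored over the whole string, which is how the Resource element and StringLike conditions evaluate patterns) and uses it to show the difference between the two patterns discussed above: an exact account segment pins the policy to one account, while a partial wildcard in the account segment silently matches every account sharing that digit prefix. The account IDs and ARNs are constructed sample values; `account_scope` is a hypothetical lint check, not an AWS API.

```python
import re

# Translate an IAM-style glob into an anchored regular expression.
# "*" matches any run of characters (including across ":" segments), "?" one character.
def iam_glob_to_regex(pattern: str) -> re.Pattern:
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def iam_glob_match(pattern: str, value: str) -> bool:
    """True if the IAM glob `pattern` matches the full string `value`."""
    return iam_glob_to_regex(pattern).match(value) is not None


def arn_account_segment(arn: str):
    """Return the account-id segment of arn:partition:service:region:account:resource.
    The resource part may itself contain ':', so split into at most six fields."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return None
    return parts[4]


def account_scope(arn_pattern: str) -> str:
    """Hypothetical lint check: classify how the account segment of an ARN pattern
    constrains the account. "partial" is the surprising case from the thread."""
    seg = arn_account_segment(arn_pattern)
    if seg is None:
        return "invalid"
    if seg == "":
        return "none"      # e.g. S3 ARNs carry no account id
    if seg == "*":
        return "any"
    if "*" in seg or "?" in seg:
        return "partial"   # glob over digits: matches any account with that prefix/shape
    return "exact"


# Constructed sample ARNs: two accounts that share the prefix 1234567, one that does not.
SAMPLE_ARNS = [
    "arn:aws:iam::123456789012:role/Deploy",
    "arn:aws:iam::123456789999:role/Deploy",
    "arn:aws:iam::999999999999:role/Deploy",
    "arn:aws:sqs:us-east-1:123456789012:orders",
]


def matching_accounts(arn_pattern: str, candidate_arns) -> list:
    """Sorted, de-duplicated account ids whose ARNs the pattern would match."""
    return sorted({arn_account_segment(a) for a in candidate_arns
                   if iam_glob_match(arn_pattern, a)})


if __name__ == "__main__":
    for pat in ("arn:aws:*:*:123456789012:*", "arn:aws:*:*:1234567*:*"):
        print(pat, "->", account_scope(pat), matching_accounts(pat, SAMPLE_ARNS))
```

Running it shows the exact pattern resolving to a single account and the partial one resolving to both prefix-sharing accounts; a policy linter would flag the "partial" classification before deployment.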


Of course it's possible to create a more sophisticated system with less possibility for user error.



