Updated Principal regex to be more precise

geolaw · Jul 14, 2021 · 426fb9f · 426fb9f
1 parent bd59b48
commit 426fb9f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/find_bad_policy_principals.py b/find_bad_policy_principals.py
@@ -56,7 +56,7 @@ def test_user(access_key,secret_key):
                 log_output("DEBUG: Policy {0:s}".format(json.dumps(mypolicy)))
 
             for st in mypolicy["Statement"]:
-                if not re.match('^arn:aws:iam:.*:.*:user\/.*$',st["Principal"]["AWS"]):
+                if not re.match('^arn:aws:iam:[^:]*:[^:]*:user\/[^:]*$',st["Principal"]["AWS"]):
                     log_output("Bad policy principal detected on bucket {0:s}: {1:s}".format(bucket.name,json.dumps(st)))
                     badpolicy+=1
                 else: