False Positives with Deny Actions in IAM Policy

[marcsantamaria-sky]

There can be false positives in CFRipper when an IAM policy has specific Actions with Deny Effect.

The issue seems to be caused because in "policy_document.py" the Denys are not taken into account.

The function "allowed_actions_with" is not excluding actions that have a Deny Effect.

pycfmodel/pycfmodel/model/resources/properties/policy_document.py

Lines 54 to 68 in 6a8f3d1

	def allowed_actions_with(self, pattern: Pattern) -> List[Statement]:
	"""
	Finds all statements which have at least one action with the pattern.
	Arguments:
	pattern: Pattern to match.
	Returns:
	List of [statements][pycfmodel.model.resources.properties.statement.Statement].
	"""
	return [
	statement
	for statement in self._statement_as_list()
	if statement.actions_with(pattern) and self._is_statement_effect_allow(statement.Effect)
	]

[jsoucheiron]

It should be possible to improve this to remove actions when there are equivalent deny statements with the same target resource(s)