[codex] Calibrate conditioned account-root trust reachability#76
Merged
Summary: Implements the admin_reachability conditioned account-root trust clean-witness calibration from the design note. A trust edge is clean only when account-root trust is narrowed by aws:PrincipalArn to the exact source IAM role ARN or exact assumed-role pattern, with only supported PrincipalArn and ExternalId conditions and no wildcard principal or unresolved blocking trust condition. Keeps broad role wildcards, broad assumed-role wildcards, ExternalId-only trust, different-role PrincipalArn, unsupported conditions, wildcard principal, and cross-account unknown org membership conservative.

Tests: adds focused admin_reachability regressions for exact role, exact assumed-role pattern, ExternalId-only, broad wildcards, different role, unsupported condition, wildcard principal, SCP blocker, and real-pilot-shaped sources.

Replay: frozen real-pilot replay produced 18 findings, verdicts all validated; patterns 15 cross_account_trust and 3 admin_reachability; all 3 admin_reachability findings validated with clean-witness check PASS.

Validation: affected tests 168 passed; scripts/check.sh passed; scripts/test_fast.sh 2069 passed; git diff --check passed; account and ARN hygiene scans clean; Terraform/raw artifact scan clean.
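The clean-witness rule in the summary above, as an added stand-alone example (this is illustrative code written for this page, not the project's admin_reachability implementation). It classifies a single trust-policy statement as clean or conservative using the rules the PR text states: account-root principal, only aws:PrincipalArn and sts:ExternalId conditions, and aws:PrincipalArn narrowed to the exact source role ARN or the exact assumed-role pattern. The set of operators accepted for aws:PrincipalArn, the SOURCE_ROLE ARN, and all sample statements are assumptions constructed for the example; the SCP-blocker and org-membership cases from the PR are out of scope for a per-statement check and are not modelled.

```python
"""Added example: classify one IAM trust-policy statement as clean or conservative.

Clean means account-root trust narrowed by aws:PrincipalArn to the exact source
role ARN or its exact assumed-role pattern, with no other condition keys except
sts:ExternalId and no wildcard principal. Everything else is conservative.
"""
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
# Assumption: operators under which '*' in an aws:PrincipalArn value is a wildcard.
# Under StringEquals the '*' is a literal character and matches no real session ARN.
WILDCARD_OPERATORS = {"stringlike", "arnlike", "arnequals"}
PRINCIPAL_ARN_OPERATORS = WILDCARD_OPERATORS | {"stringequals"}


def _as_list(value):
    """Normalise IAM's scalar-or-list JSON fields to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def expected_matchers(source_role_arn):
    """Return (account_id, exact role ARN, exact assumed-role pattern) for the source role."""
    m = ROLE_ARN_RE.match(source_role_arn)
    if not m or "*" in source_role_arn:
        raise ValueError(f"not a concrete IAM role ARN: {source_role_arn}")
    account, path_and_name = m.groups()
    role_name = path_and_name.rsplit("/", 1)[-1]  # session ARNs omit the role path
    return account, source_role_arn, f"arn:aws:sts::{account}:assumed-role/{role_name}/*"


def classify_trust_statement(statement, source_role_arn):
    """Return ('clean', reason) or ('conservative', reason) for one statement."""
    account, exact_role, exact_session = expected_matchers(source_role_arn)
    if statement.get("Effect") != "Allow":
        return "conservative", "not an Allow statement"

    principal = statement.get("Principal")
    if isinstance(principal, dict):
        aws_principals = _as_list(principal.get("AWS"))
    else:
        aws_principals = _as_list(principal)
    if principal == "*" or "*" in aws_principals:
        return "conservative", "wildcard principal"
    if isinstance(principal, dict) and set(principal) != {"AWS"}:
        return "conservative", "non-AWS principal type"
    root_forms = {account, f"arn:aws:iam::{account}:root"}
    if not aws_principals or any(p not in root_forms for p in aws_principals):
        return "conservative", "principal is not the source account root"

    principal_arn_values = []
    for operator, pairs in statement.get("Condition", {}).items():
        op = operator.lower()
        for key, values in pairs.items():
            k = key.lower()
            if k == "sts:externalid" and op == "stringequals":
                continue  # ExternalId says nothing about *which* principal may assume
            if k == "aws:principalarn" and op in PRINCIPAL_ARN_OPERATORS:
                for v in _as_list(values):
                    if "*" in v and op not in WILDCARD_OPERATORS:
                        return "conservative", f"'*' is literal under {operator}; matches no session ARN"
                    principal_arn_values.append(v)
                continue
            return "conservative", f"unsupported condition {operator}/{key}"

    if not principal_arn_values:
        return "conservative", "account-root trust without aws:PrincipalArn (ExternalId-only or unconditioned)"
    for v in principal_arn_values:  # every OR'd value must be one of the two exact forms
        if v in (exact_role, exact_session):
            continue
        if "*" in v or "?" in v:
            return "conservative", f"broad wildcard {v}"
        return "conservative", f"different principal {v}"
    return "clean", "aws:PrincipalArn narrows account-root trust to the exact source role"


# Constructed inputs mirroring the regression cases listed in the PR text.
SOURCE_ROLE = "arn:aws:iam::111111111111:role/deploy/SourceRole"
ROOT = {"AWS": "arn:aws:iam::111111111111:root"}


def _stmt(principal, condition=None):
    s = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        s["Condition"] = condition
    return s


SAMPLE_STATEMENTS = {
    "exact_role": _stmt(ROOT, {"ArnEquals": {"aws:PrincipalArn": SOURCE_ROLE}}),
    "exact_session": _stmt(ROOT, {"ArnLike": {"aws:PrincipalArn": "arn:aws:sts::111111111111:assumed-role/SourceRole/*"}}),
    "exact_with_external_id": _stmt(ROOT, {"StringEquals": {"aws:PrincipalArn": SOURCE_ROLE, "sts:ExternalId": "abc123"}}),
    "external_id_only": _stmt(ROOT, {"StringEquals": {"sts:ExternalId": "abc123"}}),
    "broad_role_wildcard": _stmt(ROOT, {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/*"}}),
    "broad_session_wildcard": _stmt(ROOT, {"ArnLike": {"aws:PrincipalArn": "arn:aws:sts::111111111111:assumed-role/*"}}),
    "different_role": _stmt(ROOT, {"ArnEquals": {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/OtherRole"}}),
    "unsupported_condition": _stmt(ROOT, {"StringEquals": {"aws:PrincipalArn": SOURCE_ROLE, "aws:PrincipalOrgID": "o-exampleorg"}}),
    "wildcard_principal": _stmt("*", {"ArnEquals": {"aws:PrincipalArn": SOURCE_ROLE}}),
}


def classify_samples():
    """Map each sample name to its verdict ('clean' or 'conservative')."""
    return {name: classify_trust_statement(s, SOURCE_ROLE)[0] for name, s in SAMPLE_STATEMENTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26s} {verdict}")
```

The check on the operator matters in practice: an assumed-role pattern ending in `/*` only acts as a wildcard under StringLike, ArnLike or ArnEquals; under StringEquals the `*` is literal, so the statement lets nothing assume the role and should not be treated as a clean witness for the session form.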