AWS IAM ABAC support

[dmeiser]

I am trying to set up a comprehensive solution around ABAC for our development teams. One big thing is ensuring that we identify IAM policies that allow too many permissions. However, those ABAC permissions typically look like "Allow reading S3 buckets and objects where the bucket has a tag like MyTag = MyValue." Actual example from AWS:

     {
         "Sid": "ReadSecretsManagerSameTeam",
         "Effect": "Allow",
         "Action": [
             "secretsmanager:Describe*",
             "secretsmanager:Get*",
             "secretsmanager:List*"
         ],
         "Resource": "*",
         "Condition": {
             "StringEquals": {
                 "aws:ResourceTag/access-team": "${aws:PrincipalTag/access-team}"
             }
         }
     }

Does KICS audit for condition strings? Does anybody have any suggestions for effectively auditing these?