Skip to content

[codex] Add PassRole Lambda live binding checkpoint #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
InfoSecHack merged 1 commit into from
Jun 3, 2026
Merged

[codex] Add PassRole Lambda live binding checkpoint #15

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
110 changes: 110 additions & 0 deletions docs/specs/controlled-passrole-lambda-live-binding-001-checkpoint.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
# Controlled PassRole-to-Lambda Live Binding #1 Checkpoint

## Purpose

Record the sanitized comparison between one selected local IAMScope PassRole-to-Lambda finding and one observed controlled live AWS result.

This is a docs/checkpoint slice only. It does not run live AWS, run Terraform, call AWS CLI, call STS, call Lambda APIs, call `iam:PassRole`, change the live runner, change reasoner logic, change benchmark semantics, commit raw `/tmp` live output, commit raw AWS account ids, or commit raw role ARNs.

## Source Evidence

Sanitized live AWS result checkpoint:

- `docs/specs/controlled-passrole-lambda-live-result-001-checkpoint.md`

Binding gap checkpoint that this checkpoint closes narrowly:

- `docs/specs/controlled-passrole-lambda-live-binding-gap-001-checkpoint.md`

Selected local IAMScope finding fixture:

- `tests/fixtures/live_binding/passrole_lambda_selected_finding/scenario.json`
- `tests/fixtures/live_binding/passrole_lambda_selected_finding/expected_finding.json`
- `tests/fixtures/live_binding/passrole_lambda_selected_finding/README.md`

The selected local fixture uses synthetic account `000000000000`. The live account id is redacted. The live role ARN is redacted. The raw live result JSON is not committed.

## Selected Local IAMScope Finding

- `finding_id`: `dc284c673334e54974e229c9ac006684b3e928d0d03936f857fe93068dc74dc8`
- `pattern_id`: `passrole_lambda`
- `expected_verdict`: `validated`
- `severity`: `high`
- Classification: `selected_local_createfunction_passrole_finding`
- Source principal: synthetic/redacted fixture principal under account `000000000000`
- Target role: synthetic/redacted fixture role under account `000000000000`
- Generation method: local existing `PassRoleLambdaReasoner`

The selected local path represents service-mediated Lambda `CreateFunction` plus `iam:PassRole` plus Lambda trust only. It does not include an admin-equivalent execution-role edge.

## Observed Live AWS Result

The sanitized live result was:

```json
{
"attempted_action": "lambda:CreateFunction",
"observed_aws_result": "create_function_succeeded",
"function_created": true,
"cleanup_status": "deleted_not_found_verified",
"lambda_invoke_function_called": false,
"live_aws_used": true
}
```

Additional observed boundaries:

- The function was not invoked.
- No triggers, function URLs, event source mappings, aliases, versions, or downstream actions were created or tested.
- Cleanup was verified.
- Terraform resources were destroyed.
- Account id redacted.
- Role ARN redacted.
- Raw live result JSON not committed.

Live AWS was used only in the previously documented controlled run. This PR does not run live AWS.

## Comparison Result

Comparison result: `matched_for_selected_service_mediated_createfunction_behavior`

Allowed claim:

> For one selected controlled PassRole-to-Lambda case, the selected local IAMScope `validated` PassRole finding matched the observed AWS `lambda:CreateFunction` result.

Required caveat:

> This is a narrow match for service-mediated Lambda `CreateFunction` plus `iam:PassRole` plus Lambda trust only.

The selected local finding expected the Lambda PassRole path to be `validated` for the sanitized fixture. The live run observed that Lambda `CreateFunction` accepted the selected execution role under the controlled test conditions, created the function, and then verified cleanup.

## Evidence Boundaries

This checkpoint binds only:

- One selected local IAMScope `passrole_lambda` finding.
- One observed controlled live AWS `lambda:CreateFunction` result.
- One controlled service-mediated CreateFunction behavior.

This checkpoint does not bind or validate Lambda invocation, downstream authorization, execution-role permissions, admin-equivalent role behavior, other principals, other roles, other accounts, other regions, other IAMScope findings, or broader PassRole behavior.

The selected local fixture is sanitized and synthetic. The observed live result is recorded only through sanitized checkpoint fields. No raw `/tmp` live result, Terraform state/cache/provider/plan/output file, raw account id, or raw role ARN is committed.

## Non-Claims

This checkpoint does not claim:

- Lambda invocation behavior.
- Downstream authorization.
- Admin-equivalent execution role behavior.
- Exploitability proof.
- Production readiness.
- Broad IAMScope correctness.
- Broad PassRole correctness.
- Correctness for other principals, roles, accounts, regions, or findings.
- Composite benchmark score.
- Pass/fail benchmark label.

## Next Validation Slice

Recommended next slice: add one denied PassRole-to-Lambda live validation case.