def query_for_changing_iam_things(db_session):
    """Return the ``iam`` service's actions at the 'Permissions management' and 'Write' levels.

    The two lookups are concatenated in that order (permissions-management
    actions first, then write actions) without de-duplication. Judging by the
    name, the result is meant to be the set of actions that can alter IAM
    configuration -- confirm against the callers before relying on that.

    :param db_session: an open Policy Sentry database session, passed straight
        through to ``get_actions_with_access_level``
    :return: list of IAM action names
    """
    levels = ('Permissions management', 'Write')
    return [
        action
        for level in levels
        for action in get_actions_with_access_level(db_session, 'iam', level)
    ]
def action_table(name, service, access_level, condition, wildcard_only):
    """Query the Action Table from the Policy Sentry database and print the result.

    The arguments are dispatched in a fixed priority order: ``service == "all"``
    beats every other argument; then ``access_level`` without ``name``; then
    ``condition``; then ``wildcard_only``; then ``name`` without ``access_level``;
    with nothing else set, every action of ``service`` is listed. Nothing is
    returned -- results only go to stdout.

    :param name: a single action name to look up, or None
    :param service: IAM service prefix, or "all" for every service in the database
    :param access_level: access-level text, normalised via
        ``transform_access_level_text`` before the lookup; None/empty to skip
    :param condition: condition key to filter actions by; falsy to skip
    :param wildcard_only: truthy to list only actions whose resource must be
        ``"*"`` (i.e. they cannot be constrained to an ARN)
    """
    session = connect_db(DATABASE_FILE_PATH)

    def dump(payload):
        # Single-service query results are printed as indented JSON.
        print(json.dumps(payload, indent=4))

    # Actions on all services
    if service == "all":
        prefixes = get_all_service_prefixes(session)
        if not access_level:
            # No access level given: just list every service in the database.
            print("All services in the database:\n")
            for prefix in prefixes:
                print(prefix)
            return
        level = transform_access_level_text(access_level)
        print(f"{access_level} actions across ALL services:\n")
        collected = []
        for prefix in prefixes:
            collected.extend(
                get_actions_with_access_level(session, prefix, level))
        for action in collected:
            print(action)
        return

    if name is None and access_level:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        dump(get_actions_with_access_level(session, service, level))
    elif condition:
        # All IAM actions under the service that support the given condition key.
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        dump(get_actions_matching_condition_key(session, service, condition))
    elif wildcard_only:
        # Actions that only accept resources = "*" (cannot be scoped to an ARN).
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        dump(get_actions_that_support_wildcard_arns_only(session, service))
    elif name and access_level is None:
        dump(get_action_data(session, service, name))
    else:
        print(f"All IAM actions available to {service}:")
        # Every IAM action available to the service, one per line.
        actions = get_actions_for_service(session, service)
        print(f"ALL {service} actions:")
        for action in actions:
            print(action)
def example():
    """Print two sample queries: all cloud9 actions, then s3's permissions-management actions."""
    print("connected to db")
    # Any querying helper can be used once the database is reachable.
    cloud9_actions = get_actions_for_service('cloud9')
    print(cloud9_actions)
    s3_permission_actions = get_actions_with_access_level(
        's3', 'Permissions management')
    print(s3_permission_actions)
 def test_get_actions_with_access_level(self):
     """querying.actions.get_actions_with_access_level"""
     self.maxDiff = None
     # Exactly the two tagging actions of the 'workspaces' service are expected,
     # in this order (assertListEqual is order-sensitive).
     expected = ['workspaces:CreateTags', 'workspaces:DeleteTags']
     actual = get_actions_with_access_level("workspaces", "Tagging")
     self.assertListEqual(expected, actual)
 def test_get_all_actions_with_access_level(self):
     """test_get_all_actions_with_access_level: Get all actions with a given access level"""
     self.maxDiff = None
     # Both of these must appear in the result; the result may contain more.
     expected_subset = ["s3:deleteaccesspointpolicy", "s3:putbucketacl"]
     result = get_actions_with_access_level(db_session, "all",
                                            "Permissions management")
     print(result)
     decision = all(action in result for action in expected_subset)
     print(f"decision is {decision}")
     self.assertTrue(decision)
def example():
    """Open the bundled database and print two sample queries."""
    # 'bundled' selects the IAM definition shipped inside the package.
    session = connect_db('bundled')
    print("connected to db")
    # With a session in hand, any helper that needs the database can be used.
    cloud9_actions = get_actions_for_service(session, 'cloud9')
    print(cloud9_actions)
    s3_permission_actions = get_actions_with_access_level(
        session, 's3', 'Permissions management')
    print(s3_permission_actions)
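async def _get_policy_sentry_access_level_actions(
        service: str, access_levels: List[str]) -> List[str]:
    """Use policy_sentry to get actions corresponding to AWS service and access_levels.
    TODO(psanders): Move this to a more sensible module

    The result is one lookup per access level, concatenated in the order the
    levels are given; duplicates are not removed.

    :param service: AWS service prefix whose actions are looked up
    :param access_levels: a list of access levels (CRUD-style) to generate IAM policy statements from
    :return: actions: A list of IAM policy actions
    """
    actions: List[str] = []
    for level in access_levels:
        actions.extend(get_actions_with_access_level(service, level))
    return actions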
 def test_get_actions_with_access_level(self):
     """test_get_actions_with_access_level: Tests function that gets a list of actions in a
     service under different access levels."""
     self.maxDiff = None
     # Every 'ram' action at the 'Permissions management' level, in the order
     # the database returns them (assertListEqual is order-sensitive).
     ram_actions = [
         'acceptresourceshareinvitation', 'associateresourceshare',
         'createresourceshare', 'deleteresourceshare',
         'disassociateresourceshare',
         'enablesharingwithawsorganization',
         'rejectresourceshareinvitation', 'updateresourceshare'
     ]
     desired_output = [f'ram:{action}' for action in ram_actions]
     output = get_actions_with_access_level(db_session, "ram",
                                            "Permissions management")
     print(output)
     self.assertListEqual(desired_output, output)
 def test_get_actions_with_access_level(self):
     """querying.actions.get_actions_with_access_level"""
     self.maxDiff = None
     # Every 'ram' action at the 'Permissions management' level, in the order
     # the database returns them (assertListEqual is order-sensitive).
     ram_actions = [
         "acceptresourceshareinvitation",
         "associateresourceshare",
         "createresourceshare",
         "deleteresourceshare",
         "disassociateresourceshare",
         "enablesharingwithawsorganization",
         "rejectresourceshareinvitation",
         "updateresourceshare",
     ]
     desired_output = [f"ram:{action}" for action in ram_actions]
     output = get_actions_with_access_level(
         db_session, "ram", "Permissions management"
     )
     self.assertListEqual(desired_output, output)
 def test_get_actions_with_access_level(self):
     """querying.actions.get_actions_with_access_level"""
     self.maxDiff = None
     # Every 'ram' action at the 'Permissions management' level, in the order
     # the database returns them (assertListEqual is order-sensitive).
     ram_actions = [
         "AcceptResourceShareInvitation",
         "AssociateResourceShare",
         "CreateResourceShare",
         "DeleteResourceShare",
         "DisassociateResourceShare",
         "EnableSharingWithAwsOrganization",
         "RejectResourceShareInvitation",
         "UpdateResourceShare",
     ]
     desired_output = [f"ram:{action}" for action in ram_actions]
     output = get_actions_with_access_level(db_session, "ram",
                                            "Permissions management")
     print(output)
     self.assertListEqual(desired_output, output)
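def query_action_table(name,
                       service,
                       access_level,
                       condition,
                       resource_type,
                       fmt="json"):
    """Query the Action Table from the Policy Sentry database.
    Use this one when leveraging Policy Sentry as a library.

    The branches are evaluated in order: ``service == "all"`` takes precedence
    over every other filter, then access-level queries (optionally narrowed by
    ``resource_type``), then ``condition``, then ``resource_type`` alone, then a
    single-action lookup by ``name``; with no filters at all, every action of
    the service is listed.

    :param name: a single action name to look up, or None
    :param service: IAM service prefix, or "all" for every service in the datastore
    :param access_level: access-level text, normalised through
        ``transform_access_level_text`` before the lookup; None/empty to skip
    :param condition: condition key to filter actions by; falsy to skip
    :param resource_type: resource (ARN) type to filter actions by; falsy to skip
    :param fmt: "yaml" prints YAML; any other value prints JSON (or one entry
        per line for the list-style branches)
    :return: the raw result of the selected query helper, before formatting
    """

    def emit(payload, per_line=False):
        """Print ``payload`` in the requested format.

        YAML wins whenever ``fmt == "yaml"``; otherwise list-style branches
        print one entry per line and everything else prints indented JSON.
        """
        if fmt == "yaml":
            print(yaml.dump(payload))
        elif per_line:
            for entry in payload:
                print(entry)
        else:
            print(json.dumps(payload, indent=4))

    # Report which IAM definition is in use; a user-local one takes precedence
    # over the bundled one (presumably picked up by the query helpers -- confirm).
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")

    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
        else:
            # Get a list of all services in the database
            print("All services in the database:\n")
            output = all_services
        emit(output, per_line=True)
    elif name is None and access_level and not resource_type:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        emit(output)
    elif name is None and access_level and resource_type:
        print(
            f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_arn_type_and_access_level(
            service, resource_type, level)
        emit(output)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        emit(output)
    # Get a list of all IAM actions under the service that operate on the
    # specified resource (ARN) type.
    elif resource_type:
        print(
            f"IAM actions under {service} service that have the resource type {resource_type}:"
        )
        output = get_actions_matching_arn_type(service, resource_type)
        emit(output)
    elif name and access_level is None:
        output = get_action_data(service, name)
        emit(output)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        emit(output, per_line=True)
    return output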
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.actions import get_actions_with_access_level
import json

if __name__ == '__main__':
    # Open the IAM definition bundled with the package and list every action,
    # across all services, at the 'Permissions management' access level.
    session = connect_db('bundled')
    permission_actions = get_actions_with_access_level(
        session, 'all', 'Permissions management')
    print(json.dumps(permission_actions, indent=4))
"""
Output: Literally all IAM actions that are at the Permissions management access level
"""
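def query_action_table(name,
                       service,
                       access_level,
                       condition,
                       wildcard_only,
                       fmt="json"):
    """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    The branches are evaluated in order: ``service == "all"`` takes precedence
    over every other filter, then access-level queries (optionally narrowed to
    wildcard-only actions), then ``condition``, then ``wildcard_only`` alone,
    then a single-action lookup by ``name``; with no filters at all, every
    action of the service is listed.

    :param name: a single action name to look up, or None
    :param service: IAM service prefix, or "all" for every service in the database
    :param access_level: access-level text, normalised through
        ``transform_access_level_text`` before the lookup; None/empty to skip
    :param condition: condition key to filter actions by; falsy to skip
    :param wildcard_only: truthy to restrict to actions whose resource must be
        ``"*"`` (i.e. they cannot be constrained to an ARN)
    :param fmt: "yaml" prints YAML; any other value prints JSON (or one entry
        per line for the list-style branches)
    :return: the raw result of the selected query helper, before formatting
    """

    def emit(payload, per_line=False):
        """Print ``payload`` in the requested format.

        YAML wins whenever ``fmt == "yaml"``; otherwise list-style branches
        print one entry per line and everything else prints indented JSON.
        """
        if fmt == "yaml":
            print(yaml.dump(payload))
        elif per_line:
            for entry in payload:
                print(entry)
        else:
            print(json.dumps(payload, indent=4))

    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
        else:
            # Get a list of all services in the database
            print("All services in the database:\n")
            output = all_services
        emit(output, per_line=True)
    elif name is None and access_level and not wildcard_only:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        emit(output)
    elif name is None and access_level and wildcard_only:
        print(
            f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_at_access_level_that_support_wildcard_arns_only(
            service, level)
        emit(output)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        emit(output)
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(service)
        emit(output)
    elif name and access_level is None:
        output = get_action_data(service, name)
        emit(output)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        emit(output, per_line=True)
    return output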
#!/usr/bin/env python

from policy_sentry.querying.actions import get_actions_with_access_level
import json

if __name__ == '__main__':

    # List every s3 action at the 'Permissions management' access level (the
    # level AWS assigns to actions that grant or modify permissions), as JSON.
    permission_actions = get_actions_with_access_level(
        's3', 'Permissions management')
    print(json.dumps(permission_actions, indent=4))

"""
Output:

    s3:bypassgovernanceretention
    s3:deleteaccesspointpolicy
    s3:deletebucketpolicy
    s3:objectowneroverridetobucketowner
    s3:putaccesspointpolicy
    s3:putaccountpublicaccessblock
    s3:putbucketacl
    s3:putbucketpolicy
    s3:putbucketpublicaccessblock
    s3:putobjectacl
    s3:putobjectversionacl
"""
def example():
    """Print two sample queries: all cloud9 actions, then s3's permissions-management actions."""
    cloud9_actions = get_actions_for_service('cloud9')
    print(cloud9_actions)
    s3_permission_actions = get_actions_with_access_level(
        's3', 'Permissions management')
    print(s3_permission_actions)