def create_audit_directory():
"""
Creates directory for analyze_iam_policy audit files and places audit files there.
"""
audit_directory_path = HOME + CONFIG_DIRECTORY + AUDIT_DIRECTORY_FOLDER
create_directory_if_it_doesnt_exist(audit_directory_path)
destination = audit_directory_path
existing_audit_files_directory = os.path.abspath(os.path.dirname(__file__)) + '/data/audit/'
source = existing_audit_files_directory
file_list = list_files_in_directory(existing_audit_files_directory)
for file in file_list:
if file.endswith(".txt"):
shutil.copy(source + '/' + file, destination)
print("copying " + file + " to " + destination)
def create_html_docs_directory():
"""
Copies the HTML files from the pip package over to its own folder in the CONFIG_DIRECTORY.
Also copies over the links.yml file, which is a mapping of services and relevant HTML links in the AWS docs.
Essentially:
mkdir -p ~/.policy_sentry/data/docs
cp -r $MODULE_DIR/policy_sentry/shared/data/docs ~/.policy_sentry/data/docs
:return:
"""
create_directory_if_it_doesnt_exist(HTML_DIRECTORY_PATH)
# Copy from the existing html docs folder - the path ./policy_sentry/shared/data/docs within this repository
existing_html_docs_folder = os.path.abspath(
os.path.dirname(__file__)) + HTML_DATA_DIRECTORY_SUBFOLDER
copy_tree(existing_html_docs_folder, HTML_DIRECTORY_PATH)
# Copy the links.yml file from here to the config directory
existing_links_file = os.path.abspath(
os.path.dirname(__file__)) + '/' + 'links.yml'
target_links_file = HOME + CONFIG_DIRECTORY + 'links.yml'
shutil.copy(existing_links_file, target_links_file)
def create_audit_directory():
"""
Creates directory for analyze_iam_policy audit files and places audit files there.
Essentially:
mkdir -p ~/.policy_sentry/audit
cp -r $MODULE_DIR/policy_sentry/shared/data/audit/ ~/.policy_sentry/audit/
"""
create_directory_if_it_doesnt_exist(AUDIT_DIRECTORY_PATH)
destination = AUDIT_DIRECTORY_PATH
existing_audit_files_directory = os.path.abspath(
os.path.dirname(__file__)) + '/data/audit/'
source = existing_audit_files_directory
file_list = list_files_in_directory(existing_audit_files_directory)
for file in file_list:
if file.endswith(".txt"):
shutil.copy(source + '/' + file, destination)
print("copying " + file + " to " + destination)
def download_remote_policies(profile=None,
customer_managed=True,
attached_only=True):
# Credentials profile selection
if profile:
profile = profile
else:
profile = "default"
iam_session = login(profile, "iam")
sts_session = login(profile, "sts")
# Get the account ID for use in folder directory naming
account_id = sts_session.get_caller_identity()["Account"]
# Directory names
policy_file_directory = home + config_directory + 'policy-analysis' + '/' + account_id
customer_managed_policy_file_directory = policy_file_directory + '/' + 'customer-managed'
aws_managed_policy_file_directory = policy_file_directory + '/' + 'aws-managed'
create_directory_if_it_doesnt_exist(policy_file_directory)
create_directory_if_it_doesnt_exist(customer_managed_policy_file_directory)
create_directory_if_it_doesnt_exist(aws_managed_policy_file_directory)
policy_group = PolicyGroup()
policy_group.set_remote_policy_metadata(iam_session, customer_managed,
attached_only)
policy_names = policy_group.get_policy_names()
policy_group.set_remote_policy_documents(iam_session)
# Determine whether we should store it in the customer-managed or aws-managed directory
if customer_managed:
filename_directory = customer_managed_policy_file_directory
else:
filename_directory = aws_managed_policy_file_directory
print("Writing the policy files to " + filename_directory)
print("")
for policy_name in policy_names:
# get the default policy version for that specific policy
document = policy_group.get_policy_document(policy_name)
filename = filename_directory + '/' + policy_name + '.json'
write_json_file(filename, document)
print(
"If you want to analyze the policies, specify the policy file in the analyze-iam-policy command\n"
)
print("The list of policies downloaded are:")
print("")
only_files = list_files_in_directory(filename_directory)
for filename in only_files:
print(filename)
def download_remote_policies(profile=None,
customer_managed=True,
attached_only=True):
"""Download IAM Policies from live accounts to ~/policy_sentry/analysis/account_id/"""
# Credentials profile selection
if profile:
profile = profile
else:
profile = "default"
iam_session = login(profile, "iam")
sts_session = login(profile, "sts")
# Get the account ID for use in folder directory naming
account_id = sts_session.get_caller_identity()["Account"]
# Directory names
policy_file_directory = HOME + CONFIG_DIRECTORY + \
'analysis' + '/' + account_id
customer_managed_policy_file_directory = policy_file_directory + '/' + 'customer-managed'
aws_managed_policy_file_directory = policy_file_directory + '/' + 'aws-managed'
create_directory_if_it_doesnt_exist(policy_file_directory)
create_directory_if_it_doesnt_exist(customer_managed_policy_file_directory)
create_directory_if_it_doesnt_exist(aws_managed_policy_file_directory)
policy_group = PolicyGroup()
policy_group.set_remote_policy_metadata(iam_session, customer_managed,
attached_only)
policy_names = policy_group.get_policy_names()
policy_group.set_remote_policy_documents(iam_session)
# Determine whether we should store it in the customer-managed or
# aws-managed directory
if customer_managed:
filename_directory = customer_managed_policy_file_directory
else:
filename_directory = aws_managed_policy_file_directory
print("Writing the policy files to " + filename_directory)
print("")
for policy_name in policy_names:
# get the default policy version for that specific policy
document = policy_group.get_policy_document(policy_name)
filename = filename_directory + '/' + policy_name + '.json'
write_json_file(filename, document)
print(
"If you want to analyze the policies, just run:\n\npolicy_sentry analyze downloaded-policies"
)
return filename_directory