Beispiel #1
0
    def test_analyze_policies(self):
        data = {
            "settings": {
                "principal_service": ["ec2", "ec2", "lambda"],
                "policies": ["default_role_policy"],
                "additional_policies": [{
                    "action": "s3:GetObject",
                    "resource": "arn:aws:s3:::mybucketname"
                }],
            }
        }
        role = Role(data)

        actual = []
        for analyzed_policy in role.analyze_policies():
            for finding in analyzed_policy.findings:
                actual.append(str(finding))

        expected = [
            "RESOURCE_MISMATCH"
            " - [{'action': 's3:GetObject', 'required_format': 'arn:*:s3:::*/*'}]"
            " - {'actions': ['s3:GetObject'], 'filepath': None}"
        ]

        self.assertEqual(actual, expected)
Beispiel #2
0
    def test_valid_managed_policy(self):
        data = {
            "settings": {
                "managed_policy_arns": ["AmazonEKSWorkerNodePolicy"]
            }
        }
        role = Role(data)

        actual = role.analyze_policies()
        expected = []

        self.assertEqual(actual, expected)
Beispiel #3
0
    def test_invalid_managed_policy(self):
        data = {"settings": {"managed_policy_arns": ["AdministratorAccess"]}}
        role = Role(data)

        actual = [str(finding) for finding in role.analyze_policies()]

        expected = [
            "DENIED_POLICIES"
            " - Managed policies are not approved for use"
            " - {'managed_policy_arns': ['AdministratorAccess']}"
        ]

        self.assertEqual(actual, expected)
Beispiel #4
0
def lambda_handler(event, context=None):
    LOGGER.debug(f"event: {event}")

    if not event:
        LOGGER.error("No event found in request")
        return {"result": "UNSUPPORTED"}

    role_type = event.get("type")
    if role_type != "iam":
        return {"result": "UNSUPPORTED"}

    stack_name = event.get("stack_name")
    account_id = event.get("account_id")
    region = event.get("region")

    roles = validate_yaml(event.get("roles"))
    if not roles:
        return {"result": "NON_COMPLIANT"}

    all_findings = []

    for role_dict in roles:
        role = Role(role_dict, region, account_id)

        analyzed_polices = role.analyze_policies()

        role_findings = []
        for analyzed_policy in analyzed_polices:
            role_findings.extend(analyzed_policy.findings)

        if not role_findings:
            findings = simulate_policies(account_id, analyzed_polices)
            role_findings.extend(findings)

        all_findings.extend(role_findings)

    if all_findings:
        for finding in all_findings:
            LOGGER.error(str(finding))
        return {"result": "NON_COMPLIANT"}

    output = {
        "result": "COMPLIANT",
        "roles": roles,
        "account_id": account_id,
        "region": region,
        "stack_name": stack_name,
    }
    return output