def setup(self):
self.unused_users = []
self.unused_roles = []
self.unattached_policies = []
self.redundant_group = []
self.user_clusters = {
"Admins": ["wifi"],
"Powerusers": {
"Users": ["GanDalf"],
"Policies": [
"arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
"arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonESFullAccess"
]
},
"ReadOnly": ["kangaroo", "talm"]
}
self.special_users = []
self.roles_rightsizing = []
self.terraform_transformer = TerraformTransformer(configure_logger())
current_dir = os.path.abspath(os.path.dirname(__file__))
with open("{}/{}".format(current_dir, "../iam_data.json")) as f:
iam_data = json.load(f)
self.report = RuntimeReport("012345678901", 'arn:aws:iam::012345678901:user/testuser', iam_data)
self.report.set_unused(self.unused_users, self.unused_roles, [], [], self.unattached_policies, self.redundant_group, [])
self.report.set_reorg(self.user_clusters)
def test_user_organizer(self):
unused_threshold = 10 + days_from_today('2020-03-21T11:41:00+00:00')
current_dir = os.path.abspath(os.path.dirname(__file__))
with open("{}/{}".format(current_dir, "../iam_data.json")) as f:
iam_data = json.load(f)
self.report = RuntimeReport('000000000000', 'arn:aws:iam::000000000000:user/testuser', iam_data)
credential_report = iam_data['CredentialReport']
account_users = iam_data['AccountUsers']
account_roles = iam_data['AccountRoles']
account_policies = iam_data['AccountPolicies']
account_groups = iam_data['AccountGroups']
unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
unattached_policies = find_unattached_policies(account_policies)
redundant_groups = find_redundant_groups(account_groups, account_users)
unused_roles, used_roles = find_unused_roles(account_roles, unused_threshold)
unused_policy_attachments = find_unused_policy_attachments(account_users, account_roles, account_policies, account_groups, unused_threshold)
unused_policy_attachments = filter_attachments_of_unused_entities(unused_policy_attachments, unused_users, unused_roles, redundant_groups)
self.report.set_unused(unused_users, unused_roles, unused_active_access_keys, unused_console_login_profiles, unattached_policies,
redundant_groups, unused_policy_attachments)
self.user_organizer = UserOrganizer(configure_logger(), unused_threshold)
simple_user_clusters = self.user_organizer.get_user_clusters(self.report)
self.assertEqual(len(simple_user_clusters), 3)
self.assertEqual(len(unused_users), 1)
self.assertTrue('Admins' in simple_user_clusters.keys())
self.assertTrue('ReadOnly' in simple_user_clusters.keys())
self.assertTrue('Powerusers' in simple_user_clusters.keys())
self.assertEqual(len(simple_user_clusters['Admins']['Users']), 2, 'Expected to have 2 admins')
self.report.set_reorg(simple_user_clusters)
Reporter.report_groupings(self.report)
def recommend_groups(logger,
runtime_iam_report: RuntimeReport,
last_used_threshold=90,
organizer=None):
account_id = runtime_iam_report.get_raw_data(
)['AccountRoles'][0]['Arn'].split(":")[4]
logger.info("Analyzing data for account {}".format(account_id))
if not organizer:
logger.info('Using the default UserOrganizer')
organizer = UserOrganizer(logger, last_used_threshold)
runtime_iam_report.set_reorg(
organizer.get_user_clusters(runtime_iam_report))
return runtime_iam_report
def get_user_clusters(self, runtime_report: RuntimeReport) -> dict:
"""
Returns the user clusters based on the raw data in the runtime report
:param runtime_report: an instance of RuntimeReport which has the raw_iam_data already set
:return: {'Admins': {'Users': [], 'Policies': []}, 'Powerusers': {'Users': [], 'Policies': []}, 'ReadOnly': {'Users': [], 'Policies': []}}
"""
iam_data = runtime_report.get_raw_data()
human_users, service_users = self._separate_user_types(
iam_data['AccountUsers'])
simple_user_clusters = self._create_simple_user_clusters(
human_users, iam_data['AccountGroups'],
iam_data['AccountPolicies'])
return simple_user_clusters
class TestTerraformTransformer(unittest.TestCase):
def test_terraformer_works(self):
self.setup()
self.terraform_transformer.transform(without_unused=True, results=self.report, without_import=True, without_groups=False)
self.assertTrue(os.path.exists('results/main.tf'), 'Did not create a main file')
self.assertTrue(os.path.exists('results/users.tf'), 'Did not create a users file')
self.assertTrue(os.path.exists('results/policies.tf'), 'Did not create a policies file')
def setup(self):
self.unused_users = []
self.unused_roles = []
self.unattached_policies = []
self.redundant_group = []
self.user_clusters = {
"Admins": ["wifi"],
"Powerusers": {
"Users": ["GanDalf"],
"Policies": [
"arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
"arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonESFullAccess"
]
},
"ReadOnly": ["kangaroo", "talm"]
}
self.special_users = []
self.roles_rightsizing = []
self.terraform_transformer = TerraformTransformer(configure_logger())
current_dir = os.path.abspath(os.path.dirname(__file__))
with open("{}/{}".format(current_dir, "../iam_data.json")) as f:
iam_data = json.load(f)
self.report = RuntimeReport("012345678901", 'arn:aws:iam::012345678901:user/testuser', iam_data)
self.report.set_unused(self.unused_users, self.unused_roles, [], [], self.unattached_policies, self.redundant_group, [])
self.report.set_reorg(self.user_clusters)
def evaluate_runtime_iam(self, list_unused: bool, command: str) -> RuntimeReport:
"""
This method encapsulates all Runtime IAM data capture & classification
:param list_unused: A boolean indicating whether to list the unused AWS entities or not.
:param command: The command inputted by the user
:return: An instance of the report which describes which resources need to be reconfigured (and how),
and which resources should be removed
"""
account_id, identity_arn = self._get_identity_details()
iam_data = self._get_data_from_aws(account_id, list_unused)
if command == 'terraform':
if ':role/' in identity_arn:
iam_data['AccountRoles'] = list(filter(lambda r: r['RoleName'] != identity_arn.split('/').pop(1), iam_data['AccountRoles']))
print(f'Filtered {identity_arn} from the analysis')
return RuntimeReport(account_id, identity_arn, iam_data)