def test_failures_for_correct_account_ids(intra_account_root_access):
    """Root and bare-account principals are flagged even for the configured account.

    ``Config`` pins ``aws_account_id`` to ``123456789012``; the fixture's bucket
    policy names that account's ``:root`` ARN plus a bare foreign account id.
    Both are expected as MEDIUM, BLOCKING resource-level failures against
    ``AccLoadBalancerAccessLogBucketPolicy`` (an account-wide principal trusts
    every identity in that account, so matching the own account does not
    exempt it).
    """
    config = Config(aws_account_id="123456789012")
    result = PartialWildcardPrincipalRule(config).invoke(intra_account_root_access)

    assert not result.valid

    # Same failure shape for both principals; only the reason text differs.
    flagged_reasons = (
        "AccLoadBalancerAccessLogBucketPolicy should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789012:root')",
        "AccLoadBalancerAccessLogBucketPolicy should not allow wildcard in principals or account-wide principals (principal: '987654321012')",
    )
    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=reason,
            risk_value=RuleRisk.MEDIUM,
            rule="PartialWildcardPrincipalRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"AccLoadBalancerAccessLogBucketPolicy"},
            resource_types={"AWS::S3::BucketPolicy"},
        )
        for reason in flagged_reasons
    ]
    assert compare_lists_of_failures(result.failures, expected_failures)
def test_failures_are_raised(bad_template):
    """Older API shape: failures are written into a caller-supplied ``Result``.

    With no config the findings land in ``failed_monitored_rules`` rather than
    ``failed_rules``, so the result still reports ``valid``. Each offending
    principal in ``PolicyA`` produces two entries: an unknown-principal
    notice for account ``123445`` and a partial-wildcard/account-wide finding
    for the principal ARN itself.
    """
    result = Result()
    rule = PartialWildcardPrincipalRule(None, result)
    rule.invoke(bad_template)

    assert result.valid
    assert len(result.failed_rules) == 0

    # Expected reasons in the order the rule records them.
    expected_reasons = [
        "PolicyA contains an unknown principal: 123445",
        "PolicyA should not allow wildcard in principals or account-wide principals "
        "(principal: 'arn:aws:iam::123445:12345*')",
        "PolicyA contains an unknown principal: 123445",
        "PolicyA should not allow wildcard in principals or account-wide principals "
        "(principal: 'arn:aws:iam::123445:root')",
    ]
    monitored = result.failed_monitored_rules
    assert len(monitored) == len(expected_reasons)
    for failure, reason in zip(monitored, expected_reasons):
        assert failure.rule == "PartialWildcardPrincipalRule"
        assert failure.reason == reason
def test_failures_are_raised(bad_template):
    """A policy with partial-wildcard and root principals is rejected.

    ``PolicyA`` names ``arn:aws:iam::123445:12345*`` (a wildcard suffix on the
    principal id) and ``arn:aws:iam::123445:root`` (the whole account). Both
    must surface as MEDIUM, BLOCKING resource-level failures, making the
    result invalid.
    """
    result = PartialWildcardPrincipalRule(None).invoke(bad_template)

    assert not result.valid

    offending_reasons = (
        "PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:12345*')",
        "PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:root')",
    )
    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=reason,
            risk_value=RuleRisk.MEDIUM,
            rule="PartialWildcardPrincipalRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"PolicyA"},
            resource_types={"AWS::IAM::Policy"},
        )
        for reason in offending_reasons
    ]
    assert compare_lists_of_failures(result.failures, expected_failures)
def test_no_failures_are_raised(good_template):
    """A template with only specific principals produces no findings at all.

    Both the blocking and the monitored failure lists must be empty, not just
    the blocking one, so a regression that downgrades a finding to monitored
    would still be caught here.
    """
    result = PartialWildcardPrincipalRule(None).invoke(good_template)

    assert result.valid
    assert len(result.failed_rules) == 0
    assert len(result.failed_monitored_rules) == 0
def test_failures_are_raised(bad_template):
    """Every broad principal form in ``PolicyA`` is reported, in order.

    Four findings are expected: a wildcard-suffixed principal id, an account
    ``:root`` ARN, and two 64-hex canonical-user-style ids. All share the same
    MEDIUM, BLOCKING, resource-level shape; only the ``at '...'`` part of the
    reason differs. The reason wording ("resource-id like
    'arn:aws:iam::12345:root'") is whatever this version of the rule emits and
    is asserted verbatim.
    """
    result = PartialWildcardPrincipalRule(None).invoke(bad_template)

    assert not result.valid

    expected_reasons = [
        "PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123445:12345*'",
        "PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123445:root'",
        "PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be'",
        "PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'eb2fe74dc7e8125d8f8fcae89d90e6dfdecabf896e1a69d55e949b009fd95a97'",
    ]

    def failure_for(reason):
        # One resource-level failure per offending principal, identical apart
        # from the reason text.
        return Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=reason,
            risk_value=RuleRisk.MEDIUM,
            rule="PartialWildcardPrincipalRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"PolicyA"},
            resource_types={"AWS::IAM::Policy"},
        )

    expected_failures = [failure_for(reason) for reason in expected_reasons]
    assert compare_lists_of_failures(result.failures, expected_failures)
def test_no_failures_are_raised(good_template):
    """A template with only specific principals yields a valid, failure-free result."""
    rule = PartialWildcardPrincipalRule(None)
    result = rule.invoke(good_template)

    assert result.valid
    # Compare against an explicit empty list so any stray finding is reported.
    assert compare_lists_of_failures(result.failures, [])
def test_rule_supports_filter_config(bad_template, default_allow_all_config):
    """The rule honours a filter config that suppresses its findings.

    ``bad_template`` would normally fail this rule; with the (by its name)
    allow-all filter config applied, no failure is expected and the result is
    valid. This only shows filters are consulted; what the config actually
    allows lives in the fixture.
    """
    filtered_rule = PartialWildcardPrincipalRule(default_allow_all_config)
    result = filtered_rule.invoke(bad_template)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
def test_aws_elb_allow_template(aws_elb_allow_template):
    """The ELB fixture template is not flagged as a wildcard/account-wide principal.

    Going by the fixture name this covers an access-log style grant to the AWS
    ELB service; the rule must produce a valid result with no failures for it
    (see the fixture for the exact principal used).
    """
    result = PartialWildcardPrincipalRule(None).invoke(aws_elb_allow_template)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])