def is_excluded(self, exclusions):
"""Determine whether or not the User in question is excluded"""
if not isinstance(exclusions, Exclusions):
raise Exception("Please supply a Exclusions object")
# (1) If the user is a member of an excluded group, return True
excluded_groups = []
if self.group_membership:
for group in self.group_membership:
if exclusions.is_principal_excluded(group, "Group"):
excluded_groups.append(group)
if excluded_groups:
# return True
return excluded_groups
# (2) If the user is explicitly excluded, return True
if exclusions.is_principal_excluded(self.name, "User"):
logger.debug(
f"Excluded: the {self.name} user is explicitly excluded.")
return [self.name]
# Each finding will be limited to one policy - so if this user has multiple risky policies,
# then there will be multiple findings per group
# So, for this finding, we will check if the single PolicyName/path assigned to this group is excluded.
# (3) If the policy attached is excluded
# Policy Name
if exclusions.is_policy_excluded(self.policy_name.lower()):
return [self.policy_name]
# Policy Path
elif exclusions.is_policy_excluded(get_full_policy_path(self.arn)):
return [get_full_policy_path(self.arn)]
# (4) If we made it this far, it's not excluded
else:
return False
def is_excluded(self, exclusions):
"""Determine whether or not the Policy in question is excluded"""
if not isinstance(exclusions, Exclusions):
raise Exception("Please supply a Exclusions object")
# (1) If the policy attached is excluded
# Policy Name
if exclusions.is_policy_excluded(self.policy_name.lower()):
return [self.policy_name]
# Policy Path
elif exclusions.is_policy_excluded(get_full_policy_path(self.arn)):
return [get_full_policy_path(self.arn)]
# (2) If we made it this far, it's not excluded
else:
return False
def __init__(self,
group_detail,
policy_details,
exclusions=DEFAULT_EXCLUSIONS):
"""
Initialize the GroupDetail object.
:param group_detail: Details about a particular group
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the group can inherit those attributes
"""
self.create_date = group_detail.get("CreateDate")
self.arn = group_detail.get("Arn")
self.path = group_detail.get("Path")
self.group_id = group_detail.get("GroupId")
self.group_name = group_detail.get("GroupName")
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again.")
self.is_excluded = self._is_excluded(exclusions)
# Inline Policies
self.inline_policies = []
# If the group itself is NOT excluded, add its inline policies
if not self.is_excluded:
if group_detail.get("GroupPolicyList"):
for policy_detail in group_detail.get("GroupPolicyList"):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(
json.dumps(policy_document))
if not (exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)):
inline_policy = InlinePolicy(policy_detail)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the group itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
if group_detail.get("AttachedManagedPolicies"):
for policy in group_detail.get("AttachedManagedPolicies"):
arn = policy.get("PolicyArn")
if not (exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(
get_full_policy_path(arn))
or exclusions.is_policy_excluded(
get_policy_name(arn))):
attached_managed_policy_details = (
policy_details.get_policy_detail(arn))
self.attached_managed_policies.append(
attached_managed_policy_details)
def is_excluded(self, exclusions):
"""Determine whether or not the Role in question is excluded"""
if not isinstance(exclusions, Exclusions):
raise Exception("Please supply a Exclusions object")
# (1) If the role is explicitly excluded
if exclusions.is_principal_excluded(self.name, "Role"):
logger.debug(
f"Excluded: the {self.name} role is explicitly excluded.")
return True
# Each finding will be limited to one policy - so if this user has multiple risky policies,
# then there will be multiple findings per group
# So, for this finding, we will check if the single PolicyName/path assigned to this group is excluded.
# (2) If the policy attached is excluded
# Policy Name
if exclusions.is_policy_excluded(self.policy_name.lower()):
return self.policy_name
# Policy Path
elif exclusions.is_policy_excluded(get_full_policy_path(self.arn)):
return get_full_policy_path(self.arn)
# (4) If we made it this far, it's not excluded
else:
return False
def is_excluded(self, exclusions):
"""Determine whether or not the Group in question is excluded"""
if not isinstance(exclusions, Exclusions):
raise Exception("Please supply a Exclusions object")
# (1) If there are no more users in the group
members_in_use = []
if self.members:
for member in self.members:
if not exclusions.is_principal_excluded(member, "User"):
members_in_use.append(member)
if len(members_in_use) == 0:
# decision_count += 1
logger.debug(
f"Excluded: the {self.name} group's members are all excluded."
)
return members_in_use
# (2) If the group itself is excluded.
if exclusions.is_principal_excluded(self.name, "Group"):
logger.debug(
f"Excluded: the {self.name} group is explicitly excluded.")
return self.name
# Each finding will be limited to one policy - so if this group has multiple risky policies,
# then there will be multiple findings per group
# So, for this finding, we will check if the single PolicyName/path assigned to this group is excluded.
# (3) If the policy attached is excluded
# Policy Name
if exclusions.is_policy_excluded(self.policy_name.lower()):
return self.policy_name
# Policy Path
elif exclusions.is_policy_excluded(get_full_policy_path(self.arn)):
return get_full_policy_path(self.arn)
else:
# (4) If we made it this far, it's not excluded
return False
def full_policy_path(self):
"""Get the full policy path, including /aws-service-role/, if applicable"""
return get_full_policy_path(self.arn)
def __init__(
self,
group_detail: Dict[str, Any],
policy_details: ManagedPolicyDetails,
exclusions: Exclusions = DEFAULT_EXCLUSIONS,
flag_conditional_statements: bool = False,
flag_resource_arn_statements: bool = False,
):
"""
Initialize the GroupDetail object.
:param group_detail: Details about a particular group
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the group can inherit those attributes
"""
self.create_date = group_detail.get("CreateDate")
self.arn = group_detail.get("Arn")
self.path = group_detail["Path"]
self.group_id = group_detail["GroupId"]
self.group_name = group_detail["GroupName"]
# Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
self.flag_conditional_statements = flag_conditional_statements
self.flag_resource_arn_statements = flag_resource_arn_statements
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again.")
self.is_excluded = self._is_excluded(exclusions)
# Inline Policies
self.inline_policies = []
# If the group itself is NOT excluded, add its inline policies
if not self.is_excluded:
for policy_detail in group_detail.get("GroupPolicyList", []):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(json.dumps(policy_document))
if not (exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)):
# NOTE: The Exclusions were not here before the #254 fix (which was an unfiled bug I just discovered) so the presence of this might break some older unit tests. Might need to fix that.
inline_policy = InlinePolicy(
policy_detail,
exclusions=exclusions,
flag_conditional_statements=flag_conditional_statements,
flag_resource_arn_statements=
flag_resource_arn_statements)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the group itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
for policy in group_detail.get("AttachedManagedPolicies", []):
arn = policy.get("PolicyArn")
if not (exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(
get_full_policy_path(arn)) or
exclusions.is_policy_excluded(get_policy_name(arn))):
attached_managed_policy_details = policy_details.get_policy_detail(
arn)
self.attached_managed_policies.append(
attached_managed_policy_details)
def __init__(
self,
user_detail: Dict[str, Any],
policy_details: ManagedPolicyDetails,
all_group_details: GroupDetailList,
exclusions: Exclusions = DEFAULT_EXCLUSIONS,
flag_conditional_statements: bool = False,
flag_resource_arn_statements: bool = False,
) -> None:
"""
Initialize the UserDetail object.
:param user_detail: Details about a particular user
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
so the user can inherit those attributes
:param all_group_details:
"""
self.create_date = user_detail.get("CreateDate")
self.arn = user_detail.get("Arn")
self.path = user_detail["Path"]
self.user_id = user_detail["UserId"]
self.user_name = user_detail["UserName"]
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again.")
self.is_excluded = self._is_excluded(exclusions)
# Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
self.flag_conditional_statements = flag_conditional_statements
self.flag_resource_arn_statements = flag_resource_arn_statements
# Groups
self.groups: List[GroupDetail] = []
group_list = user_detail.get("GroupList")
if group_list:
self._add_group_details(group_list, all_group_details)
# self.inline_policies = user_detail.get("UserPolicyList")
# self.groups = user_detail.get("GroupList")
# Inline Policies
self.inline_policies = []
# If the user itself is NOT excluded, add its inline policies
if not self.is_excluded:
for policy_detail in user_detail.get("UserPolicyList", []):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(json.dumps(policy_document))
if not (exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)):
inline_policy = InlinePolicy(
policy_detail,
exclusions=exclusions,
flag_conditional_statements=flag_conditional_statements,
flag_resource_arn_statements=
flag_resource_arn_statements)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the user itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
for policy in user_detail.get("AttachedManagedPolicies", []):
arn = policy.get("PolicyArn")
if not (exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(
get_full_policy_path(arn)) or
exclusions.is_policy_excluded(get_policy_name(arn))):
attached_managed_policy_details = policy_details.get_policy_detail(
arn)
self.attached_managed_policies.append(
attached_managed_policy_details)
def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
"""
Initialize the RoleDetail object.
:param role_detail: Details about a particular Role
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
so the role can inherit those attributes
"""
# Metadata
self.path = role_detail.get("Path")
self.role_name = role_detail.get("RoleName")
self.role_id = role_detail.get("RoleId")
self.arn = role_detail.get("Arn")
self.create_date = role_detail.get("CreateDate")
self.tags = role_detail.get("Tags")
self.role_last_used = role_detail.get("RoleLastUsed").get("LastUsedDate")
self.role_detail = role_detail # just to reference later in debugging
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again."
)
self.is_excluded = self._is_excluded(exclusions)
# Metadata in object form
if role_detail.get("AssumeRolePolicyDocument"):
self.assume_role_policy_document = AssumeRolePolicyDocument(role_detail.get("AssumeRolePolicyDocument"))
else:
self.assume_role_policy_document = None
# TODO: Create a class for InstanceProfileList
self.instance_profile_list = role_detail.get("InstanceProfileList")
# Inline Policies
self.inline_policies = []
# If the role itself is NOT excluded, add its inline policies
if not self.is_excluded:
if role_detail.get("RolePolicyList"):
for policy_detail in role_detail.get("RolePolicyList"):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(json.dumps(policy_document))
if not (
exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)
):
inline_policy = InlinePolicy(policy_detail)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
if role_detail.get("AttachedManagedPolicies"):
for policy in role_detail.get("AttachedManagedPolicies"):
arn = policy.get("PolicyArn")
if not (
exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(get_full_policy_path(arn))
or exclusions.is_policy_excluded(get_policy_name(arn))
):
attached_managed_policy_details = policy_details.get_policy_detail(arn)
self.attached_managed_policies.append(attached_managed_policy_details)
def __init__(
self,
role_detail: Dict[str, Any],
policy_details: ManagedPolicyDetails,
exclusions: Exclusions = DEFAULT_EXCLUSIONS,
flag_conditional_statements: bool = False,
flag_resource_arn_statements: bool = False,
) -> None:
"""
Initialize the RoleDetail object.
:param role_detail: Details about a particular Role
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
so the role can inherit those attributes
"""
# Metadata
self.path = role_detail["Path"]
self.role_name = role_detail["RoleName"]
self.role_id = role_detail["RoleId"]
self.arn = role_detail.get("Arn")
self.create_date = role_detail.get("CreateDate")
self.tags = role_detail.get("Tags")
self.role_last_used = role_detail.get("RoleLastUsed",
{}).get("LastUsedDate")
self.role_detail = role_detail # just to reference later in debugging
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again.")
self.is_excluded = self._is_excluded(exclusions)
# Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
self.flag_conditional_statements = flag_conditional_statements
self.flag_resource_arn_statements = flag_resource_arn_statements
# Metadata in object form
self.assume_role_policy_document = None
assume_role_policy = role_detail.get("AssumeRolePolicyDocument")
if assume_role_policy:
self.assume_role_policy_document = AssumeRolePolicyDocument(
assume_role_policy)
# TODO: Create a class for InstanceProfileList
self.instance_profile_list = role_detail.get("InstanceProfileList", [])
# Inline Policies
self.inline_policies = []
# If the role itself is NOT excluded, add its inline policies
if not self.is_excluded:
for policy_detail in role_detail.get("RolePolicyList", []):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(json.dumps(policy_document))
if not (exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)):
inline_policy = InlinePolicy(
policy_detail,
exclusions=exclusions,
flag_conditional_statements=flag_conditional_statements,
flag_resource_arn_statements=
flag_resource_arn_statements)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
for policy in role_detail.get("AttachedManagedPolicies", []):
arn = policy.get("PolicyArn")
if not (exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(
get_full_policy_path(arn)) or
exclusions.is_policy_excluded(get_policy_name(arn))):
attached_managed_policy_details = policy_details.get_policy_detail(
arn)
self.attached_managed_policies.append(
attached_managed_policy_details)
