def list_method(self, **kwargs):
all_roles = list_roles(**kwargs)
items = []
for role in all_roles:
role["Region"] = "us-east-1" # IAM is global
items.append(role)
return items
def list_method(self, **kwargs):
all_roles = list_roles(**kwargs)
items = []
for role in all_roles:
role["Region"] = "us-east-1" # IAM is global
items.append(role)
return items
def _list_users(self):
if not self.session:
return list_roles(**self.conn_details)
else:
client = self._get_client()
paginator = client.get_paginator('list_users')
roles = []
for page in paginator.paginate():
roles += page['Users']
return roles
def update_role_cache(account_number):
conn = CONFIG['connection_iam']
conn['account_number'] = account_number
roles = list_roles(**conn)
active_roles = []
LOGGER.info('Updating role data for account {}'.format(account_number))
for role in tqdm(roles):
role['policies'] = get_role_inline_policies(role, **conn) or {}
active_roles.append(role['RoleId'])
roledata.update_role_data(role)
LOGGER.info('Finding inactive accounts')
roledata.find_and_mark_inactive(active_roles)
LOGGER.info('Filtering roles')
filtered_roles_list = {}
plugins = FilterPlugins()
# need to have all roles in the dictionary, even if they aren't filtered
filtered_roles_list = {role['RoleId']: [] for role in roles}
for plugin in CONFIG.get('active_filters'):
plugins.load_plugin(plugin)
for plugin in plugins.filter_plugins:
filtered_list = plugin.apply(roles)
class_name = plugin.__class__.__name__
for role in filtered_list:
LOGGER.info('Role {} filtered by {}'.format(
role['RoleName'], class_name))
filtered_roles_list[role['RoleId']].append(class_name)
roledata.update_filtered_roles(filtered_roles_list)
LOGGER.info('Getting data from Aardvark')
aardvark_data = _get_aardvark_data(account_number)
LOGGER.info('Updating with Aardvark data')
roledata.update_aardvark_data(account_number, aardvark_data)
LOGGER.info('Calculating repoable permissions and services')
roledata.update_repoable_data(_calculate_repo_scores(account_number))
LOGGER.info('Updating stats')
roledata.update_stats(source='Scan')
def _get_arns(self):
"""
Gets a list of all Role ARNs in a given account, optionally limited by
class property ARN filter
:return: list of role ARNs
"""
roles = list_roles(**self.conn_details)
account_arns = set([role['Arn'] for role in roles])
result_arns = set()
for arn in self.arn_list:
if arn.lower() == 'all':
return account_arns
if arn not in account_arns:
self.current_app.logger.warn(
"Provided ARN {arn} not found in account.".format(arn=arn))
continue
result_arns.add(arn)
return list(result_arns)
def _get_arns(self):
"""
Gets a list of all Role ARNs in a given account, optionally limited by
class property ARN filter
:return: list of role ARNs
"""
client = boto3_cached_conn('iam',
service_type='client',
**self.conn_details)
account_arns = set()
for role in list_roles(**self.conn_details):
account_arns.add(role['Arn'])
for user in list_users(**self.conn_details):
account_arns.add(user['Arn'])
for page in client.get_paginator('list_policies').paginate(
Scope='Local'):
for policy in page['Policies']:
account_arns.add(policy['Arn'])
for page in client.get_paginator('list_groups').paginate():
for group in page['Groups']:
account_arns.add(group['Arn'])
result_arns = set()
for arn in self.arn_list:
if arn.lower() == 'all':
return account_arns
if arn not in account_arns:
self.current_app.logger.warn(
"Provided ARN {arn} not found in account.".format(arn=arn))
continue
result_arns.add(arn)
return list(result_arns)
def list_roles(self, **kwargs):
roles = list_roles(**kwargs["conn_dict"])
return [role for role in roles if not self.check_ignore_list(role['RoleName'])]
def update_role_cache(account_number, dynamo_table, config, hooks):
"""
Update data about all roles in a given account:
1) list all the roles and initiate a role object with basic data including name and roleID
2) get inline policies for each of the roles
3) build a list of active roles - we'll want to keep data about roles that may have been deleted in case we
need to restore them, so if we used to have a role and now we don't see it we'll mark it inactive
4) update data about the roles in Dynamo
5) mark inactive roles in Dynamo
6) load and instantiate filter plugins
7) for each filter determine the list of roles that it filters
8) update data in Dynamo about filters
9) get Aardvark data for each role
10) update Dynamo with Aardvark data
11) calculate repoable permissions/policies for all the roles
12) update Dynamo with information about how many total and repoable permissions and which services are repoable
13) update stats in Dynamo with basic information like total permissions and which filters are applicable
Args:
account_number (string): The current account number Repokid is being run against
Returns:
None
"""
conn = config['connection_iam']
conn['account_number'] = account_number
roles = Roles([Role(role_data) for role_data in list_roles(**conn)])
active_roles = []
LOGGER.info('Updating role data for account {}'.format(account_number))
for role in tqdm(roles):
role.account = account_number
current_policies = get_role_inline_policies(role.as_dict(), **conn) or {}
active_roles.append(role.role_id)
roledata.update_role_data(dynamo_table, account_number, role, current_policies)
LOGGER.info('Finding inactive roles in account {}'.format(account_number))
roledata.find_and_mark_inactive(dynamo_table, account_number, active_roles)
LOGGER.info('Filtering roles')
plugins = FilterPlugins()
# Blacklist needs to know the current account
config['filter_config']['BlacklistFilter']['current_account'] = account_number
for plugin_path in config.get('active_filters'):
plugin_name = plugin_path.split(':')[1]
plugins.load_plugin(plugin_path, config=config['filter_config'].get(plugin_name, None))
for plugin in plugins.filter_plugins:
filtered_list = plugin.apply(roles)
class_name = plugin.__class__.__name__
for filtered_role in filtered_list:
LOGGER.info('Role {} filtered by {}'.format(filtered_role.role_name, class_name))
filtered_role.disqualified_by.append(class_name)
for role in roles:
set_role_data(dynamo_table, role.role_id, {'DisqualifiedBy': role.disqualified_by})
LOGGER.info('Getting data from Aardvark for account {}'.format(account_number))
aardvark_data = _get_aardvark_data(config['aardvark_api_location'], account_number=account_number)
LOGGER.info('Updating roles with Aardvark data in account {}'.format(account_number))
for role in roles:
try:
role.aa_data = aardvark_data[role.arn]
except KeyError:
LOGGER.warning('Aardvark data not found for role: {} ({})'.format(role.role_id, role.role_name))
else:
set_role_data(dynamo_table, role.role_id, {'AAData': role.aa_data})
LOGGER.info('Calculating repoable permissions and services for account {}'.format(account_number))
roledata._calculate_repo_scores(roles, config['filter_config']['AgeFilter']['minimum_age'], hooks)
for role in roles:
LOGGER.debug('Role {} in account {} has\nrepoable permissions: {}\nrepoable services:'.format(
role.role_name, account_number, role.repoable_permissions, role.repoable_services
))
set_role_data(dynamo_table, role.role_id, {'TotalPermissions': role.total_permissions,
'RepoablePermissions': role.repoable_permissions,
'RepoableServices': role.repoable_services})
LOGGER.info('Updating stats in account {}'.format(account_number))
roledata.update_stats(dynamo_table, roles, source='Scan')
def list_method(self, **kwargs):
return list_roles(**kwargs)
def update_role_cache(account_number):
"""
Update data about all roles in a given account:
1) list all the roles and initiate a role object with basic data including name and roleID
2) get inline policies for each of the roles
3) build a list of active roles - we'll want to keep data about roles that may have been deleted in case we
need to restore them, so if we used to have a role and now we don't see it we'll mark it inactive
4) update data about the roles in Dynamo
5) mark inactive roles in Dynamo
6) load and instantiate filter plugins
7) for each filter determine the list of roles that it filters
8) update data in Dynamo about filters
9) get Aardvark data for each role
10) update Dynamo with Aardvark data
11) calculate repoable permissions/policies for all the roles
12) update Dynamo with information about how many total and repoable permissions and which services are repoable
13) update stats in Dynamo with basic information like total permissions and which filters are applicable
Args:
account_number (string): The current account number Repokid is being run against
Returns:
None
"""
conn = CONFIG['connection_iam']
conn['account_number'] = account_number
roles = Roles([Role(role_data) for role_data in list_roles(**conn)])
active_roles = []
LOGGER.info('Updating role data for account {}'.format(account_number))
for role in tqdm(roles):
current_policies = get_role_inline_policies(role.as_dict(), **
conn) or {}
active_roles.append(role.role_id)
roledata.update_role_data(role, current_policies)
LOGGER.info('Finding inactive accounts')
roledata.find_and_mark_inactive(account_number, active_roles)
LOGGER.info('Filtering roles')
plugins = FilterPlugins()
for plugin in CONFIG.get('active_filters'):
plugins.load_plugin(plugin)
for plugin in plugins.filter_plugins:
filtered_list = plugin.apply(roles)
class_name = plugin.__class__.__name__
for role in filtered_list:
LOGGER.info('Role {} filtered by {}'.format(
role.role_name, class_name))
roles.get_by_id(role.role_id).disqualified_by.append(class_name)
roledata.update_filtered_roles(roles)
LOGGER.info('Getting data from Aardvark')
aardvark_data = _get_aardvark_data(account_number)
LOGGER.info('Updating with Aardvark data')
roledata.update_aardvark_data(aardvark_data, roles)
LOGGER.info('Calculating repoable permissions and services')
roledata._calculate_repo_scores(roles)
roledata.update_repoable_data(roles)
LOGGER.info('Updating stats')
roledata.update_stats(roles, source='Scan')
