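 def test_get_actions_for_service(self):
     """querying.actions.get_actions_for_service: every RAM action listed
     below must be returned for the ``ram`` prefix.

     This is a subset check rather than an exact comparison, so the test
     keeps passing when AWS adds new ``ram:`` actions to the definition.
     """
     expected_results = [
         "ram:AcceptResourceShareInvitation",
         "ram:AssociateResourceShare",
         "ram:AssociateResourceSharePermission",
         "ram:CreateResourceShare",
         "ram:DeleteResourceShare",
         "ram:DisassociateResourceShare",
         "ram:DisassociateResourceSharePermission",
         "ram:EnableSharingWithAwsOrganization",
         "ram:GetPermission",
         "ram:GetResourcePolicies",
         "ram:GetResourceShareAssociations",
         "ram:GetResourceShareInvitations",
         "ram:GetResourceShares",
         "ram:ListPendingInvitationResources",
         "ram:ListPermissions",
         "ram:ListPrincipals",
         "ram:ListResourceSharePermissions",
         "ram:ListResources",
         "ram:RejectResourceShareInvitation",
         "ram:TagResource",
         "ram:UntagResource",
         "ram:UpdateResourceShare",
     ]
     results = get_actions_for_service("ram")
     # assertIn names the missing action on failure; assertTrue(x in y)
     # only reports "False is not true". The debug print was dropped so a
     # passing run stays quiet.
     for expected_result in expected_results:
         self.assertIn(expected_result, results)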
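 def test_services_with_multiple_pages_elb(self):
     """Ensure that elb v1 and elb v2 actions are both present in the elasticloadbalancing namespace.

     Classic ELB (v1) and ALB/NLB (v2) are documented on separate SAR pages
     but share one IAM prefix. If only one page were parsed, the actions
     below would be missing and any policy built from the definition would
     silently omit them, so each classic-ELB action is asserted by name.
     """
     results = get_actions_for_service("elasticloadbalancing")
     actions = [
         "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
         "elasticloadbalancing:AttachLoadBalancerToSubnets",
         "elasticloadbalancing:ConfigureHealthCheck",
         "elasticloadbalancing:CreateAppCookieStickinessPolicy",
         "elasticloadbalancing:CreateLBCookieStickinessPolicy",
         "elasticloadbalancing:CreateLoadBalancerListeners",
         "elasticloadbalancing:CreateLoadBalancerPolicy",
         "elasticloadbalancing:DeleteLoadBalancerListeners",
         "elasticloadbalancing:DeleteLoadBalancerPolicy",
         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
         "elasticloadbalancing:DescribeInstanceHealth",
         "elasticloadbalancing:DescribeLoadBalancerPolicies",
         "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
         "elasticloadbalancing:DetachLoadBalancerFromSubnets",
         "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
         "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
         "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
         "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
         "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
     ]
     # assertIn reports which action is missing instead of a bare "False is not true".
     for action in actions:
         self.assertIn(action, results)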
 def test_get_actions_for_service(self):
     """querying.actions.get_actions_for_service

     The ``ram`` prefix must resolve to exactly this lowercased list of
     actions, in this order (this is an exact comparison, so it must be
     updated whenever the IAM definition gains or loses a ``ram:`` action).
     """
     ram_action_names = (
         "acceptresourceshareinvitation",
         "associateresourceshare",
         "associateresourcesharepermission",
         "createresourceshare",
         "deleteresourceshare",
         "disassociateresourceshare",
         "disassociateresourcesharepermission",
         "enablesharingwithawsorganization",
         "getpermission",
         "getresourcepolicies",
         "getresourceshareassociations",
         "getresourceshareinvitations",
         "getresourceshares",
         "listpendinginvitationresources",
         "listpermissions",
         "listprincipals",
         "listresourcesharepermissions",
         "listresources",
         "rejectresourceshareinvitation",
         "tagresource",
         "untagresource",
         "updateresourceshare",
     )
     desired_output = [f"ram:{action_name}" for action_name in ram_action_names]
     output = get_actions_for_service(db_session, "ram")
     self.maxDiff = None  # show the full list diff when the comparison fails
     self.assertListEqual(desired_output, output)
 def test_get_actions_for_service(self):
     """querying.actions.get_actions_for_service

     The ``ram`` prefix must resolve to exactly this list of actions, in
     this order. Because it is an exact comparison, the list has to be
     refreshed whenever the IAM definition gains or loses a ``ram:`` action.
     """
     ram_action_names = (
         "AcceptResourceShareInvitation",
         "AssociateResourceShare",
         "AssociateResourceSharePermission",
         "CreateResourceShare",
         "DeleteResourceShare",
         "DisassociateResourceShare",
         "DisassociateResourceSharePermission",
         "EnableSharingWithAwsOrganization",
         "GetPermission",
         "GetResourcePolicies",
         "GetResourceShareAssociations",
         "GetResourceShareInvitations",
         "GetResourceShares",
         "ListPendingInvitationResources",
         "ListPermissions",
         "ListPrincipals",
         "ListResourceSharePermissions",
         "ListResources",
         "RejectResourceShareInvitation",
         "TagResource",
         "UntagResource",
         "UpdateResourceShare",
     )
     desired_output = [f"ram:{action_name}" for action_name in ram_action_names]
     output = get_actions_for_service("ram")
     self.maxDiff = None  # print the complete diff on mismatch
     self.assertListEqual(desired_output, output)
def example():
    """Run two sample queries against the IAM definition without an explicit session.

    Prints every ``cloud9`` action, then every ``s3`` action classified at
    the ``Permissions management`` access level.
    """
    print("connected to db")

    # Any query helper can be called directly in this version of the library.
    cloud9_actions = get_actions_for_service('cloud9')
    print(cloud9_actions)

    s3_permissions_actions = get_actions_with_access_level('s3', 'Permissions management')
    print(s3_permissions_actions)
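 def test_gh_226_elasticloadbalancing_v1_and_v2(self):
     """Test that elasticloadbalancing combines v1 and v2 (GH #226).

     Classic ELB (v1) and ALB/NLB (v2) are documented on separate SAR pages
     but share the ``elasticloadbalancing`` prefix; one action from each
     page must survive the merge.
     """
     results = get_actions_for_service("elasticloadbalancing")
     # NOTE(review): the previous probe used CreateTargetGroup as the
     # "v1-only" action, but target groups are an ALB/NLB (v2) concept, so
     # both probes exercised the v2 page. ApplySecurityGroupsToLoadBalancer
     # is the classic-ELB call (it is in the classic action list checked by
     # test_services_with_multiple_pages_elb) — confirm against the SAR
     # pages if these probes are revised.
     lb_v1_only_action = "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer"
     lb_v2_only_action = "elasticloadbalancing:SetSecurityGroups"
     self.assertIn(lb_v1_only_action, results)
     self.assertIn(lb_v2_only_action, results)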
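 def test_services_with_multiple_pages_kinesis_analytics(self):
     """Ensure that Kinesis Analytics V1 actions are present in the kinesisanalytics namespace.

     Kinesis Analytics V1 and V2 share the ``kinesisanalytics`` prefix; one
     V1-only action and one action common to both must be returned.
     (The docstring previously said "ses namespace", a copy/paste slip.)
     """
     # Kinesis Analytics V1
     results = get_actions_for_service("kinesisanalytics")
     actions = [
         "kinesisanalytics:GetApplicationState",  # Only in v1, not v2
         "kinesisanalytics:ListApplications",  # In both
     ]
     # assertIn names the missing action on failure.
     for action in actions:
         self.assertIn(action, results)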
def action_table(name, service, access_level, condition, wildcard_only):
    """Query the Action Table from the Policy Sentry database.

    Exactly one lookup runs, chosen in this order: ``service == "all"``
    (service listing, optionally filtered by access level), access-level
    lookup, condition-key lookup, wildcard-only lookup, single-action
    lookup, and finally the full action list for ``service``. Every result
    is printed; nothing is returned.
    """
    db_session = connect_db(DATABASE_FILE_PATH)

    if service == "all":
        all_services = get_all_service_prefixes(db_session)
        if not access_level:
            # No access level given: just enumerate the known service prefixes.
            print("All services in the database:\n")
            for prefix in all_services:
                print(prefix)
            return
        level = transform_access_level_text(access_level)
        print(f"{access_level} actions across ALL services:\n")
        matches = []
        for prefix in all_services:
            matches.extend(get_actions_with_access_level(db_session, prefix, level))
        for match in matches:
            print(match)
        return

    if name is None and access_level:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        print(json.dumps(get_actions_with_access_level(db_session, service, level), indent=4))
        return

    if condition:
        # Actions under the service that support the given condition key.
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        print(json.dumps(get_actions_matching_condition_key(db_session, service, condition), indent=4))
        return

    if wildcard_only:
        # Actions that only accept resources = "*" (cannot be scoped by ARN).
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        print(json.dumps(get_actions_that_support_wildcard_arns_only(db_session, service), indent=4))
        return

    if name and access_level is None:
        print(json.dumps(get_action_data(db_session, service, name), indent=4))
        return

    # Fallback: every IAM action available to the service.
    print(f"All IAM actions available to {service}:")
    action_list = get_actions_for_service(db_session, service)
    print(f"ALL {service} actions:")
    for item in action_list:
        print(item)
def example():
    """Open the bundled IAM definition and run two sample queries against it."""
    # 'bundled' is the critical argument: it selects the definition shipped
    # inside the package rather than a locally built one.
    db_session = connect_db('bundled')
    print("connected to db")

    # Any query helper can now be given the session.
    cloud9_actions = get_actions_for_service(db_session, 'cloud9')
    print(cloud9_actions)

    s3_permissions_actions = get_actions_with_access_level(
        db_session, 's3', 'Permissions management'
    )
    print(s3_permissions_actions)
 def test_get_actions_for_service(self):
     """test_get_actions_for_service: the ``ram`` prefix must resolve to
     exactly this lowercased action list, in this order.

     Exact comparison: refresh the list when the IAM definition changes.
     """
     ram_action_names = (
         'acceptresourceshareinvitation', 'associateresourceshare',
         'associateresourcesharepermission', 'createresourceshare',
         'deleteresourceshare', 'disassociateresourceshare',
         'disassociateresourcesharepermission',
         'enablesharingwithawsorganization', 'getpermission',
         'getresourcepolicies', 'getresourceshareassociations',
         'getresourceshareinvitations', 'getresourceshares',
         'listpendinginvitationresources', 'listpermissions',
         'listprincipals', 'listresourcesharepermissions',
         'listresources', 'rejectresourceshareinvitation',
         'tagresource', 'untagresource', 'updateresourceshare',
     )
     desired_output = [f"ram:{action_name}" for action_name in ram_action_names]
     self.maxDiff = None  # show the complete diff on mismatch
     output = get_actions_for_service(db_session, "ram")
     self.assertListEqual(desired_output, output)
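 def test_services_with_multiple_pages_lex(self):
     """Ensure that lex v1 and lex v2 actions are both present in the lex namespace.

     Lex V1 and V2 are documented on separate SAR pages but share the
     ``lex`` prefix. One action from each page is probed in the full
     definition (``self.all_actions``), then the V1 action list is checked
     per action so a missing entry is reported by name.
     """
     # Lex V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html
     self.assertIn("lex:DeleteUtterances", self.all_actions)
     # Lex V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html
     self.assertIn("lex:ListBotLocales", self.all_actions)
     results = get_actions_for_service("lex")
     actions = [
         "lex:CreateIntentVersion",
         "lex:CreateSlotTypeVersion",
         "lex:DeleteBotChannelAssociation",
         "lex:DeleteIntentVersion",
         "lex:DeleteSlotTypeVersion",
         "lex:GetBot",
         "lex:GetBotAlias",
         "lex:GetBotAliases",
         "lex:GetBotChannelAssociation",
         "lex:GetBotChannelAssociations",
         "lex:GetBotVersions",
         "lex:GetBots",
         "lex:GetBuiltinIntent",
         "lex:GetBuiltinIntents",
         "lex:GetBuiltinSlotTypes",
         "lex:GetExport",
         "lex:GetImport",
         "lex:GetIntent",
         "lex:GetIntentVersions",
         "lex:GetIntents",
         "lex:GetMigration",
         "lex:GetMigrations",
         "lex:GetSlotType",
         "lex:GetSlotTypeVersions",
         "lex:GetSlotTypes",
         "lex:GetUtterancesView",
         "lex:PostContent",
         "lex:PostText",
         "lex:PutBot",
         "lex:PutBotAlias",
         "lex:PutIntent",
         "lex:PutSlotType",
         "lex:StartMigration",
     ]
     for action in actions:
         self.assertIn(action, results)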
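def _print_query_output(output, fmt, as_json):
    """Print one query result in the requested format.

    ``fmt == "yaml"`` dumps the whole result as YAML. Any other ``fmt``
    value is treated as JSON: ``as_json`` selects between one indented JSON
    document and one plain line per item (the latter is what the
    "all services" listings use).
    """
    if fmt == "yaml":
        print(yaml.dump(output))
    elif as_json:
        print(json.dumps(output, indent=4))
    else:
        for item in output:
            print(item)


def query_action_table(name,
                       service,
                       access_level,
                       condition,
                       wildcard_only,
                       fmt="json"):
    """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    Exactly one lookup runs, chosen in this order: ``service == "all"``
    (service listing, optionally filtered by access level), access level
    only, access level restricted to wildcard-only actions, condition key,
    wildcard-only actions, a single named action, and finally the full
    action list for ``service``. The result is both printed (via
    ``_print_query_output``) and returned.

    ``fmt`` is only compared against ``"yaml"``; any other value falls back
    to the JSON / plain-line output.
    """
    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                result = get_actions_with_access_level(serv, level)
                output.extend(result)
            _print_query_output(output, fmt, as_json=False)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            _print_query_output(output, fmt, as_json=False)
    elif name is None and access_level and not wildcard_only:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        _print_query_output(output, fmt, as_json=True)
    elif name is None and access_level and wildcard_only:
        print(
            f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
        )
        access_level = transform_access_level_text(access_level)
        output = get_actions_at_access_level_that_support_wildcard_arns_only(
            service, access_level)
        _print_query_output(output, fmt, as_json=True)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        _print_query_output(output, fmt, as_json=True)
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(service)
        _print_query_output(output, fmt, as_json=True)
    elif name and access_level is None:
        output = get_action_data(service, name)
        _print_query_output(output, fmt, as_json=True)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        _print_query_output(output, fmt, as_json=False)
    return output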
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.actions import get_actions_for_service
import json

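if __name__ == '__main__':
    # 'bundled' selects the IAM definition shipped inside the package.
    db_session = connect_db('bundled')
    output = get_actions_for_service(db_session, 'cloud9')
    print(json.dumps(output, indent=4))
"""
Output:

A JSON list of strings, each of the form "cloud9:<Action>", one per IAM
action the cloud9 service defines in the IAM definition. (An earlier
revision of this example showed "ram:..." entries here, which cannot be
the result of a "cloud9" query.)
"""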
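    def test_services_with_multiple_pages_ses(self):
        """Ensure that ses v1 and ses v2 actions are both present in the ses namespace.

        SES V1 and V2 are documented on separate SAR pages but share the
        ``ses`` prefix. One action from each page is probed in the full
        definition (``self.all_actions``), then the V1 action list is
        checked per action so a missing entry is reported by name.
        """
        # SES V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html
        self.assertIn("ses:PutIdentityPolicy", self.all_actions)
        # SES V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html
        self.assertIn("ses:ListImportJobs", self.all_actions)

        results = get_actions_for_service("ses")
        actions = [
            "ses:CloneReceiptRuleSet",
            "ses:CreateConfigurationSetTrackingOptions",
            "ses:CreateReceiptFilter",
            "ses:CreateReceiptRule",
            "ses:CreateReceiptRuleSet",
            "ses:CreateTemplate",
            "ses:DeleteConfigurationSetTrackingOptions",
            "ses:DeleteIdentity",
            "ses:DeleteIdentityPolicy",
            "ses:DeleteReceiptFilter",
            "ses:DeleteReceiptRule",
            "ses:DeleteReceiptRuleSet",
            "ses:DeleteTemplate",
            "ses:DeleteVerifiedEmailAddress",
            "ses:DescribeActiveReceiptRuleSet",
            "ses:DescribeConfigurationSet",
            "ses:DescribeReceiptRule",
            "ses:DescribeReceiptRuleSet",
            "ses:GetAccountSendingEnabled",
            "ses:GetIdentityDkimAttributes",
            "ses:GetIdentityMailFromDomainAttributes",
            "ses:GetIdentityNotificationAttributes",
            "ses:GetIdentityPolicies",
            "ses:GetIdentityVerificationAttributes",
            "ses:GetSendQuota",
            "ses:GetSendStatistics",
            "ses:GetTemplate",
            "ses:ListIdentities",
            "ses:ListIdentityPolicies",
            "ses:ListReceiptFilters",
            "ses:ListReceiptRuleSets",
            "ses:ListTemplates",
            "ses:ListVerifiedEmailAddresses",
            "ses:PutIdentityPolicy",
            "ses:ReorderReceiptRuleSet",
            "ses:SendBounce",
            "ses:SendBulkTemplatedEmail",
            "ses:SendRawEmail",
            "ses:SendTemplatedEmail",
            "ses:SetActiveReceiptRuleSet",
            "ses:SetIdentityDkimEnabled",
            "ses:SetIdentityFeedbackForwardingEnabled",
            "ses:SetIdentityHeadersInNotificationsEnabled",
            "ses:SetIdentityMailFromDomain",
            "ses:SetIdentityNotificationTopic",
            "ses:SetReceiptRulePosition",
            "ses:TestRenderTemplate",
            "ses:UpdateAccountSendingEnabled",
            "ses:UpdateConfigurationSetReputationMetricsEnabled",
            "ses:UpdateConfigurationSetSendingEnabled",
            "ses:UpdateConfigurationSetTrackingOptions",
            "ses:UpdateReceiptRule",
            "ses:UpdateTemplate",
            "ses:VerifyDomainDkim",
            "ses:VerifyDomainIdentity",
            "ses:VerifyEmailAddress",
            "ses:VerifyEmailIdentity",
        ]
        for action in actions:
            self.assertIn(action, results)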
#!/usr/bin/env python
from policy_sentry.querying.actions import get_actions_for_service
import json

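if __name__ == '__main__':
    # No session argument is needed in this version of the library.
    output = get_actions_for_service('cloud9')
    print(json.dumps(output, indent=4))
"""
Output:

A JSON list of strings, each of the form "cloud9:<Action>", one per IAM
action the cloud9 service defines in the IAM definition. (An earlier
revision of this example showed "ram:..." entries here, which cannot be
the result of a "cloud9" query.)
"""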
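    def test_services_with_multiple_pages_aws_marketplace(self):
        """Ensure that aws-marketplace actions from all the different aws-marketplace SAR pages are present in the IAM definition.

        Seven SAR pages share the ``aws-marketplace`` prefix. One action from
        each page is probed in the full definition (``self.all_actions``), then
        the merged per-service list is checked action by action so a missing
        entry is reported by name rather than as a bare "False is not true".
        """
        # Overlap: AWS Marketplace, Marketplace Catalog, and AWS Marketplace Entitlement service, AWS Marketplace Image Building Service, AWS Marketplace Metering Service, AWS Marketplace Private Marketplace, and AWS Marketplace Procurement Systems
        # AWS Marketplace: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html
        self.assertIn("aws-marketplace:AcceptAgreementApprovalRequest", self.all_actions)
        # AWS Marketplace Catalog: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecatalog.html
        self.assertIn("aws-marketplace:CancelChangeSet", self.all_actions)
        # AWS Marketplace Entitlement Service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceentitlementservice.html
        self.assertIn("aws-marketplace:GetEntitlements", self.all_actions)
        # AWS Marketplace Image Building Service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceimagebuildingservice.html
        self.assertIn("aws-marketplace:DescribeBuilds", self.all_actions)
        # AWS Marketplace Metering Service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacemeteringservice.html
        self.assertIn("aws-marketplace:BatchMeterUsage", self.all_actions)
        # AWS Marketplace Private Marketplace: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceprivatemarketplace.html
        self.assertIn("aws-marketplace:AssociateProductsWithPrivateMarketplace", self.all_actions)
        # AWS Marketplace Procurement Systems: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceprocurementsystemsintegration.html
        self.assertIn("aws-marketplace:DescribeProcurementSystemConfiguration", self.all_actions)

        results = get_actions_for_service("aws-marketplace")
        actions = [
            "aws-marketplace:AcceptAgreementApprovalRequest",
            "aws-marketplace:BatchMeterUsage",
            "aws-marketplace:CancelAgreementRequest",
            "aws-marketplace:CancelChangeSet",
            "aws-marketplace:CompleteTask",
            "aws-marketplace:DescribeAgreement",
            "aws-marketplace:DescribeBuilds",
            "aws-marketplace:DescribeChangeSet",
            "aws-marketplace:DescribeEntity",
            "aws-marketplace:DescribeProcurementSystemConfiguration",
            "aws-marketplace:DescribeTask",
            "aws-marketplace:GetAgreementApprovalRequest",
            "aws-marketplace:GetAgreementRequest",
            "aws-marketplace:GetAgreementTerms",
            "aws-marketplace:GetEntitlements",
            "aws-marketplace:ListAgreementApprovalRequests",
            "aws-marketplace:ListAgreementRequests",
            "aws-marketplace:ListBuilds",
            "aws-marketplace:ListChangeSets",
            "aws-marketplace:ListEntities",
            "aws-marketplace:ListTasks",
            "aws-marketplace:MeterUsage",
            "aws-marketplace:PutProcurementSystemConfiguration",
            "aws-marketplace:RegisterUsage",
            "aws-marketplace:RejectAgreementApprovalRequest",
            "aws-marketplace:ResolveCustomer",
            "aws-marketplace:SearchAgreements",
            "aws-marketplace:StartBuild",
            "aws-marketplace:StartChangeSet",
            "aws-marketplace:Subscribe",
            "aws-marketplace:Unsubscribe",
            "aws-marketplace:UpdateAgreementApprovalRequest",
            "aws-marketplace:UpdateTask",
            "aws-marketplace:ViewSubscriptions",
        ]
        for action in actions:
            self.assertIn(action, results)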
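    def test_other_iam_data_fixes_in_GH_393(self):
        """Other missing actions from GH #393.

        Each service below lost actions in an earlier build of the IAM
        definition; every listed action must be returned for its prefix. An
        action missing here means policies generated from the definition
        silently omit it, so every service runs in its own ``subTest`` and a
        failure names both the service and the action instead of stopping at
        the first bad service.
        """
        expected_actions_by_service = {
            # Cassandra: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkeyspacesforapachecassandra.html
            "cassandra": [
                "cassandra:Restore",
            ],
            # Comprehend Medical: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html
            "comprehendmedical": [
                "comprehendmedical:DescribeEntitiesDetectionV2Job",
                "comprehendmedical:DescribeICD10CMInferenceJob",
                "comprehendmedical:DescribePHIDetectionJob",
                "comprehendmedical:DescribeRxNormInferenceJob",
                # "comprehendmedical:DescribeSNOMEDCTInferenceJob",  # Not in SAR
                "comprehendmedical:DetectEntitiesV2",
                "comprehendmedical:InferICD10CM",
                "comprehendmedical:InferRxNorm",
                # "comprehendmedical:InferSNOMEDCT",  # Not in SAR
                "comprehendmedical:ListEntitiesDetectionV2Jobs",
                "comprehendmedical:ListICD10CMInferenceJobs",
                "comprehendmedical:ListPHIDetectionJobs",
                "comprehendmedical:ListRxNormInferenceJobs",
                # "comprehendmedical:ListSNOMEDCTInferenceJobs",  # Not in SAR
                "comprehendmedical:StartEntitiesDetectionV2Job",
                "comprehendmedical:StartICD10CMInferenceJob",
                "comprehendmedical:StartPHIDetectionJob",
                "comprehendmedical:StartRxNormInferenceJob",
                "comprehendmedical:StopEntitiesDetectionV2Job",
                "comprehendmedical:StopICD10CMInferenceJob",
            ],
            # Compute Optimizer
            "compute-optimizer": [
                "compute-optimizer:DeleteRecommendationPreferences",
                "compute-optimizer:ExportEBSVolumeRecommendations",
                "compute-optimizer:ExportLambdaFunctionRecommendations",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetEnrollmentStatusesForOrganization",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences",
            ],
            # DataSync
            "datasync": [
                "datasync:UpdateLocationNfs",
                "datasync:UpdateLocationObjectStorage",
                "datasync:UpdateLocationSmb",
                "datasync:UpdateTaskExecution",
            ],
            # Account Management
            "account": [
                "account:DeleteAlternateContact",
                "account:GetAlternateContact",
                "account:PutAlternateContact",
            ],
            # AWS IAM Access Analyzer
            "access-analyzer": [
                "access-analyzer:CancelPolicyGeneration",
                "access-analyzer:CreateAccessPreview",
                "access-analyzer:GetAccessPreview",
                "access-analyzer:GetGeneratedPolicy",
                "access-analyzer:ListAccessPreviewFindings",
                "access-analyzer:ListAccessPreviews",
                "access-analyzer:ListPolicyGenerations",
                "access-analyzer:StartPolicyGeneration",
                "access-analyzer:ValidatePolicy",
            ],
            # Elemental Activations
            "elemental-activations": [
                "elemental-activations:CompleteAccountRegistration",
                "elemental-activations:StartAccountRegistration",
            ],
            # OpenSearch
            "es": [
                "es:DescribeDomainChangeProgress",
            ],
            # Location
            "geo": [
                "geo:CalculateRouteMatrix",
            ],
            # Amazon Managed Grafana
            "grafana": [
                "grafana:DescribeWorkspaceAuthentication",
                "grafana:UpdateWorkspaceAuthentication",
            ],
            # EC2 Image Builder
            "imagebuilder": [
                "imagebuilder:ImportVmImage",
            ],
            # Timestream
            "timestream": [
                "timestream:CreateScheduledQuery",
                "timestream:DeleteScheduledQuery",
                "timestream:DescribeScheduledQuery",
                "timestream:ExecuteScheduledQuery",
                "timestream:ListScheduledQueries",
                "timestream:UpdateScheduledQuery",
            ],
            # AWS Transfer Family
            "transfer": [
                "transfer:CreateAccess",
                "transfer:CreateWorkflow",
                "transfer:DeleteAccess",
                "transfer:DeleteWorkflow",
                "transfer:DescribeAccess",
                "transfer:DescribeExecution",
                "transfer:DescribeWorkflow",
                "transfer:ListAccesses",
                "transfer:ListExecutions",
                "transfer:ListWorkflows",
                "transfer:SendWorkflowStepState",
                "transfer:UpdateAccess",
            ],
        }
        for service, expected_actions in expected_actions_by_service.items():
            with self.subTest(service=service):
                results = get_actions_for_service(service)
                for action in expected_actions:
                    # assertIn names the missing action in the failure message.
                    self.assertIn(action, results)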
 def test_get_actions_for_invalid_service(self):
     """querying.actions.get_actions_for_service
        for invalid service

     An unknown prefix must yield an empty list — not ``None`` and not an
     exception — so callers can iterate the result unconditionally.
     """
     self.assertListEqual([], get_actions_for_service("invalid_service"))
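 def test_services_with_multiple_pages_greengrass(self):
     """Ensure that greengrass v1 and greengrass v2 actions are both present in the greengrass namespace.

     Greengrass V1 and V2 are documented on separate SAR pages but share the
     ``greengrass`` prefix. One action from each page is probed in the full
     definition (``self.all_actions``), then the V1 action list is checked
     per action so a missing entry is reported by name.
     """
     # Greengrass V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrass.html
     self.assertIn("greengrass:CreateResourceDefinition", self.all_actions)
     # Greengrass V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrassv2.html
     self.assertIn("greengrass:CreateComponentVersion", self.all_actions)
     results = get_actions_for_service("greengrass")
     actions = [
         "greengrass:AssociateRoleToGroup",
         "greengrass:CreateConnectorDefinition",
         "greengrass:CreateConnectorDefinitionVersion",
         "greengrass:CreateCoreDefinition",
         "greengrass:CreateCoreDefinitionVersion",
         "greengrass:CreateDeviceDefinition",
         "greengrass:CreateDeviceDefinitionVersion",
         "greengrass:CreateFunctionDefinition",
         "greengrass:CreateFunctionDefinitionVersion",
         "greengrass:CreateGroup",
         "greengrass:CreateGroupCertificateAuthority",
         "greengrass:CreateGroupVersion",
         "greengrass:CreateLoggerDefinition",
         "greengrass:CreateLoggerDefinitionVersion",
         "greengrass:CreateResourceDefinition",
         "greengrass:CreateResourceDefinitionVersion",
         "greengrass:CreateSoftwareUpdateJob",
         "greengrass:CreateSubscriptionDefinition",
         "greengrass:CreateSubscriptionDefinitionVersion",
         "greengrass:DeleteConnectorDefinition",
         "greengrass:DeleteCoreDefinition",
         "greengrass:DeleteDeviceDefinition",
         "greengrass:DeleteFunctionDefinition",
         "greengrass:DeleteGroup",
         "greengrass:DeleteLoggerDefinition",
         "greengrass:DeleteResourceDefinition",
         "greengrass:DeleteSubscriptionDefinition",
         "greengrass:DisassociateRoleFromGroup",
         "greengrass:Discover",
         "greengrass:GetAssociatedRole",
         "greengrass:GetBulkDeploymentStatus",
         "greengrass:GetConnectorDefinition",
         "greengrass:GetConnectorDefinitionVersion",
         "greengrass:GetCoreDefinition",
         "greengrass:GetCoreDefinitionVersion",
         "greengrass:GetDeploymentStatus",
         "greengrass:GetDeviceDefinition",
         "greengrass:GetDeviceDefinitionVersion",
         "greengrass:GetFunctionDefinition",
         "greengrass:GetFunctionDefinitionVersion",
         "greengrass:GetGroup",
         "greengrass:GetGroupCertificateAuthority",
         "greengrass:GetGroupCertificateConfiguration",
         "greengrass:GetGroupVersion",
         "greengrass:GetLoggerDefinition",
         "greengrass:GetLoggerDefinitionVersion",
         "greengrass:GetResourceDefinition",
         "greengrass:GetResourceDefinitionVersion",
         "greengrass:GetSubscriptionDefinition",
         "greengrass:GetSubscriptionDefinitionVersion",
         "greengrass:GetThingRuntimeConfiguration",
         "greengrass:ListBulkDeploymentDetailedReports",
         "greengrass:ListBulkDeployments",
         "greengrass:ListConnectorDefinitionVersions",
         "greengrass:ListConnectorDefinitions",
         "greengrass:ListCoreDefinitionVersions",
         "greengrass:ListCoreDefinitions",
         "greengrass:ListDeviceDefinitionVersions",
         "greengrass:ListDeviceDefinitions",
         "greengrass:ListFunctionDefinitionVersions",
         "greengrass:ListFunctionDefinitions",
         "greengrass:ListGroupCertificateAuthorities",
         "greengrass:ListGroupVersions",
         "greengrass:ListGroups",
         "greengrass:ListLoggerDefinitionVersions",
         "greengrass:ListLoggerDefinitions",
         "greengrass:ListResourceDefinitionVersions",
         "greengrass:ListResourceDefinitions",
         "greengrass:ListSubscriptionDefinitionVersions",
         "greengrass:ListSubscriptionDefinitions",
         "greengrass:ResetDeployments",
         "greengrass:StartBulkDeployment",
         "greengrass:StopBulkDeployment",
         "greengrass:UpdateConnectorDefinition",
         "greengrass:UpdateCoreDefinition",
         "greengrass:UpdateDeviceDefinition",
         "greengrass:UpdateFunctionDefinition",
         "greengrass:UpdateGroup",
         "greengrass:UpdateGroupCertificateConfiguration",
         "greengrass:UpdateLoggerDefinition",
         "greengrass:UpdateResourceDefinition",
         "greengrass:UpdateSubscriptionDefinition",
         "greengrass:UpdateThingRuntimeConfiguration",
     ]
     for action in actions:
         self.assertIn(action, results)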
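def query_action_table(name,
                       service,
                       access_level,
                       condition,
                       resource_type,
                       fmt="json"):
    """Query the Action Table from the Policy Sentry database.
    Use this one when leveraging Policy Sentry as a library.

    The arguments select ONE query mode; the branches below are tried in
    order and the first match wins, so e.g. ``service="all"`` takes
    precedence over every other argument, and ``condition`` is only
    consulted when neither the access-level nor the "all" branches matched.

    Args:
        name: An action name to look up with ``get_action_data``; ``None``
            to query by access level, condition key or resource type.
        service: An IAM service prefix (e.g. ``"s3"``) or ``"all"``.
        access_level: Access-level text, normalised through
            ``transform_access_level_text`` before the lookup.
        condition: A condition key; lists the service's actions that
            support it.
        resource_type: An ARN/resource type; lists the service's actions
            that have that resource type.
        fmt: ``"yaml"`` prints a YAML document; any other value prints JSON
            (or one item per line for the service listings). The default is
            ``"json"``.

    Returns:
        The raw query result (a list of strings, or the dict returned by
        ``get_action_data``) so library callers do not have to parse stdout.
    """
    # A user-supplied IAM definition at LOCAL_DATASTORE_FILE_PATH takes
    # precedence over the copy bundled in the package, so results can differ
    # between machines; the log line says how to fall back to the bundled one.
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")

    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
            _print_query_output(output, fmt, one_per_line=True)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            _print_query_output(output, fmt, one_per_line=True)
    elif name is None and access_level and not resource_type:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        _print_query_output(output, fmt)
    elif name is None and access_level and resource_type:
        print(
            f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
        )
        # Keep the caller's text in access_level; the normalised form is only
        # needed for the lookup (mirrors the branch above).
        level = transform_access_level_text(access_level)
        output = get_actions_with_arn_type_and_access_level(
            service, resource_type, level)
        _print_query_output(output, fmt)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        _print_query_output(output, fmt)
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif resource_type:
        print(
            f"IAM actions under {service} service that have the resource type {resource_type}:"
        )
        output = get_actions_matching_arn_type(service, resource_type)
        _print_query_output(output, fmt)
    elif name and access_level is None:
        output = get_action_data(service, name)
        _print_query_output(output, fmt)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        _print_query_output(output, fmt, one_per_line=True)
    return output


def _print_query_output(output, fmt, *, one_per_line=False):
    """Write a query result to stdout in the requested format.

    Replaces the ``print(...) if fmt == "yaml" else [print(...) ...]``
    pattern, which built throwaway lists purely for their side effects.

    Args:
        output: The query result (list of strings or a dict).
        fmt: ``"yaml"`` dumps the result as YAML; any other value is treated
            as JSON, so an unrecognised format does not raise.
        one_per_line: When True (and *fmt* is not ``"yaml"``), print each
            element of *output* on its own line instead of one indented JSON
            document.
    """
    if fmt == "yaml":
        print(yaml.dump(output))
    elif one_per_line:
        for item in output:
            print(item)
    else:
        print(json.dumps(output, indent=4))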
def example():
    """Minimal demo of using the query helpers directly as a library."""
    # Every IAM action registered under the cloud9 service prefix.
    actions = get_actions_for_service('cloud9')
    print(actions)
    # Only the s3 actions classified at the "Permissions management" access level.
    actions = get_actions_with_access_level('s3', 'Permissions management')
    print(actions)