def query_for_changing_iam_things(db_session):
    """Return the ``iam`` actions at the 'Permissions management' and 'Write' levels.

    The two lookups run in that order and their results are concatenated,
    so permissions-management actions come first, write actions after.
    Together they are the subset of ``iam`` actions that can create or alter
    principals and policies, which is why the caller wants them grouped.

    :param db_session: open Policy Sentry database session handed through to
        ``get_actions_with_access_level``
    :return: flat list of whatever ``get_actions_with_access_level`` yields
        for each level (IAM action names)
    """
    levels = ('Permissions management', 'Write')
    return [
        action
        for level in levels
        for action in get_actions_with_access_level(db_session, 'iam', level)
    ]
def action_table(name, service, access_level, condition, wildcard_only):
    """Query the Action Table from the Policy Sentry database.

    CLI-style entry point: opens a session on ``DATABASE_FILE_PATH``, runs the
    first matching branch below and prints its result. Nothing is returned.

    Branch order (only the first match runs):
      1. ``service == "all"``   -> every service prefix, or, with ``access_level``,
                                   every action at that level across all services
      2. ``name is None`` and ``access_level`` -> actions of ``service`` at that level (JSON)
      3. ``condition``          -> actions of ``service`` supporting that condition key (JSON)
      4. ``wildcard_only``      -> actions of ``service`` that accept only ``"*"`` as resource (JSON)
      5. ``name`` without ``access_level`` -> data for that single action (JSON)
      6. otherwise              -> every action of ``service``, one per line

    Because of that order, a ``name`` passed together with an ``access_level``
    is never used as a filter: it skips branches 2 and 5 and ends up in 3, 4
    or 6 depending on the other flags.

    :param name: IAM action name within ``service``, or ``None``
    :param service: IAM service prefix, or ``"all"``
    :param access_level: access level text; ``transform_access_level_text``
        normalizes it before the lookup
    :param condition: condition key to filter on
    :param wildcard_only: truthy to restrict to actions that only support
        ``"*"`` resources
    """
    db_session = connect_db(DATABASE_FILE_PATH)
    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes(db_session)
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            results = []
            # One lookup per service prefix; the per-service lists are flattened.
            for serv in all_services:
                output = get_actions_with_access_level(db_session, serv, level)
                results.extend(output)
            for result in results:
                print(result)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            for item in all_services:
                print(item)
    elif name is None and access_level:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(db_session, service, level)
        print(json.dumps(output, indent=4))
    # Get a list of all IAM actions under the service that support the
    # specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(db_session, service, condition)
        print(json.dumps(output, indent=4))
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN). These are the actions a
    # policy cannot scope down by resource, so they deserve a closer look.
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(
            db_session, service)
        print(json.dumps(output, indent=4))
    elif name and access_level is None:
        output = get_action_data(db_session, service, name)
        print(json.dumps(output, indent=4))
    else:
        print(f"All IAM actions available to {service}:")
        # Get a list of all IAM Actions available to the service
        action_list = get_actions_for_service(db_session, service)
        # Second header is printed as-is; both lines precede the listing.
        print(f"ALL {service} actions:")
        for item in action_list:
            print(item)
def example():
    """Run two sample lookups and print each result.

    No database session is passed here; the library is expected to resolve
    its datastore on its own for these calls.
    """
    print("connected to db")
    # (query function, positional arguments) pairs, run and printed in order.
    lookups = (
        (get_actions_for_service, ('cloud9',)),
        (get_actions_with_access_level, ('s3', 'Permissions management')),
    )
    for query, args in lookups:
        print(query(*args))
def test_get_actions_with_access_level(self):
    """querying.actions.get_actions_with_access_level"""
    # 'Tagging' actions of the workspaces service; assertListEqual is
    # order-sensitive, so the expected order is the query's order.
    expected = [f"workspaces:{op}" for op in ("CreateTags", "DeleteTags")]
    actual = get_actions_with_access_level("workspaces", "Tagging")
    self.maxDiff = None
    self.assertListEqual(expected, actual)
def test_get_all_actions_with_access_level(self):
    """test_get_all_actions_with_access_level: Get all actions with a given access level"""
    self.maxDiff = None
    # Two known 'Permissions management' s3 actions that must be part of the
    # cross-service result; the full list is not pinned here.
    required = ["s3:deleteaccesspointpolicy", "s3:putbucketacl"]
    all_pm_actions = get_actions_with_access_level(db_session, "all", "Permissions management")
    print(all_pm_actions)
    decision = set(required).issubset(all_pm_actions)
    print(f"decision is {decision}")
    self.assertTrue(decision)
def example():
    """Open the bundled IAM definition and print two sample lookups."""
    # Passing 'bundled' is all that is needed to select the definition
    # shipped inside the package.
    session = connect_db('bundled')
    print("connected to db")
    # Any method that needs the database can be used once the session exists.
    lookups = (
        (get_actions_for_service, (session, 'cloud9')),
        (get_actions_with_access_level, (session, 's3', 'Permissions management')),
    )
    for query, args in lookups:
        print(query(*args))
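async def _get_policy_sentry_access_level_actions(
        service: str, access_levels: List[str]) -> List[str]:
    """Use policy_sentry to get the IAM actions of *service* at each of *access_levels*.

    TODO(psanders): Move this to a more sensible module

    One lookup runs per access level, sequentially, and the results are
    concatenated in the order the levels were given. Nothing in the body
    awaits, so the coroutine completes on its first step.

    :param service: IAM service prefix to look up (e.g. ``"s3"``)
    :param access_levels: access level names, as understood by
        ``get_actions_with_access_level`` (the CRUD-style levels used to
        generate IAM policy statements), to collect actions for
    :return: flat list of IAM policy actions for all requested levels
    """
    actions: List[str] = []
    for level in access_levels:
        actions.extend(get_actions_with_access_level(service, level))
    return actions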
def test_get_actions_with_access_level(self):
    """test_get_actions_with_access_level: Tests function that gets a list of actions in a service under different access levels."""
    # 'ram' actions at the 'Permissions management' level, in the order the
    # query returns them (assertListEqual is order-sensitive).
    expected = [
        f"ram:{op}"
        for op in (
            'acceptresourceshareinvitation',
            'associateresourceshare',
            'createresourceshare',
            'deleteresourceshare',
            'disassociateresourceshare',
            'enablesharingwithawsorganization',
            'rejectresourceshareinvitation',
            'updateresourceshare',
        )
    ]
    actual = get_actions_with_access_level(db_session, "ram", "Permissions management")
    print(actual)
    self.maxDiff = None
    self.assertListEqual(expected, actual)
def test_get_actions_with_access_level(self):
    """querying.actions.get_actions_with_access_level"""
    # 'ram' actions at the 'Permissions management' level, in query order.
    expected = [
        f"ram:{op}"
        for op in (
            "acceptresourceshareinvitation",
            "associateresourceshare",
            "createresourceshare",
            "deleteresourceshare",
            "disassociateresourceshare",
            "enablesharingwithawsorganization",
            "rejectresourceshareinvitation",
            "updateresourceshare",
        )
    ]
    self.maxDiff = None
    actual = get_actions_with_access_level(db_session, "ram", "Permissions management")
    self.assertListEqual(expected, actual)
def test_get_actions_with_access_level(self):
    """querying.actions.get_actions_with_access_level"""
    # 'ram' actions at the 'Permissions management' level, CamelCase as the
    # query returns them; assertListEqual is order-sensitive.
    expected = [
        f"ram:{op}"
        for op in (
            "AcceptResourceShareInvitation",
            "AssociateResourceShare",
            "CreateResourceShare",
            "DeleteResourceShare",
            "DisassociateResourceShare",
            "EnableSharingWithAwsOrganization",
            "RejectResourceShareInvitation",
            "UpdateResourceShare",
        )
    ]
    actual = get_actions_with_access_level(db_session, "ram", "Permissions management")
    self.maxDiff = None
    print(actual)
    self.assertListEqual(expected, actual)
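def query_action_table(name, service, access_level, condition, resource_type, fmt="json"):
    """Query the Action Table from the Policy Sentry database.

    Use this one when leveraging Policy Sentry as a library. The first
    matching branch below runs, prints a header plus the result, and the
    result is also returned:

      1. ``service == "all"``  -> every service prefix, or, with
                                  ``access_level``, every action at that level
      2. ``name is None`` + ``access_level``, no ``resource_type``
                               -> actions of ``service`` at that level
      3. ``name is None`` + ``access_level`` + ``resource_type``
                               -> actions at that level for that ARN type
      4. ``condition``         -> actions supporting that condition key
      5. ``resource_type``     -> actions matching that ARN type
      6. ``name`` without ``access_level`` -> data for that single action
      7. otherwise             -> every action of ``service``

    Because of that order a ``name`` passed together with an ``access_level``
    is not used as a filter.

    :param name: IAM action name within ``service``, or ``None``
    :param service: IAM service prefix (e.g. ``"s3"``), or ``"all"``
    :param access_level: access level text; ``transform_access_level_text``
        normalizes it before the lookup
    :param condition: condition key to filter on
    :param resource_type: ARN/resource type to filter on
    :param fmt: ``"yaml"`` prints the result as YAML; any other value prints
        JSON (branches 2-6) or one entry per line (branches 1 and 7)
    :return: the printed result (list of actions, list of service prefixes,
        or the single action's data)
    """

    def _emit(data, *, one_per_line):
        # Output shape shared by every branch: YAML when asked for, else
        # either one entry per line or the whole result as indented JSON.
        if fmt == "yaml":
            print(yaml.dump(data))
        elif one_per_line:
            for entry in data:
                print(entry)
        else:
            print(json.dumps(data, indent=4))

    # NOTE(review): per the message below a definition found under
    # LOCAL_DATASTORE_FILE_PATH takes precedence over the bundled one, so the
    # integrity of that local file decides what these queries report —
    # confirm against the loader that actually reads it.
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")

    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            # One lookup per service prefix, flattened into a single list.
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
            _emit(output, one_per_line=True)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            _emit(output, one_per_line=True)
    elif name is None and access_level and not resource_type:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        _emit(output, one_per_line=False)
    elif name is None and access_level and resource_type:
        print(
            f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
        )
        access_level = transform_access_level_text(access_level)
        output = get_actions_with_arn_type_and_access_level(
            service, resource_type, access_level)
        _emit(output, one_per_line=False)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        _emit(output, one_per_line=False)
    # Get a list of IAM Actions under the service that match the given ARN type.
    elif resource_type:
        print(
            f"IAM actions under {service} service that have the resource type {resource_type}:"
        )
        output = get_actions_matching_arn_type(service, resource_type)
        _emit(output, one_per_line=False)
    elif name and access_level is None:
        output = get_action_data(service, name)
        _emit(output, one_per_line=False)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        _emit(output, one_per_line=True)
    return output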
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.actions import get_actions_with_access_level
import json


def main():
    """Print, as indented JSON, every action at the 'Permissions management' level."""
    # 'bundled' selects the IAM definition shipped inside the package.
    session = connect_db('bundled')
    permissions_management_actions = get_actions_with_access_level(
        session, 'all', 'Permissions management'
    )
    print(json.dumps(permissions_management_actions, indent=4))


if __name__ == '__main__':
    main()

"""
Output: Literally all IAM actions that are at the Permissions management access level
"""
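def query_action_table(name, service, access_level, condition, wildcard_only, fmt="json"):
    """Query the Action Table from the Policy Sentry database.

    Use this one when leveraging Policy Sentry as a library. The first
    matching branch below runs, prints a header plus the result, and the
    result is also returned:

      1. ``service == "all"``  -> every service prefix, or, with
                                  ``access_level``, every action at that level
      2. ``name is None`` + ``access_level``, no ``wildcard_only``
                               -> actions of ``service`` at that level
      3. ``name is None`` + ``access_level`` + ``wildcard_only``
                               -> actions at that level that accept only ``"*"``
                                  as resource
      4. ``condition``         -> actions supporting that condition key
      5. ``wildcard_only``     -> actions that accept only ``"*"`` as resource
      6. ``name`` without ``access_level`` -> data for that single action
      7. otherwise             -> every action of ``service``

    Because of that order a ``name`` passed together with an ``access_level``
    is not used as a filter.

    :param name: IAM action name within ``service``, or ``None``
    :param service: IAM service prefix (e.g. ``"s3"``), or ``"all"``
    :param access_level: access level text; ``transform_access_level_text``
        normalizes it before the lookup
    :param condition: condition key to filter on
    :param wildcard_only: truthy to restrict to actions that cannot be
        scoped to a resource ARN
    :param fmt: ``"yaml"`` prints the result as YAML; any other value prints
        JSON (branches 2-6) or one entry per line (branches 1 and 7)
    :return: the printed result (list of actions, list of service prefixes,
        or the single action's data)
    """

    def _emit(data, *, one_per_line):
        # Output shape shared by every branch: YAML when asked for, else
        # either one entry per line or the whole result as indented JSON.
        if fmt == "yaml":
            print(yaml.dump(data))
        elif one_per_line:
            for entry in data:
                print(entry)
        else:
            print(json.dumps(data, indent=4))

    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            # One lookup per service prefix, flattened into a single list.
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
            _emit(output, one_per_line=True)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            _emit(output, one_per_line=True)
    elif name is None and access_level and not wildcard_only:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        _emit(output, one_per_line=False)
    elif name is None and access_level and wildcard_only:
        print(
            f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
        )
        access_level = transform_access_level_text(access_level)
        output = get_actions_at_access_level_that_support_wildcard_arns_only(
            service, access_level)
        _emit(output, one_per_line=False)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        _emit(output, one_per_line=False)
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN) — a policy cannot scope
    # these down by resource, so they deserve a closer look.
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(service)
        _emit(output, one_per_line=False)
    elif name and access_level is None:
        output = get_action_data(service, name)
        _emit(output, one_per_line=False)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        _emit(output, one_per_line=True)
    return output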
#!/usr/bin/env python
from policy_sentry.querying.actions import get_actions_with_access_level
import json


def main():
    """Print, as indented JSON, the s3 actions at the 'Permissions management' level."""
    # These are the s3 actions that can change who may access a bucket or object.
    s3_permissions_actions = get_actions_with_access_level('s3', 'Permissions management')
    print(json.dumps(s3_permissions_actions, indent=4))


if __name__ == '__main__':
    main()

"""
Output:
s3:bypassgovernanceretention
s3:deleteaccesspointpolicy
s3:deletebucketpolicy
s3:objectowneroverridetobucketowner
s3:putaccesspointpolicy
s3:putaccountpublicaccessblock
s3:putbucketacl
s3:putbucketpolicy
s3:putbucketpublicaccessblock
s3:putobjectacl
s3:putobjectversionacl
"""
def example():
    """Print the cloud9 action list, then the s3 'Permissions management' actions."""
    # (query function, positional arguments) pairs, run and printed in order.
    lookups = (
        (get_actions_for_service, ('cloud9',)),
        (get_actions_with_access_level, ('s3', 'Permissions management')),
    )
    for query, args in lookups:
        print(query(*args))