def download_remote_policies(profile=None,
customer_managed=True,
attached_only=True):
# Credentials profile selection
if profile:
profile = profile
else:
profile = "default"
iam_session = login(profile, "iam")
sts_session = login(profile, "sts")
# Get the account ID for use in folder directory naming
account_id = sts_session.get_caller_identity()["Account"]
# Directory names
policy_file_directory = home + config_directory + 'policy-analysis' + '/' + account_id
customer_managed_policy_file_directory = policy_file_directory + '/' + 'customer-managed'
aws_managed_policy_file_directory = policy_file_directory + '/' + 'aws-managed'
create_directory_if_it_doesnt_exist(policy_file_directory)
create_directory_if_it_doesnt_exist(customer_managed_policy_file_directory)
create_directory_if_it_doesnt_exist(aws_managed_policy_file_directory)
policy_group = PolicyGroup()
policy_group.set_remote_policy_metadata(iam_session, customer_managed,
attached_only)
policy_names = policy_group.get_policy_names()
policy_group.set_remote_policy_documents(iam_session)
# Determine whether we should store it in the customer-managed or aws-managed directory
if customer_managed:
filename_directory = customer_managed_policy_file_directory
else:
filename_directory = aws_managed_policy_file_directory
print("Writing the policy files to " + filename_directory)
print("")
for policy_name in policy_names:
# get the default policy version for that specific policy
document = policy_group.get_policy_document(policy_name)
filename = filename_directory + '/' + policy_name + '.json'
write_json_file(filename, document)
print(
"If you want to analyze the policies, specify the policy file in the analyze-iam-policy command\n"
)
print("The list of policies downloaded are:")
print("")
only_files = list_files_in_directory(filename_directory)
for filename in only_files:
print(filename)
def download_remote_policies(profile=None,
customer_managed=True,
attached_only=True):
"""Download IAM Policies from live accounts to ~/policy_sentry/analysis/account_id/"""
# Credentials profile selection
if profile:
profile = profile
else:
profile = "default"
iam_session = login(profile, "iam")
sts_session = login(profile, "sts")
# Get the account ID for use in folder directory naming
account_id = sts_session.get_caller_identity()["Account"]
# Directory names
policy_file_directory = HOME + CONFIG_DIRECTORY + \
'analysis' + '/' + account_id
customer_managed_policy_file_directory = policy_file_directory + '/' + 'customer-managed'
aws_managed_policy_file_directory = policy_file_directory + '/' + 'aws-managed'
create_directory_if_it_doesnt_exist(policy_file_directory)
create_directory_if_it_doesnt_exist(customer_managed_policy_file_directory)
create_directory_if_it_doesnt_exist(aws_managed_policy_file_directory)
policy_group = PolicyGroup()
policy_group.set_remote_policy_metadata(iam_session, customer_managed,
attached_only)
policy_names = policy_group.get_policy_names()
policy_group.set_remote_policy_documents(iam_session)
# Determine whether we should store it in the customer-managed or
# aws-managed directory
if customer_managed:
filename_directory = customer_managed_policy_file_directory
else:
filename_directory = aws_managed_policy_file_directory
print("Writing the policy files to " + filename_directory)
print("")
for policy_name in policy_names:
# get the default policy version for that specific policy
document = policy_group.get_policy_document(policy_name)
filename = filename_directory + '/' + policy_name + '.json'
write_json_file(filename, document)
print(
"If you want to analyze the policies, just run:\n\npolicy_sentry analyze downloaded-policies"
)
return filename_directory
def write_policy_dir(input_dir, output_dir, crud, minimize):
"""
write_policy, but this time with an input directory of YML/YAML files, and an output directory for all the JSON files
"""
home = str(Path.home())
config_directory = '/.policy_sentry/'
database_file_name = 'aws.sqlite3'
database_path = home + config_directory + database_file_name
db_session = connect_db(database_path)
input_dir = os.path.abspath(input_dir)
output_dir = os.path.abspath(output_dir)
if not crud:
print(
"Warning: If you are using ARNs from Terraform to generate your policies, "
"try using the CRUD functionality instead of the default actions-based policy writing functionality."
)
if not minimize:
print(
"Warning: --minimize option is not set. If the policy is too large, "
"it can hit the AWS IAM Policy character limit. "
"We'll execute as-is, but try using `--minimize 0` functionality "
"for production to optimize policy size.\n")
# Construct the path
# Get the list of files
# Write a list of the names
if not check_valid_file_path(input_dir):
print("Input directory is invalid")
sys.exit()
if not check_valid_file_path(output_dir):
print("Output directory is invalid")
sys.exit()
input_files = glob.glob(str(input_dir + '/*.yml'), recursive=False)
if not input_files:
print(
"Directory is empty or does not have files with *.yml extension. "
"Please check the folder contents and/or extension spelling.")
print("Writing the policy JSON files from " + input_dir + " to " +
output_dir + "...\n")
for yaml_file in input_files:
# Get the name of the file, and strip the extension. This is what the policy name will be
base_name = os.path.basename(yaml_file)
base_name_no_extension = os.path.splitext(
os.path.basename(yaml_file))[0]
cfg = read_yaml_file(yaml_file)
# User supplies file containing resource-specific access levels
if crud:
policy = write_policy_with_access_levels(cfg, db_session, minimize)
# User supplies file containing a list of IAM actions
else:
policy = write_policy_with_actions(cfg, db_session, minimize)
print("Writing policy for " + base_name + '\n')
target_file = str(output_dir + '/' + base_name_no_extension + '.json')
if os.path.exists(target_file):
print(
"Target file for " + base_name_no_extension + '.json' +
" exists in the target directory. Removing it and writing a new file.\n"
)
os.remove(target_file)
write_json_file(target_file, policy)
print("Finished")
