def _assume_role_policy_document(self):
"""Set the assume role policy document"""
if self.principal_type == "Role":
this_document = self.principal_detail.get("AssumeRolePolicyDocument", None)
if this_document:
assume_role_policy_document = AssumeRolePolicyDocument(this_document)
return assume_role_policy_document
else:
return None
else:
return None
def _assume_role_policy_document(self):
"""Set the assume role policy document"""
if self.principal_type == "Role":
this_document = self.principal_detail.get("AssumeRolePolicyDocument", None)
if this_document:
assume_role_policy_document = AssumeRolePolicyDocument(this_document)
return assume_role_policy_document
# For roles, a trust policy is required. I'm simply including an else statement here
# to make Pylint and coverage happy.
else:
return None # pragma: no cover
else:
return None
def test_findings_for_roles_assumable_by_compute_services_ecs_tasks_new(self):
trust_policy_from_compute_service_ecs_tasks = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root",
}
}
]
}
assume_role_policy_document = AssumeRolePolicyDocument(trust_policy_from_compute_service_ecs_tasks)
test_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
}
]
}
policy_document = PolicyDocument(test_policy)
finding = Finding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:role/TestComputeService",
actions=["s3:GetObject"],
policy_document=policy_document,
assume_role_policy_document=assume_role_policy_document
)
# print(finding.role_assumable_by_compute_services)
self.assertListEqual(finding.role_assumable_by_compute_services, ["ecs-tasks"])
role_finding = RoleFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:role/TestComputeService",
actions=["s3:GetObject"],
policy_document=policy_document,
assume_role_policy_document=assume_role_policy_document
)
self.assertListEqual(role_finding.role_assumable_by_compute_services, ["ecs-tasks"])
def __init__(self, role_detail, policy_details):
"""
Initialize the RoleDetail object.
:param role_detail: Details about a particular Role
:param policy_details: The PolicyDetails object - i.e., details about all managed policies in the account
so the role can inherit those attributes
"""
# Metadata
self.path = role_detail.get("Path")
self.role_name = role_detail.get("RoleName")
self.role_id = role_detail.get("RoleId")
self.arn = role_detail.get("Arn")
self.create_date = role_detail.get("CreateDate")
self.tags = role_detail.get("Tags")
self.role_last_used = role_detail.get("RoleLastUsed")
# Metadata in object form
if role_detail.get("AssumeRolePolicyDocument"):
self.assume_role_policy_document = AssumeRolePolicyDocument(
role_detail.get("AssumeRolePolicyDocument"))
else:
self.assume_role_policy_document = None
# TODO: Create a class for InstanceProfileList
self.instance_profile_list = role_detail.get("InstanceProfileList")
# Inline Policies
self.inline_policies = {}
if role_detail.get("RolePolicyList"):
for inline_policy in role_detail.get("RolePolicyList"):
non_provider_id = get_non_provider_id(
inline_policy.get("PolicyName"))
self.inline_policies[non_provider_id] = dict(
PolicyName=inline_policy.get("PolicyName"),
PolicyDocument=PolicyDocument(
inline_policy.get("PolicyDocument")),
)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
if role_detail.get("AttachedManagedPolicies"):
self._attached_managed_policies_details(
role_detail.get("AttachedManagedPolicies"), policy_details)
else:
self.attached_managed_policies = []
def __init__(self,
role_detail,
policy_details,
exclusions=DEFAULT_EXCLUSIONS):
"""
Initialize the RoleDetail object.
:param role_detail: Details about a particular Role
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
so the role can inherit those attributes
"""
# Metadata
self.path = role_detail.get("Path")
self.role_name = role_detail.get("RoleName")
self.role_id = role_detail.get("RoleId")
self.arn = role_detail.get("Arn")
self.create_date = role_detail.get("CreateDate")
self.tags = role_detail.get("Tags")
self.role_last_used = role_detail.get("RoleLastUsed")
self.role_detail = role_detail # just to reference later in debugging
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again.")
self.is_excluded = self._is_excluded(exclusions)
# Metadata in object form
if role_detail.get("AssumeRolePolicyDocument"):
self.assume_role_policy_document = AssumeRolePolicyDocument(
role_detail.get("AssumeRolePolicyDocument"))
else:
self.assume_role_policy_document = None
# TODO: Create a class for InstanceProfileList
self.instance_profile_list = role_detail.get("InstanceProfileList")
# Inline Policies
self.inline_policies = []
if role_detail.get("RolePolicyList"):
self._inline_policies_details(role_detail.get("RolePolicyList"))
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
if role_detail.get("AttachedManagedPolicies"):
self._attached_managed_policies_details(
role_detail.get("AttachedManagedPolicies"), policy_details)
def test_findings_for_roles_assumable_by_compute_services_empty(self):
"""output.findings.role_assumable_by_compute_services"""
trust_policy_from_non_compute_service = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Principal": {
"Service": ["yolo.amazonaws.com"]
}
}
]
}
assume_role_policy_document = AssumeRolePolicyDocument(trust_policy_from_non_compute_service)
test_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
}
]
}
policy_document = PolicyDocument(test_policy)
finding = Finding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:role/TestComputeService",
actions=["s3:GetObject"],
policy_document=policy_document,
assume_role_policy_document=assume_role_policy_document
)
self.assertListEqual(finding.role_assumable_by_compute_services, [])
# print(json.dumps(finding.assume_role_policy_document_json, indent=4))
self.assertDictEqual(finding.assume_role_policy_document_json, trust_policy_from_non_compute_service)
def test_new_findings(self):
"""output.new_findings.Findings"""
self.maxDiff = None
test_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
}
policy_document = PolicyDocument(test_policy)
# (1) If the user is a member of an excluded group, return True
exclusions_cfg = dict(users=["obama"],
groups=["exclude-group"],
roles=["MyRole"],
policies=["exclude-policy"])
exclusions = Exclusions(exclusions_cfg)
attached_managed_policies = [{
"PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
"PolicyName": "AWSLambdaFullAccess"
}]
# Let's just re-use the same policy for users groups and roles
user_finding = UserFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:user/SomeUser",
actions=["s3:GetObject"],
policy_document=policy_document,
group_membership=["admin"],
attached_managed_policies=attached_managed_policies,
exclusions=exclusions)
group_finding = GroupFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/SomeGroup",
actions=["s3:GetObject"],
policy_document=policy_document,
members=["obama"],
exclusions=exclusions)
trust_policy_from_compute_service_ecs_tasks = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root",
}
}]
}
assume_role_policy_document = AssumeRolePolicyDocument(
trust_policy_from_compute_service_ecs_tasks)
role_finding = RoleFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:role/SomeRole",
actions=["s3:GetObject"],
policy_document=policy_document,
assume_role_policy_document=assume_role_policy_document,
exclusions=exclusions)
policy_finding = PolicyFinding(
policy_name="AWSLambdaFullAccess",
arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess",
actions=["s3:GetObject"],
policy_document=policy_document,
exclusions=exclusions)
all_findings = Findings(exclusions)
all_findings.add_user_finding(user_finding)
result = all_findings.users[0]
expected_user_result = {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeUser",
"PolicyName": "MyPolicy",
"Type": "User",
"Arn": "arn:aws:iam::123456789012:user/SomeUser",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}
self.assertDictEqual(result.json, expected_user_result)
principal_policy_mapping = [
{
"Principal": "SomeUser",
"Type": "User",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
{
"Principal": "SomeUser",
"Type": "User",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "AWSLambdaFullAccess",
"GroupMembership": None,
},
{
"Principal": "SomeGroup",
"Type": "Group",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
{
"Principal": "SomeRole",
"Type": "Role",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
]
all_findings.principal_policy_mapping = principal_policy_mapping
all_findings.add_group_finding(group_finding)
all_findings.add_role_finding(role_finding)
all_findings.add_policy_finding(policy_finding)
print(len(all_findings))
self.assertEqual(len(all_findings), 4)
results = all_findings.json
expected_results = [{
"AccountID": "N/A",
"ManagedBy": "AWS",
"Name": "AWSLambdaFullAccess",
"PolicyName": "AWSLambdaFullAccess",
"Type": "Policy",
"Arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeUser",
"PolicyName": "MyPolicy",
"Type": "User",
"Arn": "arn:aws:iam::123456789012:user/SomeUser",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeGroup",
"PolicyName": "MyPolicy",
"Type": "Group",
"Arn": "arn:aws:iam::123456789012:group/SomeGroup",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeRole",
"PolicyName": "MyPolicy",
"Type": "Role",
"Arn": "arn:aws:iam::123456789012:role/SomeRole",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root"
}
}]
},
"AssumableByComputeService": ["ecs-tasks"],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}]
# print(json.dumps(all_findings.json, indent=4))
self.assertListEqual(results, expected_results)
def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
"""
Initialize the RoleDetail object.
:param role_detail: Details about a particular Role
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
so the role can inherit those attributes
"""
# Metadata
self.path = role_detail.get("Path")
self.role_name = role_detail.get("RoleName")
self.role_id = role_detail.get("RoleId")
self.arn = role_detail.get("Arn")
self.create_date = role_detail.get("CreateDate")
self.tags = role_detail.get("Tags")
self.role_last_used = role_detail.get("RoleLastUsed").get("LastUsedDate")
self.role_detail = role_detail # just to reference later in debugging
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again."
)
self.is_excluded = self._is_excluded(exclusions)
# Metadata in object form
if role_detail.get("AssumeRolePolicyDocument"):
self.assume_role_policy_document = AssumeRolePolicyDocument(role_detail.get("AssumeRolePolicyDocument"))
else:
self.assume_role_policy_document = None
# TODO: Create a class for InstanceProfileList
self.instance_profile_list = role_detail.get("InstanceProfileList")
# Inline Policies
self.inline_policies = []
# If the role itself is NOT excluded, add its inline policies
if not self.is_excluded:
if role_detail.get("RolePolicyList"):
for policy_detail in role_detail.get("RolePolicyList"):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(json.dumps(policy_document))
if not (
exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)
):
inline_policy = InlinePolicy(policy_detail)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
if role_detail.get("AttachedManagedPolicies"):
for policy in role_detail.get("AttachedManagedPolicies"):
arn = policy.get("PolicyArn")
if not (
exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(get_full_policy_path(arn))
or exclusions.is_policy_excluded(get_policy_name(arn))
):
attached_managed_policy_details = policy_details.get_policy_detail(arn)
self.attached_managed_policies.append(attached_managed_policy_details)
def __init__(
self,
role_detail: Dict[str, Any],
policy_details: ManagedPolicyDetails,
exclusions: Exclusions = DEFAULT_EXCLUSIONS,
flag_conditional_statements: bool = False,
flag_resource_arn_statements: bool = False,
) -> None:
"""
Initialize the RoleDetail object.
:param role_detail: Details about a particular Role
:param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
so the role can inherit those attributes
"""
# Metadata
self.path = role_detail["Path"]
self.role_name = role_detail["RoleName"]
self.role_id = role_detail["RoleId"]
self.arn = role_detail.get("Arn")
self.create_date = role_detail.get("CreateDate")
self.tags = role_detail.get("Tags")
self.role_last_used = role_detail.get("RoleLastUsed",
{}).get("LastUsedDate")
self.role_detail = role_detail # just to reference later in debugging
if not isinstance(exclusions, Exclusions):
raise Exception(
"The exclusions provided is not an Exclusions type object. "
"Please supply an Exclusions object and try again.")
self.is_excluded = self._is_excluded(exclusions)
# Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
self.flag_conditional_statements = flag_conditional_statements
self.flag_resource_arn_statements = flag_resource_arn_statements
# Metadata in object form
self.assume_role_policy_document = None
assume_role_policy = role_detail.get("AssumeRolePolicyDocument")
if assume_role_policy:
self.assume_role_policy_document = AssumeRolePolicyDocument(
assume_role_policy)
# TODO: Create a class for InstanceProfileList
self.instance_profile_list = role_detail.get("InstanceProfileList", [])
# Inline Policies
self.inline_policies = []
# If the role itself is NOT excluded, add its inline policies
if not self.is_excluded:
for policy_detail in role_detail.get("RolePolicyList", []):
policy_name = policy_detail.get("PolicyName")
policy_document = policy_detail.get("PolicyDocument")
policy_id = get_non_provider_id(json.dumps(policy_document))
if not (exclusions.is_policy_excluded(policy_name)
or exclusions.is_policy_excluded(policy_id)):
inline_policy = InlinePolicy(
policy_detail,
exclusions=exclusions,
flag_conditional_statements=flag_conditional_statements,
flag_resource_arn_statements=
flag_resource_arn_statements)
self.inline_policies.append(inline_policy)
# Managed Policies (either AWS-managed or Customer managed)
self.attached_managed_policies = []
# If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
if not self.is_excluded:
for policy in role_detail.get("AttachedManagedPolicies", []):
arn = policy.get("PolicyArn")
if not (exclusions.is_policy_excluded(arn)
or exclusions.is_policy_excluded(
get_full_policy_path(arn)) or
exclusions.is_policy_excluded(get_policy_name(arn))):
attached_managed_policy_details = policy_details.get_policy_detail(
arn)
self.attached_managed_policies.append(
attached_managed_policy_details)
