def find_and_mark_inactive(account_number, active_roles):
"""
Mark roles in the account that aren't currently active inactive. Do this by getting all roles in the account and
subtracting the active roles, any that are left are inactive and should be marked thusly.
Args:
account_number (string)
active_roles (set): the currently active roles discovered in the most recent scan
Returns:
None
"""
from repokid.repokid import LOGGER
active_roles = set(active_roles)
known_roles = set(role_ids_for_account(account_number))
inactive_roles = known_roles - active_roles
for roleID in inactive_roles:
role_dict = _get_role_data(roleID, fields=['Active', 'Arn'])
if role_dict['Active']:
try:
DYNAMO_TABLE.update_item(
Key={'RoleId': roleID},
UpdateExpression="SET Active = :false",
ExpressionAttributeValues={":false": False})
except BotoClientError as e:
LOGGER.error('Dynamo table error: {}'.format(e))
else:
LOGGER.info('Marked role ({}): {} inactive'.format(
roleID, role_dict['Arn']))
def apply(self, input_list):
blacklisted_roles = []
for role in input_list:
if role['RoleName'].lower() in self.overridden_role_names:
blacklisted_roles.append(role)
LOGGER.info('{name} in the role blacklist'.format(
name=role['RoleName']))
return blacklisted_roles
def apply(self, input_list):
lambda_roles = []
for role in input_list:
if 'lambda' in str(role['AssumeRolePolicyDocument']).lower():
LOGGER.info('{name} looks like a lambda role.'.format(
name=role['RoleName']))
lambda_roles.append(role)
return list(lambda_roles)
def apply(self, input_list):
now = datetime.datetime.now(tzlocal())
try:
days_delta = self.config['minimum_age']
except KeyError:
LOGGER.info('Minimum age not set in config, using default 90 days')
days_delta = 90
ago = datetime.timedelta(days=days_delta)
too_young = []
for role in input_list:
if role['CreateDate'] > now - ago:
LOGGER.info(
'Role {name} created too recently to cleanup. ({date})'.
format(name=role['RoleName'], date=role['CreateDate']))
too_young.append(role)
return too_young
def update_role_data(role, current_policy):
"""
Compare the current version of a policy for a role and what has been previously stored in Dynamo.
- If current and new policy versions are different store the new version in Dynamo. Add any newly added
permissions to temporary permission blacklist. Purge any old entries from permission blacklist.
- Refresh the updated time on the role policy
- If the role is completely new, store the first version in Dynamo
- Updates the role with full history of policies, including current version
Args:
role (Role): current role being updated
current_policy (dict): representation of the current policy version
Returns:
None
"""
from repokid.repokid import LOGGER
# policy_entry: source, discovered, policy
stored_role = _get_role_data(role.role_id, fields=['Policies'])
if stored_role:
# is the policy list the same as the last we had?
old_policy = _empty_string_from_dynamo_replace(
stored_role['Policies'][-1]['Policy'])
if current_policy != old_policy:
add_new_policy_version(role, current_policy, 'Scan')
LOGGER.info(
'{} has different inline policies than last time, adding to role store'
.format(role.arn))
newly_added_permissions = repokid.repokid._find_newly_added_permissions(
old_policy, current_policy)
else:
newly_added_permissions = set()
update_no_repo_permissions(role, newly_added_permissions)
_refresh_updated_time(role.role_id)
else:
_store_item(role, current_policy)
LOGGER.info('Added new role ({}): {}'.format(role.role_id, role.arn))
role.policies = get_role_data(role.role_id,
fields=['Policies']).get('Policies', [])
def find_and_mark_inactive(active_roles):
"""Mark roles that used to be active but weren't in current role listing inactive"""
from repokid.repokid import CUR_ACCOUNT_NUMBER
from repokid.repokid import LOGGER
active_roles = set(active_roles)
known_roles = set(roles_for_account(CUR_ACCOUNT_NUMBER))
inactive_roles = known_roles - active_roles
for roleID in inactive_roles:
role_dict = _get_role_data(roleID)
if role_dict['Active']:
try:
DYNAMO_TABLE.update_item(
Key={'RoleId': roleID},
UpdateExpression="SET Active = :false",
ExpressionAttributeValues={":false": False})
except BotoClientError as e:
LOGGER.error('Dynamo table error: {}'.format(e))
else:
LOGGER.info('Marked role ({}): {} inactive'.format(
roleID, role_dict['Arn']))
def update_role_data(role_dict):
"""Given role data either add it to the datastore, add a revision of the policies, or refresh updated time"""
from repokid.repokid import LOGGER
# need to convert to (stupid) DynamoDB empty string form
if 'policies' in role_dict:
role_dict['policies'] = _empty_string_to_dynamo_replace(
role_dict['policies'])
# policy_entry: source, discovered, policy
stored_role = _get_role_data(role_dict['RoleId'])
if stored_role:
# is the policy list the same as the last we had?
if not role_dict['policies'] == stored_role['Policies'][-1]['Policy']:
add_new_policy_version(role_dict, 'Scan')
LOGGER.info(
'{} has different inline policies than last time, adding to role store'
.format(role_dict['Arn']))
_refresh_updated_time(role_dict['RoleId'])
else:
_store_item(role_dict)
LOGGER.info('Added new role ({}): {}'.format(role_dict['RoleId'],
role_dict['Arn']))