def test_analyze_policies(self):
data = {
"settings": {
"principal_service": ["ec2", "ec2", "lambda"],
"policies": ["default_role_policy"],
"additional_policies": [{
"action": "s3:GetObject",
"resource": "arn:aws:s3:::mybucketname"
}],
}
}
role = Role(data)
actual = []
for analyzed_policy in role.analyze_policies():
for finding in analyzed_policy.findings:
actual.append(str(finding))
expected = [
"RESOURCE_MISMATCH"
" - [{'action': 's3:GetObject', 'required_format': 'arn:*:s3:::*/*'}]"
" - {'actions': ['s3:GetObject'], 'filepath': None}"
]
self.assertEqual(actual, expected)
def test_valid_managed_policy(self):
data = {
"settings": {
"managed_policy_arns": ["AmazonEKSWorkerNodePolicy"]
}
}
role = Role(data)
actual = role.analyze_policies()
expected = []
self.assertEqual(actual, expected)
def test_invalid_managed_policy(self):
data = {"settings": {"managed_policy_arns": ["AdministratorAccess"]}}
role = Role(data)
actual = [str(finding) for finding in role.analyze_policies()]
expected = [
"DENIED_POLICIES"
" - Managed policies are not approved for use"
" - {'managed_policy_arns': ['AdministratorAccess']}"
]
self.assertEqual(actual, expected)
def lambda_handler(event, context=None):
LOGGER.debug(f"event: {event}")
if not event:
LOGGER.error("No event found in request")
return {"result": "UNSUPPORTED"}
role_type = event.get("type")
if role_type != "iam":
return {"result": "UNSUPPORTED"}
stack_name = event.get("stack_name")
account_id = event.get("account_id")
region = event.get("region")
roles = validate_yaml(event.get("roles"))
if not roles:
return {"result": "NON_COMPLIANT"}
all_findings = []
for role_dict in roles:
role = Role(role_dict, region, account_id)
analyzed_polices = role.analyze_policies()
role_findings = []
for analyzed_policy in analyzed_polices:
role_findings.extend(analyzed_policy.findings)
if not role_findings:
findings = simulate_policies(account_id, analyzed_polices)
role_findings.extend(findings)
all_findings.extend(role_findings)
if all_findings:
for finding in all_findings:
LOGGER.error(str(finding))
return {"result": "NON_COMPLIANT"}
output = {
"result": "COMPLIANT",
"roles": roles,
"account_id": account_id,
"region": region,
"stack_name": stack_name,
}
return output