def test_auditor_policy_6_conditionals(self):
au = S3Auditor(debug = True)
data = {
'policy': {
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::33333333333:role/Test'
},
'Condition': 'Blah'
}
]
}
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_policy(obj)
# Any policy that has conditions must also have
# either friendly, third party, or unknown access.
# So the length will always be 2 here:
self.assertEquals(len(obj.audit_issues), 2)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
if issue.issue == 'POLICY - This policy has conditions.':
self.assertEquals(issue.score, 3)
self.assertRegexpMatches(issue.issue, "POLICY - This policy has conditions.")
def test_auditor_policy_8_cross_account_third_party(self):
import security_monkey
security_monkey.constants.KNOWN_FRIENDLY_THIRDPARTY_ACCOUNTS = {
'0123456789': 'friendly'
}
au = S3Auditor(debug = True)
data = {
'policy': {
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::0123456789:role/Test'
}
}
]
}
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_policy(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 0)
self.assertRegexpMatches(issue.issue, "POLICY - Friendly Third Party Account Access.")
self.assertEquals(issue.notes, 'friendly')
def test_s3_acls(self):
s3_auditor = S3Auditor(accounts=["012345678910"])
# CONFIG ONE:
s3_auditor.check_acl(self.s3_items[0])
assert len(self.s3_items[0].audit_issues) == 0
# CONFIG TWO:
s3_auditor.check_acl(self.s3_items[1])
assert len(self.s3_items[1].audit_issues) == 1
assert self.s3_items[1].audit_issues[0].score == 10
assert self.s3_items[1].audit_issues[
0].issue == "ACL - Unknown Cross Account Access."
# CONFIG THREE:
s3_auditor.check_acl(self.s3_items[2])
assert len(self.s3_items[2].audit_issues) == 1
assert self.s3_items[2].audit_issues[0].score == 0
assert self.s3_items[2].audit_issues[
0].issue == "ACL - Friendly Account Access."
# CONFIG FOUR:
s3_auditor.check_acl(self.s3_items[3])
assert len(self.s3_items[3].audit_issues) == 1
assert self.s3_items[3].audit_issues[0].score == 0
assert self.s3_items[3].audit_issues[
0].issue == "ACL - Friendly Third Party Access."
def test_auditor_policy_9_cross_account_friendly(self):
friend_name = 'friendly'
from security_monkey.constants import Constants
Constants.account_by_number = MagicMock(return_value=friend_name)
au = S3Auditor(debug = True)
data = {
'policy': {
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::0123456789:role/Test'
}
}
]
}
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_policy(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 0)
self.assertRegexpMatches(issue.issue, "POLICY - Friendly Account Access.")
self.assertRegexpMatches(issue.notes, friend_name)
def __init__(self, accounts=None, alert_accounts=None, debug=False):
self.account_watchers = {}
self.account_alerters = {}
if not alert_accounts:
alert_accounts = accounts
for account in accounts:
self.account_watchers[account] = [
(SQS(accounts=[account], debug=debug), None),
(ELB(accounts=[account], debug=debug), None),
(IAMSSL(accounts=[account], debug=debug), None),
(RDSSecurityGroup(accounts=[account], debug=debug),
RDSSecurityGroupAuditor(accounts=[account], debug=debug)),
(SecurityGroup(accounts=[account], debug=debug),
SecurityGroupAuditor(accounts=[account], debug=debug)),
(S3(accounts=[account],
debug=debug), S3Auditor(accounts=[account], debug=debug)),
(IAMUser(accounts=[account], debug=debug),
IAMUserAuditor(accounts=[account], debug=debug)),
(IAMGroup(accounts=[account], debug=debug), None),
(IAMRole(accounts=[account], debug=debug), None),
(Keypair(accounts=[account], debug=debug), None),
(SNS(accounts=[account],
debug=debug), SNSAuditor(accounts=[account], debug=debug))
]
if account in alert_accounts:
self.account_alerters[account] = Alerter(
watchers_auditors=self.account_watchers[account],
account=account)
def audit_s3(accounts, send_report):
""" Runs auditors/s3 """
accounts = __prep_accounts__(accounts)
au = S3Auditor(accounts=accounts, debug=True)
au.audit_all_objects()
if send_report:
report = au.create_report()
au.email_report(report)
au.save_issues()
db.session.close()
def test_auditor_acl_authenticated_users(self):
au = S3Auditor(debug=True)
data = {
'grants': {
'http://acs.amazonaws.com/groups/global/AuthenticatedUsers':
[
'READ', 'WRITE'
],
},
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_acl(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 10)
self.assertRegexpMatches(issue.issue, "ACL - AuthenticatedUsers USED. ")
self.assertEquals(issue.notes, 'READ,WRITE')
def test_auditor_acl_unkown_cross_account_access(self):
au = S3Auditor(debug=True)
data = {
'grants': {
'UNKOWN_ACCOUNT_DOESNT_EXIST':
[
'READ', 'WRITE'
],
},
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_acl(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 10)
self.assertRegexpMatches(issue.issue, "ACL - Unknown Cross Account Access.")
self.assertEquals(issue.notes, 'READ,WRITE UNKOWN_ACCOUNT_DOESNT_EXIST')
def find_s3_changes(accounts):
""" Runs watchers/s3"""
accounts = __prep_accounts__(accounts)
cw = S3(accounts=accounts, debug=True)
(items, exception_map) = cw.slurp()
cw.find_changes(current=items, exception_map=exception_map)
# Audit these changed items
items_to_audit = []
for item in cw.created_items + cw.changed_items:
s3_item = S3Item(region=item.region, account=item.account, name=item.name, config=item.new_config)
items_to_audit.append(s3_item)
au = S3Auditor(accounts=accounts, debug=True)
au.audit_these_objects(items_to_audit)
au.save_issues()
cw.save()
db.session.close()
def test_auditor_policy_allow_all(self):
au = S3Auditor(debug = True)
data = {
'policy': {
'Statement': [
{
'Effect': 'Allow',
'Principal': '*'
}
]
}
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_policy(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 10)
self.assertRegexpMatches(issue.issue, "POLICY - This Policy Allows Access From Anyone.")
def test_auditor_acl_third_party_access(self):
# "Mocking" out S3_THIRD_PARTY_ACCOUNTS
import security_monkey
security_monkey.constants.S3_THIRD_PARTY_ACCOUNTS = ['TEST_THIRD_PARTY_FRIEND']
au = S3Auditor(debug=True)
data = {
'grants': {
'TEST_THIRD_PARTY_FRIEND':
[
'READ', 'WRITE'
],
},
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_acl(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 0)
self.assertRegexpMatches(issue.issue, "ACL - Friendly Third Party Access.")
self.assertEquals(issue.notes, 'READ,WRITE TEST_THIRD_PARTY_FRIEND')
def test_auditor_policy_7_cross_account_unknown(self):
au = S3Auditor(debug = True)
data = {
'policy': {
'Statement': [
{
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::11111111111:role/Test'
}
}
]
}
}
obj = S3Item(region='test-region', account='test-account', name='test-name', config=data)
au.check_policy(obj)
self.assertEquals(len(obj.audit_issues), 1)
if len(obj.audit_issues) == 1:
for issue in obj.audit_issues:
self.assertEquals(issue.score, 10)
self.assertRegexpMatches(issue.issue, "POLICY - Unknown Cross Account Access")
self.assertRegexpMatches(issue.notes, 'Account ID: 11111111111 ARN: arn:aws:iam::11111111111:role/Test')
def test_check_policy_exists(self):
auditor = S3Auditor(accounts=['012345678910'])
auditor.check_policy_exists(self.s3_items[4])
assert len(self.s3_items[4].audit_issues) == 1
assert self.s3_items[4].audit_issues[0].score == 0
assert self.s3_items[4].audit_issues[0].issue == "POLICY - No Policy."
def test_s3_acls(self):
s3_auditor = S3Auditor(accounts=["012345678910"])
s3_auditor.prep_for_audit()
# CONFIG ONE:
self.run_acl_checks(s3_auditor, self.s3_items[0])
assert len(self.s3_items[0].audit_issues) == 0
# CONFIG TWO:
item = self.s3_items[1]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 10
assert item.audit_issues[0].issue == "Unknown Access"
assert item.audit_issues[
0].notes == "Entity: [ACL:34589673489752397023749287uiouwshjksdhfdjkshfdjkshf2381] Actions: [\"FULL_CONTROL\"]"
# CONFIG THREE:
item = self.s3_items[2]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 0
assert item.audit_issues[0].issue == "Friendly Cross Account"
assert item.audit_issues[
0].notes == "Account: [012345678911/TEST_ACCOUNT2] Entity: [ACL:lksdjfilou32890u47238974189237euhuu128937192837189uyh1hr3] Actions: [\"FULL_CONTROL\"]"
# CONFIG FOUR:
item = self.s3_items[3]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 0
assert item.audit_issues[0].issue == "Thirdparty Cross Account"
assert item.audit_issues[
0].notes == "Account: [012345678912/TEST_ACCOUNT3] Entity: [ACL:dsfhgiouhy23984723789y4riuwhfkajshf91283742389u823723] Actions: [\"FULL_CONTROL\"]"
# CONFIG FIVE:
item = self.s3_items[5]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 10
assert item.audit_issues[0].issue == "Internet Accessible"
assert item.audit_issues[
0].notes == "Account: [AWS/AWS] Entity: [ACL:http://acs.amazonaws.com/groups/global/AllUsers] Actions: [\"READ\"]"
# CONFIG SIX:
item = self.s3_items[6]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 10
assert item.audit_issues[0].issue == "Internet Accessible"
assert item.audit_issues[
0].notes == "Account: [AWS/AWS] Entity: [ACL:http://acs.amazonaws.com/groups/global/AuthenticatedUsers] Actions: [\"READ\"]"
# CONFIG SEVEN:
item = self.s3_items[7]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 0
assert item.audit_issues[0].issue == "Thirdparty Cross Account"
assert item.audit_issues[
0].notes == "Account: [AWS/AWS] Entity: [ACL:http://acs.amazonaws.com/groups/s3/LogDelivery] Actions: [\"READ\"]"
# CONFIG EIGHT:
item = self.s3_items[8]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 0
assert item.audit_issues[0].issue == "Friendly Cross Account"
assert item.audit_issues[
0].notes == "Account: [012345678911/TEST_ACCOUNT2] Entity: [ACL:test_accnt2] Actions: [\"READ\"]"
# CONFIG NINE:
item = self.s3_items[9]
self.run_acl_checks(s3_auditor, item)
assert len(item.audit_issues) == 1
assert item.audit_issues[0].score == 0
assert item.audit_issues[0].issue == "Thirdparty Cross Account"
assert item.audit_issues[
0].notes == "Account: [012345678912/TEST_ACCOUNT3] Entity: [ACL:test_accnt3] Actions: [\"READ\"]"
def pre_test_setup(self):
S3Auditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()
self.s3_items = [
# Same Account
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket1",
config=CONFIG_ONE),
# ACL with unknown cross account access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket2",
config=CONFIG_TWO),
# ACL with friendly access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT2",
name="bucket3",
config=CONFIG_THREE),
# ACL with friendly thirdparty access
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT3",
name="bucket4",
config=CONFIG_FOUR),
# Bucket without a policy
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket5",
config=CONFIG_FOUR),
# Bucket with AllUsers
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket5",
config=CONFIG_FIVE),
# Bucket with AuthenticatedUsers
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket6",
config=CONFIG_SIX),
# Bucket with LogDelivery
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket7",
config=CONFIG_SEVEN),
# Bucket with deprecated friendly short s3 name
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket8",
config=CONFIG_EIGHT),
# Bucket with deprecated thirdparty short s3 name
CloudAuxChangeItem(region="us-east-1",
account="TEST_ACCOUNT",
name="bucket9",
config=CONFIG_NINE)
]
account_type_result = AccountType(name='AWS')
db.session.add(account_type_result)
db.session.commit()
# SAME Account
account = Account(identifier="012345678910",
name="TEST_ACCOUNT",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT",
third_party=False,
active=True)
account.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="23984723987489237489237489237489uwedfjhdsjklfhksdfh2389"
))
account.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt1"))
# Friendly Account
account2 = Account(identifier="012345678911",
name="TEST_ACCOUNT2",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT2",
third_party=False,
active=True)
account2.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value=
"lksdjfilou32890u47238974189237euhuu128937192837189uyh1hr3"))
account2.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt2"))
# Thirdparty Account
account3 = Account(identifier="012345678912",
name="TEST_ACCOUNT3",
account_type_id=account_type_result.id,
notes="TEST_ACCOUNT3",
third_party=True,
active=True)
account3.custom_fields.append(
AccountTypeCustomValues(
name="canonical_id",
value="dsfhgiouhy23984723789y4riuwhfkajshf91283742389u823723"))
account3.custom_fields.append(
AccountTypeCustomValues(name="s3_name", value="test_accnt3"))
db.session.add(account)
db.session.add(account2)
db.session.add(account3)
db.session.commit()