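def __init__(self, auth_json, exclusions=DEFAULT_EXCLUSIONS):
        """
        Hold the parsed output of ``aws iam get-account-authorization-details`` for analysis.

        :param auth_json: dict parsed from the get-account-authorization-details
            response. The "Policies", "GroupDetailList", "UserDetailList" and
            "RoleDetailList" sections are read with ``dict.get``, so a missing
            section is handed to the corresponding helper as ``None``.
        :param exclusions: an ``Exclusions`` instance. The default is the
            module-level ``DEFAULT_EXCLUSIONS`` object, which is shared by every
            caller relying on the default — do not mutate it per instance.
        :raises TypeError: if ``exclusions`` is not an ``Exclusions`` instance.
            ``TypeError`` is a subclass of ``Exception``, so callers that caught
            the previous generic ``Exception`` still catch this.
        """
        self.auth_json = auth_json

        # Reject a wrong exclusions type up front instead of passing it on to
        # the detail-list constructors below, which all receive it.
        if not isinstance(exclusions, Exclusions):
            raise TypeError(
                "For exclusions, please provide an object of the Exclusions type"
            )
        self.exclusions = exclusions

        # Built first: every principal detail list below takes self.policies.
        self.policies = ManagedPolicyDetails(
            auth_json.get("Policies"), exclusions
        )

        # Groups before users: the user list is given the group list.
        self.group_detail_list = GroupDetailList(
            auth_json.get("GroupDetailList"), self.policies, exclusions
        )
        self.user_detail_list = UserDetailList(
            auth_json.get("UserDetailList"),
            self.policies,
            self.group_detail_list,
            exclusions,
        )
        self.role_detail_list = RoleDetailList(
            auth_json.get("RoleDetailList"), self.policies, exclusions
        )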
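    def __init__(
        self,
        auth_json: Dict[str, List[Dict[str, Any]]],
        exclusions: Exclusions = DEFAULT_EXCLUSIONS,
        flag_conditional_statements: bool = False,
        flag_resource_arn_statements: bool = False,
    ) -> None:
        """
        Object to hold and analyze Account Authorization details.

        :param auth_json: the JSON response of the aws iam get-account-authorization-details command.
            The "Policies", "GroupDetailList", "UserDetailList" and "RoleDetailList"
            sections are read with ``dict.get`` and default to an empty list when absent.
        :param exclusions: an ``Exclusions`` instance applied to the results. The default
            is the module-level ``DEFAULT_EXCLUSIONS`` object, shared by every caller
            that relies on the default — do not mutate it per instance.
        :param flag_conditional_statements: Flag IAM statements with conditions, not just wildcards
        :param flag_resource_arn_statements: Flag IAM statements with resource ARN restrictions, not just wildcards
        :raises TypeError: if ``exclusions`` is not an ``Exclusions`` instance.
            ``TypeError`` subclasses ``Exception``, so existing ``except Exception``
            handlers still catch it.
        """
        self.auth_json = auth_json

        # Reject a wrong exclusions type up front rather than passing it on to
        # the detail-list constructors below, which all receive it.
        if not isinstance(exclusions, Exclusions):
            raise TypeError(
                "For exclusions, please provide an object of the Exclusions type"
            )
        self.exclusions = exclusions
        self.flag_conditional_statements = flag_conditional_statements
        self.flag_resource_arn_statements = flag_resource_arn_statements

        # Built first: every principal detail list below takes self.policies.
        self.policies = ManagedPolicyDetails(
            auth_json.get("Policies", []),
            exclusions,
            flag_conditional_statements=flag_conditional_statements,
            flag_resource_arn_statements=flag_resource_arn_statements)

        # Groups before users: the user list is given the group list.
        self.group_detail_list = GroupDetailList(
            auth_json.get("GroupDetailList", []),
            self.policies,
            exclusions,
            flag_conditional_statements=flag_conditional_statements,
            flag_resource_arn_statements=flag_resource_arn_statements)
        self.user_detail_list = UserDetailList(
            auth_json.get("UserDetailList", []),
            self.policies,
            self.group_detail_list,
            exclusions,
            flag_conditional_statements=flag_conditional_statements,
            flag_resource_arn_statements=flag_resource_arn_statements)
        self.role_detail_list = RoleDetailList(
            auth_json.get("RoleDetailList", []),
            self.policies,
            exclusions,
            flag_conditional_statements=flag_conditional_statements,
            flag_resource_arn_statements=flag_resource_arn_statements)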
 def test_role_details_infra_mod_actions(self):
     """
     The roles in the shared fixture should yield exactly this sorted set of
     infrastructure-modification actions from their inline policies.
     """
     roles_section = auth_details_json["RoleDetailList"]
     managed_policies = ManagedPolicyDetails(
         auth_details_json.get("Policies"))
     roles = RoleDetailList(roles_section, managed_policies)

     # Expected value is pinned to the fixture; any change to the fixture's
     # inline policies must be reflected here.
     expected_results = [
         "ec2:AssociateIamInstanceProfile",
         "ec2:DisassociateIamInstanceProfile",
         "iam:AddRoleToInstanceProfile", "iam:CreateAccessKey",
         "iam:CreateInstanceProfile", "iam:PassRole", "s3:GetObject",
         "secretsmanager:GetSecretValue"
     ]
     results = roles.all_infrastructure_modification_actions_by_inline_policies
     print(json.dumps(results, indent=4))
     self.assertListEqual(results, expected_results)
    def __init__(self, auth_json):
        """
        Wrap the parsed ``get-account-authorization-details`` output for analysis.

        :param auth_json: dict holding the "Policies", "UserDetailList",
            "GroupDetailList" and "RoleDetailList" sections. Each is read with
            ``dict.get``, so a missing section reaches its helper as ``None``.
        """
        self.auth_json = auth_json
        # Shared by every principal list constructed below.
        self.policies = ManagedPolicyDetails(auth_json.get("Policies"))

        # Per-principal-type wrappers over the raw sections.
        users_section = auth_json.get("UserDetailList")
        groups_section = auth_json.get("GroupDetailList")
        roles_section = auth_json.get("RoleDetailList")
        self.user_detail_list = PrincipalTypeDetails(users_section)
        self.group_detail_list = PrincipalTypeDetails(groups_section)
        self.role_detail_list = PrincipalTypeDetails(roles_section)
        # Must run after the three lists above exist; presumably links users to
        # their groups — confirm against the helper.
        self._update_group_membership()

        self.findings = Findings()
        self.customer_managed_policies_in_use = (
            self._customer_managed_policies_in_use()
        )
        self.aws_managed_policies_in_use = self._aws_managed_policies_in_use()

        # Newer detail-list objects that also carry the managed policy context.
        # Groups are built before users because the user list is given the
        # group list.
        self.new_group_detail_list = GroupDetailList(groups_section, self.policies)
        self.new_user_detail_list = UserDetailList(
            users_section, self.policies, self.new_group_detail_list
        )
        self.new_role_detail_list = RoleDetailList(roles_section, self.policies)