def policy(resource):
iam_policy = Policy(expand_policy(json.loads(resource["PolicyDocument"])))
action_summary = iam_policy.action_summary()
#
# These first two checks can technically be skipped and this policy will still return correct
# results, but they prevent the more computationally expensive check the majority of the time.
#
# Check if the policy applies to EC2 resources
if "ec2" not in action_summary:
return True
# Check if the policy grants administrative privileges
if not ADMIN_ACTIONS.intersection(action_summary["ec2"]):
return True
# Get the EC2 actions pertaining specifically to network resources
network_actions = set()
for statement in iam_policy.statements:
# Only check statements granting access
if statement.effect != "Allow":
continue
# Only check actions that are granted on network resources
for action in statement.actions:
if any(resource in action for resource in NETWORK_RESOURCES):
network_actions.add(action)
# For all actions that have been granted on network resources, ensure none grant admin access
network_actions_summary = categories_for_actions(network_actions)
return not any(action in ADMIN_ACTIONS
for action in network_actions_summary["ec2"])
def policy(resource):
iam_policy = Policy(expand_policy(json.loads(resource['PolicyDocument'])))
action_summary = iam_policy.action_summary()
# Check if the policy grants any administrative privileges
return not any(
ADMIN_ACTIONS.intersection(action_summary[service])
for service in action_summary)
def policy(resource):
# This policy only applies to resources with an inline policy document
if resource['InlinePolicies'] is None:
return True
for inline_policy in resource['InlinePolicies'].values():
iam_policy = Policy(expand_policy(json.loads(inline_policy)))
if is_ec2_admin_policy(iam_policy):
return False
return True
def test_expand_1(self):
expanded_policy = expand_policy(policy=dc(WILDCARD_POLICY_1))
self.assertEqual(expanded_policy, EXPANDED_POLICY_1)
policy = {
"Statement": {
"NotAction": ["ec2:thispermissiondoesntexist"],
"Resource": "*",
"Effect": "Deny"
}
}
expected_policy = {
"Statement": [{
"NotAction": ["ec2:thispermissiondoesntexist"],
"Resource": "*",
"Effect": "Deny"
}]
}
expanded_policy = expand_policy(policy=dc(policy), expand_deny=False)
self.assertEqual(expanded_policy, expected_policy)
expanded_policy = expand_policy(policy=dc(policy), expand_deny=True)
self.assertEqual(type(expanded_policy['Statement']), list)
def get_permissions_in_policy(
policy_dict: Dict[str, Any],
warn_unknown_perms: bool = False) -> Tuple[Set[str], Set[str]]:
"""
Given a set of policies for a role, return a set of all allowed permissions
Args:
policy_dict
warn_unknown_perms
Returns
tuple
set - all permissions allowed by the policies
set - all permisisons allowed by the policies not marked with STATEMENT_SKIP_SID
"""
total_permissions: Set[str] = set()
eligible_permissions: Set[str] = set()
for policy_name, policy in list(policy_dict.items()):
policy = expand_policy(policy=policy,
expand_deny=False) if policy else {}
for statement in policy.get("Statement"):
if statement["Effect"].lower() == "allow":
statement_actions = get_actions_from_statement(statement)
total_permissions = total_permissions.union(statement_actions)
if not ("Sid" in statement
and statement["Sid"].startswith(STATEMENT_SKIP_SID)):
# No Sid
# Sid exists, but doesn't start with STATEMENT_SKIP_SID
eligible_permissions = eligible_permissions.union(
statement_actions)
weird_permissions = total_permissions.difference(all_permissions)
if weird_permissions and warn_unknown_perms:
logger.warning(
"Unknown permissions found: {}".format(weird_permissions))
return total_permissions, eligible_permissions
def test_expand_2(self):
expanded_policy = expand_policy(policy=dc(WILDCARD_POLICY_2))
self.assertEqual(expanded_policy, EXPANDED_POLICY_2)
