def policy(resource): iam_policy = Policy(expand_policy(json.loads(resource["PolicyDocument"]))) action_summary = iam_policy.action_summary() # # These first two checks can technically be skipped and this policy will still return correct # results, but they prevent the more computationally expensive check the majority of the time. # # Check if the policy applies to EC2 resources if "ec2" not in action_summary: return True # Check if the policy grants administrative privileges if not ADMIN_ACTIONS.intersection(action_summary["ec2"]): return True # Get the EC2 actions pertaining specifically to network resources network_actions = set() for statement in iam_policy.statements: # Only check statements granting access if statement.effect != "Allow": continue # Only check actions that are granted on network resources for action in statement.actions: if any(resource in action for resource in NETWORK_RESOURCES): network_actions.add(action) # For all actions that have been granted on network resources, ensure none grant admin access network_actions_summary = categories_for_actions(network_actions) return not any(action in ADMIN_ACTIONS for action in network_actions_summary["ec2"])
def policy(resource): iam_policy = Policy(expand_policy(json.loads(resource['PolicyDocument']))) action_summary = iam_policy.action_summary() # Check if the policy grants any administrative privileges return not any( ADMIN_ACTIONS.intersection(action_summary[service]) for service in action_summary)
def policy(resource): # This policy only applies to resources with an inline policy document if resource['InlinePolicies'] is None: return True for inline_policy in resource['InlinePolicies'].values(): iam_policy = Policy(expand_policy(json.loads(inline_policy))) if is_ec2_admin_policy(iam_policy): return False return True
def test_expand_1(self): expanded_policy = expand_policy(policy=dc(WILDCARD_POLICY_1)) self.assertEqual(expanded_policy, EXPANDED_POLICY_1) policy = { "Statement": { "NotAction": ["ec2:thispermissiondoesntexist"], "Resource": "*", "Effect": "Deny" } } expected_policy = { "Statement": [{ "NotAction": ["ec2:thispermissiondoesntexist"], "Resource": "*", "Effect": "Deny" }] } expanded_policy = expand_policy(policy=dc(policy), expand_deny=False) self.assertEqual(expanded_policy, expected_policy) expanded_policy = expand_policy(policy=dc(policy), expand_deny=True) self.assertEqual(type(expanded_policy['Statement']), list)
def get_permissions_in_policy( policy_dict: Dict[str, Any], warn_unknown_perms: bool = False) -> Tuple[Set[str], Set[str]]: """ Given a set of policies for a role, return a set of all allowed permissions Args: policy_dict warn_unknown_perms Returns tuple set - all permissions allowed by the policies set - all permisisons allowed by the policies not marked with STATEMENT_SKIP_SID """ total_permissions: Set[str] = set() eligible_permissions: Set[str] = set() for policy_name, policy in list(policy_dict.items()): policy = expand_policy(policy=policy, expand_deny=False) if policy else {} for statement in policy.get("Statement"): if statement["Effect"].lower() == "allow": statement_actions = get_actions_from_statement(statement) total_permissions = total_permissions.union(statement_actions) if not ("Sid" in statement and statement["Sid"].startswith(STATEMENT_SKIP_SID)): # No Sid # Sid exists, but doesn't start with STATEMENT_SKIP_SID eligible_permissions = eligible_permissions.union( statement_actions) weird_permissions = total_permissions.difference(all_permissions) if weird_permissions and warn_unknown_perms: logger.warning( "Unknown permissions found: {}".format(weird_permissions)) return total_permissions, eligible_permissions
def test_expand_2(self): expanded_policy = expand_policy(policy=dc(WILDCARD_POLICY_2)) self.assertEqual(expanded_policy, EXPANDED_POLICY_2)