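def test_managed_policy_security_group_permissions(self):
    """Verify check_security_group_permissions flags a policy granting
    security-group mutation actions.

    The policy is parsed from IAM_SG_MUTATION. Exactly one
    'Sensitive Permissions' issue is expected, whose notes list the
    flagged actions and the resource they apply to.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_SG_MUTATION),
    }

    # Baseline: no issues before the check runs, so the single issue
    # asserted below is attributable to this check alone.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_security_group_permissions(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    # Pin the exact notes text so a change in how flagged actions and
    # resources are serialized is caught here.
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["ec2:authorizesecuritygroupegress", "ec2:authorizesecuritygroupingress"] Resources: ["someresource"]')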
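def test_managed_policy_iam_passrole(self):
    """Verify check_iam_passrole flags a policy granting iam:passrole.

    The policy is parsed from IAM_PASSROLE. Exactly one
    'Sensitive Permissions' issue is expected, with notes naming the
    action and the resource it applies to.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_PASSROLE),
    }

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_iam_passrole(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    # Pin the exact notes text so a change in how flagged actions and
    # resources are serialized is caught here.
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["iam:passrole"] Resources: ["someresource"]')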
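def test_managed_policy_iam_notresource(self):
    """Verify check_notresource flags a policy statement that uses
    NotResource.

    The policy is parsed from IAM_NOTRESOURCE. Exactly one
    'Awkward Statement Construction' issue is expected, with notes
    naming the construct.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_NOTRESOURCE),
    }

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_notresource(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Awkward Statement Construction')
    self.assertEqual(iamobj.audit_issues[0].notes, 'Construct: ["NotResource"]')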
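def test_issue_on_aws_policy_with_attachment(self):
    """Verify check_star_privileges reports an issue on a ManagedPolicyItem
    built from FULL_ADMIN_POLICY_BARE that has one attached role.

    Exactly one issue is expected after the check runs.
    """
    import json

    config = {
        'policy': json.loads(FULL_ADMIN_POLICY_BARE),
        'arn': 'arn:aws:iam::aws:policy/TEST',
        'attached_users': [],
        # One attachment; the test name suggests the attachment is what
        # makes this policy reportable — confirm against the auditor.
        'attached_roles': ['arn:aws:iam::123456789:role/TEST'],
        'attached_groups': [],
    }
    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    policyobj = ManagedPolicyItem(account="TEST_ACCOUNT", name="policy_test", config=config)

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(policyobj.audit_issues), 0,
        "Managed Policy should have 0 alert but has {}".format(len(policyobj.audit_issues)))

    auditor.check_star_privileges(policyobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache.
    self.assertEqual(
        len(policyobj.audit_issues), 1,
        "Managed Policy should have 1 alert but has {}".format(len(policyobj.audit_issues)))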
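def test_managed_policy_security_group_permissions(self):
    """Verify check_security_group_permissions flags a policy granting
    security-group mutation actions.

    The policy is parsed from IAM_SG_MUTATION. Exactly one
    'Sensitive Permissions' issue is expected, whose notes list the
    flagged actions and the resource they apply to.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_SG_MUTATION),
    }

    # Baseline: no issues before the check runs, so the single issue
    # asserted below is attributable to this check alone.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_security_group_permissions(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    # Pin the exact notes text so a change in how flagged actions and
    # resources are serialized is caught here.
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["ec2:authorizesecuritygroupegress", "ec2:authorizesecuritygroupingress"] Resources: ["someresource"]')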
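def test_managed_policy_iam_notresource(self):
    """Verify check_notresource flags a policy statement that uses
    NotResource.

    The policy is parsed from IAM_NOTRESOURCE. Exactly one
    'Awkward Statement Construction' issue is expected, with notes
    naming the construct.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_NOTRESOURCE),
    }

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_notresource(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Awkward Statement Construction')
    self.assertEqual(iamobj.audit_issues[0].notes, 'Construct: ["NotResource"]')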
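def test_managed_policy_iam_passrole(self):
    """Verify check_iam_passrole flags a policy granting iam:passrole.

    The policy is parsed from IAM_PASSROLE. Exactly one
    'Sensitive Permissions' issue is expected, with notes naming the
    action and the resource it applies to.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_PASSROLE),
    }

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_iam_passrole(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
    # Pin the exact notes text so a change in how flagged actions and
    # resources are serialized is caught here.
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["iam:passrole"] Resources: ["someresource"]')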
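def test_managed_policy_iam_admin_only(self):
    """Verify check_iam_star_privileges flags a policy granting iam:*.

    The policy is parsed from IAM_ADMIN. Exactly one
    'Administrator Access' issue is expected, with notes naming the
    wildcard action and the resource it applies to.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_ADMIN),
    }

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_iam_star_privileges(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Administrator Access')
    # Pin the exact notes text so a change in how flagged actions and
    # resources are serialized is caught here.
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["iam:*"] Resources: ["someresource"]')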
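def test_issue_on_aws_policy_with_attachment(self):
    """Verify check_star_privileges reports an issue on a ManagedPolicyItem
    built from FULL_ADMIN_POLICY_BARE that has one attached role.

    Exactly one issue is expected after the check runs.
    """
    import json

    config = {
        'policy': json.loads(FULL_ADMIN_POLICY_BARE),
        'arn': 'arn:aws:iam::aws:policy/TEST',
        'attached_users': [],
        # One attachment; the test name suggests the attachment is what
        # makes this policy reportable — confirm against the auditor.
        'attached_roles': ['arn:aws:iam::123456789:role/TEST'],
        'attached_groups': [],
    }
    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    policyobj = ManagedPolicyItem(account="TEST_ACCOUNT", name="policy_test", config=config)

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(policyobj.audit_issues), 0,
        "Managed Policy should have 0 alert but has {}".format(len(policyobj.audit_issues)))

    auditor.check_star_privileges(policyobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache.
    self.assertEqual(
        len(policyobj.audit_issues), 1,
        "Managed Policy should have 1 alert but has {}".format(len(policyobj.audit_issues)))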
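def test_managed_policy_iam_admin_only(self):
    """Verify check_iam_star_privileges flags a policy granting iam:*.

    The policy is parsed from IAM_ADMIN. Exactly one
    'Administrator Access' issue is expected, with notes naming the
    wildcard action and the resource it applies to.
    """
    import json
    from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

    auditor = ManagedPolicyAuditor(accounts=['unittest'])
    iamobj = MockIAMObj()
    # NOTE(review): this arn lacks the partition segment used by the
    # 'arn:aws:iam::aws:policy/...' fixtures elsewhere; confirm the auditor
    # does not key on the arn prefix.
    iamobj.config = {
        'arn': 'arn:iam::aws:policy/',
        'policy': json.loads(IAM_ADMIN),
    }

    # Baseline: no issues before the check runs.
    self.assertEqual(
        len(iamobj.audit_issues), 0,
        "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))

    auditor.check_iam_star_privileges(iamobj)

    # assertEqual, not assertIs: identity on ints only holds by accident
    # of CPython's small-int cache. assertEquals is a deprecated alias.
    self.assertEqual(
        len(iamobj.audit_issues), 1,
        "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
    self.assertEqual(iamobj.audit_issues[0].issue, 'Administrator Access')
    # Pin the exact notes text so a change in how flagged actions and
    # resources are serialized is caught here.
    self.assertEqual(
        iamobj.audit_issues[0].notes,
        'Actions: ["iam:*"] Resources: ["someresource"]')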