def get_unused_role_policy_attachments(account_policies, principal):
    """Report the policy attachments of one role that grant only services the role was never seen using.

    Args:
        account_policies: list of policy dicts carrying ``Arn`` and ``PolicyVersionList``;
            the ``Document`` of the version flagged ``IsDefaultVersion`` is what gets analysed.
        principal: a role dict with ``RoleName``, ``LastAccessed``, ``AttachedManagedPolicies``
            and optionally ``RolePolicyList`` (inline policies).

    Returns:
        list of ``{"Role": <role name>, "PolicyArn": <arn>}`` dicts. For inline policies the
        ``PolicyArn`` field carries the inline policy *name* (inline policies have no ARN).

    Raises:
        StopIteration: an attached managed policy ARN is absent from ``account_policies``,
            or the policy has no default version (bare ``next()`` with no fallback).

    NOTE(review): every ``LastAccessed`` entry counts as "in use" here regardless of how old it
    is — unlike the user path, no ``unused_threshold`` is applied. That errs on the side of
    flagging fewer attachments; confirm whether the caller pre-filters ``principal['LastAccessed']``.
    """
    accessed_services = [entry['ServiceNamespace'] for entry in principal['LastAccessed']]
    findings = []

    for attachment in principal['AttachedManagedPolicies']:
        arn = attachment['PolicyArn']
        policy = next(pol for pol in account_policies if pol['Arn'] == arn)
        default_version = next(ver for ver in policy['PolicyVersionList'] if ver['IsDefaultVersion'])
        if PolicyAnalyzer.is_policy_unused(default_version['Document'], accessed_services):
            findings.append({"Role": principal['RoleName'], "PolicyArn": arn})

    # Inline policies ship their document directly; there is no ARN, so the name is reported instead.
    for inline in principal.get('RolePolicyList', []):
        if PolicyAnalyzer.is_policy_unused(inline['PolicyDocument'], accessed_services):
            findings.append({"Role": principal['RoleName'], "PolicyArn": inline['PolicyName']})

    return findings
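def _services_in_use(user: dict, unused_threshold: int) -> list:
    """Service namespaces ``user`` accessed strictly less than ``unused_threshold`` days ago.

    An access exactly ``unused_threshold`` days old does NOT count as in use.
    """
    return [
        access['ServiceNamespace']
        for access in user['LastAccessed']
        if days_from_today(access['LastAccessed']) < unused_threshold
    ]


def _default_policy_document(account_policies: list, policy_arn: str) -> dict:
    """Default-version ``Document`` of the managed policy identified by ``policy_arn``.

    Raises:
        StopIteration: the ARN is not in ``account_policies`` or has no default version
            (kept as a bare ``next()`` to match the rest of this module).
    """
    policy = next(p for p in account_policies if p['Arn'] == policy_arn)
    return next(v for v in policy['PolicyVersionList'] if v['IsDefaultVersion'])['Document']


def find_unused_policy_attachments(users: list, roles: list, account_policies: list, account_groups: list,
                                   unused_threshold: int) -> list:
    """Find managed-policy attachments (and role inline policies) whose granted services nobody used.

    "Unused" is decided by ``PolicyAnalyzer.is_policy_unused`` against the service namespaces a
    principal accessed within ``unused_threshold`` days; for roles, see
    ``get_unused_role_policy_attachments`` (no threshold is applied there).

    Args:
        users: user dicts with ``UserName``, ``LastAccessed``, ``AttachedManagedPolicies``, ``GroupList``.
        roles: role dicts as accepted by ``get_unused_role_policy_attachments``. (The previous
            annotation said ``dict``; the function iterates it as a list of role dicts.)
        account_policies: policy dicts with ``Arn`` and ``PolicyVersionList``.
        account_groups: group dicts with ``GroupName`` and ``AttachedManagedPolicies``.
        unused_threshold: age in days beyond which an access no longer counts as "in use".

    Returns:
        A list, in this order: role findings, then unused direct user attachments
        (attachment dict plus ``User``), then group attachments (attachment dict plus ``Group``
        and ``id``) that no member of the group uses. Each group attachment is reported once.

    Raises:
        StopIteration: a referenced policy ARN or group name is unknown.

    NOTE(review): a group attachment is only evaluated through its members, so attachments of
    groups with no members never appear here — presumably unused groups are reported elsewhere.
    """
    unused = []
    for role in roles:
        unused.extend(get_unused_role_policy_attachments(account_policies, role))

    # A group attachment is unused only if *every* member leaves it unused, so collect the ids
    # ("PolicyName/GroupName") some member does use, and the candidates that at least one member does not.
    used_group_ids = set()
    candidate_group_attachments = []
    for user in users:
        services_in_use = _services_in_use(user, unused_threshold)

        # Deep-copied so extending with group attachments never mutates the caller's user dict.
        attachments = copy.deepcopy(user['AttachedManagedPolicies'])
        for group_name in user['GroupList']:
            group_attachments = next(g['AttachedManagedPolicies'] for g in account_groups if g['GroupName'] == group_name)
            attachments.extend({**group_policy, 'Group': group_name} for group_policy in group_attachments)

        for attachment in attachments:
            document = _default_policy_document(account_policies, attachment['PolicyArn'])
            is_unused = PolicyAnalyzer.is_policy_unused(document, services_in_use)
            group_name = attachment.get('Group')
            if group_name:
                attachment_id = f'{attachment["PolicyName"]}/{group_name}'
                if is_unused:
                    candidate_group_attachments.append({**attachment, 'id': attachment_id})
                else:
                    used_group_ids.add(attachment_id)
            elif is_unused:
                unused.append({**attachment, 'User': user['UserName']})

    # Report each group attachment at most once, and never if any member used it.
    reported_group_ids = set(used_group_ids)
    for attachment in candidate_group_attachments:
        if attachment['id'] not in reported_group_ids:
            unused.append(attachment)
            reported_group_ids.add(attachment['id'])

    return unused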
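def _create_simple_user_clusters(self, users: list, account_groups: list, account_policies: list) -> dict:
    """Sort users into three clusters — Admins, ReadOnly, Powerusers — from their managed policies.

    A user with ``ADMIN_POLICY_ARN`` attached (directly or via a group) is an Admin. Otherwise
    the user's attached policies are checked against the services accessed within
    ``self.unused_threshold`` days; if any policy still in use grants write access
    (``PolicyAnalyzer.policy_is_write_access``) the user is a Poweruser, else ReadOnly.

    Args:
        users: user dicts with ``UserName``, ``AttachedManagedPolicies``, ``GroupList``, ``LastAccessed``.
        account_groups: group dicts with ``GroupName`` and ``AttachedManagedPolicies``.
        account_policies: policy dicts with ``Arn`` and ``PolicyVersionList``.

    Returns:
        ``{'Admins': {...}, 'ReadOnly': {...}, 'Powerusers': {...}}``, each with ``Users`` (names)
        and ``Policies`` (ARNs). ``Powerusers.Policies`` is every policy ARN in use by a non-admin
        user, most-used first (ties keep first-seen order).

    Raises:
        StopIteration: a referenced group name or policy ARN is unknown, or a policy has no default version.

    Fix: the original counted in-use policies in the same loop that searched for a write-access
    policy and ``break``-ed on the first hit, so every in-use policy sorting after it was dropped
    from ``Powerusers.Policies``. Counting is now done for all in-use policies before the write check.

    NOTE(review): only managed policies are read — inline user policies are not consulted, so any
    access they grant is not reflected in the clusters. NOTE(review): every ReadOnly member gets
    ``READ_ONLY_ARN`` regardless of the narrower read policies they actually used; confirm that
    broadening is acceptable.
    """
    clusters = {
        'Admins': {'Policies': [ADMIN_POLICY_ARN], 'Users': []},
        'ReadOnly': {'Users': [], 'Policies': [READ_ONLY_ARN]},
        'Powerusers': {'Users': [], 'Policies': []},
    }
    # policy ARN -> number of non-admin users that actually use it
    usage_counts = {}

    for user in users:
        policy_arns = {p['PolicyArn'] for p in user['AttachedManagedPolicies']}
        for group_name in user['GroupList']:
            group_policies = next(g['AttachedManagedPolicies'] for g in account_groups if g['GroupName'] == group_name)
            policy_arns.update(p['PolicyArn'] for p in group_policies)
        policy_arns = sorted(policy_arns)

        if ADMIN_POLICY_ARN in policy_arns:
            clusters['Admins']['Users'].append(user['UserName'])
            continue

        services_in_use = [
            access['ServiceNamespace']
            for access in user['LastAccessed']
            if days_from_today(access['LastAccessed']) < self.unused_threshold
        ]

        # Default-version document of each attached policy the user still uses, keyed by ARN.
        documents_in_use = {}
        for arn in policy_arns:
            policy = next(p for p in account_policies if p['Arn'] == arn)
            document = next(v for v in policy['PolicyVersionList'] if v['IsDefaultVersion'])['Document']
            if not PolicyAnalyzer.is_policy_unused(document, services_in_use):
                documents_in_use[arn] = document

        for arn in documents_in_use:
            usage_counts[arn] = usage_counts.get(arn, 0) + 1

        needs_write = any(PolicyAnalyzer.policy_is_write_access(doc) for doc in documents_in_use.values())
        cluster = 'Powerusers' if needs_write else 'ReadOnly'
        clusters[cluster]['Users'].append(user['UserName'])

    # Most-used first; sorted() is stable, so equal counts keep first-seen order.
    clusters['Powerusers']['Policies'] = sorted(usage_counts, key=usage_counts.get, reverse=True)
    return clusters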