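def test_full_policy_explicit_allow():
    """An explicit Allow on the exact resource ARN grants the requested action.

    ``ListAllow`` (on ``*``) does not name a Get action, so only the
    ``explicitallow`` statement scoped to the bucket ARN can match. The policy
    spells the action ``s3:getobject`` while the request uses ``S3:GetObject``,
    so this also asserts that action matching is case-insensitive.
    """
    policies = {
        "ListAllow": [{
            # Two distinct actions. The original listing lacked the comma
            # between them, so Python silently concatenated them into one
            # nonsensical action string ("s3:listobjectdynamodb:query").
            "action": [
                "s3:listobject",
                "dynamodb:query",
            ],
            "resource": [
                "*",
            ],
            "effect": "Allow",
        }],
        "explicitallow": [{
            "action": [
                "s3:getobject",
            ],
            "resource": [
                "arn:aws:s3:::testbucket",
            ],
            "effect": "Allow",
        }],
    }
    assert permission_relationships.principal_allowed_on_resource(
        policies,
        "arn:aws:s3:::testbucket",
        ["S3:GetObject"],
    )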
def test_full_policy_no_explicit_allow():
    """Allow statements for other action prefixes do not grant ``S3:GetObject``.

    ``s3:List*`` on ``*`` and ``s3:Put*`` on the bucket ARN are both Allow
    statements, but neither prefix covers a Get action, so the principal must
    be reported as not allowed.
    """
    list_statement = {
        "action": ["s3:List*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    put_statement = {
        "action": ["s3:Put*"],
        "resource": ["arn:aws:s3:::testbucket"],
        "effect": "Allow",
    }
    policies = {
        "ListAllow": [list_statement],
        "PutAllow": [put_statement],
    }

    allowed = permission_relationships.principal_allowed_on_resource(
        policies,
        "arn:aws:s3:::testbucket",
        ["S3:GetObject"],
    )
    assert not allowed
def test_full_policy_explicit_deny():
    """An explicit Deny on the resource overrides a wildcard Allow.

    ``fakeallow`` grants ``s3:*`` on every resource; ``fakedeny`` denies
    ``s3:*`` on the bucket ARN. The Deny must win for ``S3:GetObject`` on
    that bucket.
    """
    allow_everything = {
        "action": ["s3:*"],
        "resource": ["*"],
        "effect": "Allow",
    }
    deny_on_bucket = {
        "action": ["s3:*"],
        "resource": ["arn:aws:s3:::testbucket"],
        "effect": "Deny",
    }
    policies = {
        "fakeallow": [allow_everything],
        "fakedeny": [deny_on_bucket],
    }

    allowed = permission_relationships.principal_allowed_on_resource(
        policies,
        "arn:aws:s3:::testbucket",
        ["S3:GetObject"],
    )
    assert not allowed
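def test_permissions_list():
    """``principal_allowed_on_resource`` must raise when ``permissions`` is not a list.

    A bare string (``"S3:GetObject"``) is passed where a list of actions is
    expected; the function is expected to raise ``ValueError``.
    """
    try:
        permission_relationships.principal_allowed_on_resource(
            GET_OBJECT_LOWERCASE_RESOURCE_WILDCARD,
            "arn:aws:s3:::testbucket",
            "S3:GetObject",
        )
    except ValueError:
        return
    # `raise` instead of `assert False`: asserts are stripped under `python -O`,
    # which would let a missing ValueError pass unnoticed.
    raise AssertionError(
        "principal_allowed_on_resource accepted a non-list permissions argument",
    )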
def sync_assumerole_relationships(
    neo4j_session: neo4j.Session,
    current_aws_account_id: str,
    aws_update_tag: str,
    common_job_parameters: Dict,
) -> None:
    """Create ``STS_ASSUMEROLE_ALLOW`` edges for principals permitted to assume roles.

    Must be called after ``load_role``. For every ``AWSRole`` in the account
    whose trust policy names an ``AWSPrincipal`` (``TRUSTS_AWS_PRINCIPAL``),
    the principal's policies are fetched and evaluated for ``sts:AssumeRole``
    on the role ARN; when allowed, the relationship is merged and stamped with
    ``aws_update_tag``. Finishes by running the role-policy cleanup job.

    :param neo4j_session: open Neo4j session used for all reads and writes.
    :param current_aws_account_id: account whose roles are examined.
    :param aws_update_tag: sync tag written to ``r.lastupdated`` on each edge.
    :param common_job_parameters: parameters forwarded to ``run_cleanup_job``.
    """
    logger.debug("Syncing assume role for account '%s'.", current_aws_account_id)

    # Trust edges worth evaluating. Account-root, Service and Federated
    # principals are excluded here (presumably covered by other sync steps —
    # confirm before relying on this).
    find_candidates = """
    MATCH (:AWSAccount{id:{AccountId}})-[:RESOURCE]->(target:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(source:AWSPrincipal)
    WHERE NOT source.arn ENDS WITH 'root'
    AND NOT source.type = 'Service'
    AND NOT source.type = 'Federated'
    RETURN target.arn AS target_arn, source.arn AS source_arn
    """

    # Parameterised Cypher: ARNs come in as parameters, never spliced into
    # the query text.
    merge_assume_role_edge = """
    MATCH (source:AWSPrincipal{arn: {SourceArn}})
    WITH source
    MATCH (role:AWSRole{arn: {TargetArn}})
    WITH role, source
    MERGE (source)-[r:STS_ASSUMEROLE_ALLOW]->(role)
    ON CREATE SET r.firstseen = timestamp()
    SET r.lastupdated = {aws_update_tag}
    """

    candidate_rows = neo4j_session.run(
        find_candidates,
        AccountId=current_aws_account_id,
    )
    # Materialise the result before issuing further queries on the same session.
    candidates = [(row["source_arn"], row["target_arn"]) for row in candidate_rows]

    for principal_arn, role_arn in candidates:
        principal_policies = get_policies_for_principal(neo4j_session, principal_arn)
        if not principal_allowed_on_resource(principal_policies, role_arn, ["sts:AssumeRole"]):
            continue
        neo4j_session.run(
            merge_assume_role_edge,
            SourceArn=principal_arn,
            TargetArn=role_arn,
            aws_update_tag=aws_update_tag,
        )

    run_cleanup_job(
        'aws_import_roles_policy_cleanup.json',
        neo4j_session,
        common_job_parameters,
    )