コード例 #1
0
def test_with_invalid_role_managed_policy():
    role_props = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path":
                    "/",
                    "ManagedPolicyArns":
                    ["arn:aws:iam::aws:policy/AdministratorAccess"]
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    resources = pycfmodel.parse(role_props).resources
    rule.invoke(resources, [])

    assert not result.valid
    assert (
        result.failed_rules[0]["reason"] ==
        "Role RootRole has forbidden Managed Policy arn:aws:iam::aws:policy/AdministratorAccess"
    )
    assert result.failed_rules[0]["rule"] == "IAMRolesOverprivilegedRule"
コード例 #2
0
def test_with_invalid_role_inline_policy_fn_if():
    role_props = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path":
                    "/",
                    "Policies": [{
                        "Fn::If": [
                            "IsSandbox",
                            {
                                "PolicyDocument": {
                                    "Statement": [{
                                        "Action":
                                        "sts:AssumeRole",
                                        "Effect":
                                        "Allow",
                                        "Resource":
                                        "arn:aws:iam::325714046698:role/sandbox-secrets-access",
                                    }],
                                    "Version":
                                    "2012-10-17",
                                },
                                "PolicyName": "SandboxSecretsAccessAssumerole",
                            },
                            {
                                "PolicyDocument": {
                                    "Statement": [{
                                        "Action": ["ec2:DeleteVpc"],
                                        "Effect": "Allow",
                                        "Resource": ["*"]
                                    }],
                                    "Version":
                                    "2012-10-17",
                                },
                                "PolicyName":
                                "ProdCredentialStoreAccessPolicy",
                            },
                        ]
                    }],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    resources = pycfmodel.parse(role_props).resources
    rule.invoke(resources, [])
    rule.check_managed_policies.assert_called()

    assert not result.valid
    assert (
        result.failed_rules[0]["reason"] ==
        'Role "RootRole" contains an insecure permission "ec2:DeleteVpc" in policy "ProdCredentialStoreAccessPolicy"'
    )
    assert result.failed_rules[0]["rule"] == "IAMRolesOverprivilegedRule"
コード例 #3
0
def test_with_valid_role_inline_policy(valid_role_inline_policy):
    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.invoke(valid_role_inline_policy)

    assert result.valid
    assert len(result.failed_rules) == 0
    assert len(result.failed_monitored_rules) == 0
コード例 #4
0
def test_with_invalid_role_inline_policy_fn_if():
    role_props = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path":
                    "/",
                    "Policies": [{
                        'Fn::If': [
                            'IsSandbox', {
                                'PolicyDocument': {
                                    'Statement': [{
                                        'Action':
                                        'sts:AssumeRole',
                                        'Effect':
                                        'Allow',
                                        'Resource':
                                        'arn:aws:iam::325714046698:role/sandbox-secrets-access'
                                    }],
                                    'Version':
                                    '2012-10-17'
                                },
                                'PolicyName': 'SandboxSecretsAccessAssumerole'
                            }, {
                                'PolicyDocument': {
                                    'Statement': [{
                                        'Action': ['ec2:DeleteVpc'],
                                        'Effect': 'Allow',
                                        'Resource': ["*"]
                                    }],
                                    'Version':
                                    '2012-10-17'
                                },
                                'PolicyName': 'ProdCredentialStoreAccessPolicy'
                            }
                        ]
                    }]
                }
            }
        }
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    resources = pycfmodel.parse(role_props).resources
    rule.invoke(resources)
    rule.check_managed_policies.assert_called()

    assert not result.valid
    assert result.failed_rules[0][
        'reason'] == 'Role "RootRole" contains an insecure permission "ec2:DeleteVpc" in policy "ProdCredentialStoreAccessPolicy"'
    assert result.failed_rules[0]['rule'] == 'IAMRolesOverprivilegedRule'
コード例 #5
0
def test_with_invalid_role_inline_policy(invalid_role_inline_policy):
    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.invoke(invalid_role_inline_policy)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    assert result.failed_rules[0].rule == "IAMRolesOverprivilegedRule"
    assert (
        result.failed_rules[0].reason ==
        "Role 'RootRole' contains an insecure permission 'ec2:DeleteInternetGateway' in policy 'not_so_chill_policy'"
    )
コード例 #6
0
def test_with_invalid_role_managed_policy(invalid_role_managed_policy):
    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.invoke(invalid_role_managed_policy)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    assert result.failed_rules[0].rule == "IAMRolesOverprivilegedRule"
    assert (
        result.failed_rules[0].reason ==
        "Role RootRole has forbidden Managed Policy arn:aws:iam::aws:policy/AdministratorAccess"
    )
コード例 #7
0
def test_with_invalid_role_inline_policy_fn_if(
        invalid_role_inline_policy_fn_if):
    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.invoke(invalid_role_inline_policy_fn_if)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    assert result.failed_rules[0].rule == "IAMRolesOverprivilegedRule"
    assert (
        result.failed_rules[0].reason ==
        "Role 'RootRole' contains an insecure permission 'ec2:DeleteVpc' in policy 'ProdCredentialStoreAccessPolicy'"
    )
コード例 #8
0
def test_with_invalid_role_inline_policy():
    role_props = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path":
                    "/",
                    "Policies": [{
                        "PolicyName": "not_so_chill_policy",
                        "PolicyDocument": {
                            "Version":
                            "2012-10-17",
                            "Statement": [{
                                "Effect":
                                "Allow",
                                "Action": ["ec2:DeleteInternetGateway"],
                                "Resource":
                                "*"
                            }],
                        },
                    }],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    resources = pycfmodel.parse(role_props).resources
    rule.invoke(resources, [])
    rule.check_managed_policies.assert_called()

    assert not result.valid
    assert (
        result.failed_rules[0]["reason"] ==
        'Role "RootRole" contains an insecure permission "ec2:DeleteInternetGateway" in policy "not_so_chill_policy"'
    )
    assert result.failed_rules[0]["rule"] == "IAMRolesOverprivilegedRule"
コード例 #9
0
def test_with_valid_role_inline_policy():
    role_props = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path":
                    "/",
                    "Policies": [{
                        "PolicyName": "chill_policy",
                        "PolicyDocument": {
                            "Version":
                            "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Action": [
                                    "ec2:DescribeInstances",
                                ],
                                "Resource": "*"
                            }]
                        }
                    }]
                }
            }
        }
    }

    resource = pycfmodel.parse(role_props).resources

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)

    rule.check_managed_policies = Mock()

    rule.invoke(resource)
    rule.check_managed_policies.assert_called()

    assert result.valid
    assert len(result.failed_rules) == 0
コード例 #10
0
def test_with_valid_role_managed_policy():
    role_props = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "ManagedPolicyArns":
                    ["arn:aws:iam::aws:policy/YadaYadaYada"]
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_inline_policies = Mock()
    resources = pycfmodel.parse(role_props).resources
    rule.invoke(resources, [])
    rule.check_inline_policies.assert_called()

    assert result.valid
    assert len(result.failed_rules) == 0