def _assume_role_policy_document(self): """Set the assume role policy document""" if self.principal_type == "Role": this_document = self.principal_detail.get("AssumeRolePolicyDocument", None) if this_document: assume_role_policy_document = AssumeRolePolicyDocument(this_document) return assume_role_policy_document else: return None else: return None
def _assume_role_policy_document(self): """Set the assume role policy document""" if self.principal_type == "Role": this_document = self.principal_detail.get("AssumeRolePolicyDocument", None) if this_document: assume_role_policy_document = AssumeRolePolicyDocument(this_document) return assume_role_policy_document # For roles, a trust policy is required. I'm simply including an else statement here # to make Pylint and coverage happy. else: return None # pragma: no cover else: return None
def test_findings_for_roles_assumable_by_compute_services_ecs_tasks_new(self): trust_policy_from_compute_service_ecs_tasks = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Principal": { "Service": "ecs-tasks.amazonaws.com", "AWS": "arn:aws:iam::012345678910:root", } } ] } assume_role_policy_document = AssumeRolePolicyDocument(trust_policy_from_compute_service_ecs_tasks) test_policy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*" } ] } policy_document = PolicyDocument(test_policy) finding = Finding( policy_name="MyPolicy", arn="arn:aws:iam::123456789012:role/TestComputeService", actions=["s3:GetObject"], policy_document=policy_document, assume_role_policy_document=assume_role_policy_document ) # print(finding.role_assumable_by_compute_services) self.assertListEqual(finding.role_assumable_by_compute_services, ["ecs-tasks"]) role_finding = RoleFinding( policy_name="MyPolicy", arn="arn:aws:iam::123456789012:role/TestComputeService", actions=["s3:GetObject"], policy_document=policy_document, assume_role_policy_document=assume_role_policy_document ) self.assertListEqual(role_finding.role_assumable_by_compute_services, ["ecs-tasks"])
def __init__(self, role_detail, policy_details): """ Initialize the RoleDetail object. :param role_detail: Details about a particular Role :param policy_details: The PolicyDetails object - i.e., details about all managed policies in the account so the role can inherit those attributes """ # Metadata self.path = role_detail.get("Path") self.role_name = role_detail.get("RoleName") self.role_id = role_detail.get("RoleId") self.arn = role_detail.get("Arn") self.create_date = role_detail.get("CreateDate") self.tags = role_detail.get("Tags") self.role_last_used = role_detail.get("RoleLastUsed") # Metadata in object form if role_detail.get("AssumeRolePolicyDocument"): self.assume_role_policy_document = AssumeRolePolicyDocument( role_detail.get("AssumeRolePolicyDocument")) else: self.assume_role_policy_document = None # TODO: Create a class for InstanceProfileList self.instance_profile_list = role_detail.get("InstanceProfileList") # Inline Policies self.inline_policies = {} if role_detail.get("RolePolicyList"): for inline_policy in role_detail.get("RolePolicyList"): non_provider_id = get_non_provider_id( inline_policy.get("PolicyName")) self.inline_policies[non_provider_id] = dict( PolicyName=inline_policy.get("PolicyName"), PolicyDocument=PolicyDocument( inline_policy.get("PolicyDocument")), ) # Managed Policies (either AWS-managed or Customer managed) self.attached_managed_policies = [] if role_detail.get("AttachedManagedPolicies"): self._attached_managed_policies_details( role_detail.get("AttachedManagedPolicies"), policy_details) else: self.attached_managed_policies = []
def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS): """ Initialize the RoleDetail object. :param role_detail: Details about a particular Role :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the role can inherit those attributes """ # Metadata self.path = role_detail.get("Path") self.role_name = role_detail.get("RoleName") self.role_id = role_detail.get("RoleId") self.arn = role_detail.get("Arn") self.create_date = role_detail.get("CreateDate") self.tags = role_detail.get("Tags") self.role_last_used = role_detail.get("RoleLastUsed") self.role_detail = role_detail # just to reference later in debugging if not isinstance(exclusions, Exclusions): raise Exception( "The exclusions provided is not an Exclusions type object. " "Please supply an Exclusions object and try again.") self.is_excluded = self._is_excluded(exclusions) # Metadata in object form if role_detail.get("AssumeRolePolicyDocument"): self.assume_role_policy_document = AssumeRolePolicyDocument( role_detail.get("AssumeRolePolicyDocument")) else: self.assume_role_policy_document = None # TODO: Create a class for InstanceProfileList self.instance_profile_list = role_detail.get("InstanceProfileList") # Inline Policies self.inline_policies = [] if role_detail.get("RolePolicyList"): self._inline_policies_details(role_detail.get("RolePolicyList")) # Managed Policies (either AWS-managed or Customer managed) self.attached_managed_policies = [] if role_detail.get("AttachedManagedPolicies"): self._attached_managed_policies_details( role_detail.get("AttachedManagedPolicies"), policy_details)
def test_findings_for_roles_assumable_by_compute_services_empty(self): """output.findings.role_assumable_by_compute_services""" trust_policy_from_non_compute_service = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Principal": { "Service": ["yolo.amazonaws.com"] } } ] } assume_role_policy_document = AssumeRolePolicyDocument(trust_policy_from_non_compute_service) test_policy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*" } ] } policy_document = PolicyDocument(test_policy) finding = Finding( policy_name="MyPolicy", arn="arn:aws:iam::123456789012:role/TestComputeService", actions=["s3:GetObject"], policy_document=policy_document, assume_role_policy_document=assume_role_policy_document ) self.assertListEqual(finding.role_assumable_by_compute_services, []) # print(json.dumps(finding.assume_role_policy_document_json, indent=4)) self.assertDictEqual(finding.assume_role_policy_document_json, trust_policy_from_non_compute_service)
def test_new_findings(self): """output.new_findings.Findings""" self.maxDiff = None test_policy = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }] } policy_document = PolicyDocument(test_policy) # (1) If the user is a member of an excluded group, return True exclusions_cfg = dict(users=["obama"], groups=["exclude-group"], roles=["MyRole"], policies=["exclude-policy"]) exclusions = Exclusions(exclusions_cfg) attached_managed_policies = [{ "PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess", "PolicyName": "AWSLambdaFullAccess" }] # Let's just re-use the same policy for users groups and roles user_finding = UserFinding( policy_name="MyPolicy", arn="arn:aws:iam::123456789012:user/SomeUser", actions=["s3:GetObject"], policy_document=policy_document, group_membership=["admin"], attached_managed_policies=attached_managed_policies, exclusions=exclusions) group_finding = GroupFinding( policy_name="MyPolicy", arn="arn:aws:iam::123456789012:group/SomeGroup", actions=["s3:GetObject"], policy_document=policy_document, members=["obama"], exclusions=exclusions) trust_policy_from_compute_service_ecs_tasks = { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": { "Service": "ecs-tasks.amazonaws.com", "AWS": "arn:aws:iam::012345678910:root", } }] } assume_role_policy_document = AssumeRolePolicyDocument( trust_policy_from_compute_service_ecs_tasks) role_finding = RoleFinding( policy_name="MyPolicy", arn="arn:aws:iam::123456789012:role/SomeRole", actions=["s3:GetObject"], policy_document=policy_document, assume_role_policy_document=assume_role_policy_document, exclusions=exclusions) policy_finding = PolicyFinding( policy_name="AWSLambdaFullAccess", arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess", actions=["s3:GetObject"], policy_document=policy_document, exclusions=exclusions) all_findings = Findings(exclusions) all_findings.add_user_finding(user_finding) result = all_findings.users[0] expected_user_result = { "AccountID": "123456789012", "ManagedBy": "Customer", "Name": "SomeUser", "PolicyName": "MyPolicy", "Type": "User", "Arn": "arn:aws:iam::123456789012:user/SomeUser", "ActionsCount": 1, "ServicesCount": 1, "Services": ["s3"], "Actions": ["s3:GetObject"], "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }] }, "AssumeRolePolicyDocument": None, "AssumableByComputeService": [], "PrivilegeEscalation": [], "DataExfiltrationActions": ["s3:GetObject"], "PermissionsManagementActions": [] } self.assertDictEqual(result.json, expected_user_result) principal_policy_mapping = [ { "Principal": "SomeUser", "Type": "User", "PolicyType": "Managed", "ManagedBy": "AWS", "PolicyName": "MyPolicy", "GroupMembership": None, }, { "Principal": "SomeUser", "Type": "User", "PolicyType": "Managed", "ManagedBy": "AWS", "PolicyName": "AWSLambdaFullAccess", "GroupMembership": None, }, { "Principal": "SomeGroup", "Type": "Group", "PolicyType": "Managed", "ManagedBy": "AWS", "PolicyName": "MyPolicy", "GroupMembership": None, }, { "Principal": "SomeRole", "Type": "Role", "PolicyType": "Managed", "ManagedBy": "AWS", "PolicyName": "MyPolicy", "GroupMembership": None, }, ] all_findings.principal_policy_mapping = principal_policy_mapping all_findings.add_group_finding(group_finding) all_findings.add_role_finding(role_finding) all_findings.add_policy_finding(policy_finding) print(len(all_findings)) self.assertEqual(len(all_findings), 4) results = all_findings.json expected_results = [{ "AccountID": "N/A", "ManagedBy": "AWS", "Name": "AWSLambdaFullAccess", "PolicyName": "AWSLambdaFullAccess", "Type": "Policy", "Arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess", "ActionsCount": 1, "ServicesCount": 1, "Services": ["s3"], "Actions": ["s3:GetObject"], "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }] }, "AssumeRolePolicyDocument": None, "AssumableByComputeService": [], "PrivilegeEscalation": [], "DataExfiltrationActions": ["s3:GetObject"], "PermissionsManagementActions": [] }, { "AccountID": "123456789012", "ManagedBy": "Customer", "Name": "SomeUser", "PolicyName": "MyPolicy", "Type": "User", "Arn": "arn:aws:iam::123456789012:user/SomeUser", "ActionsCount": 1, "ServicesCount": 1, "Services": ["s3"], "Actions": ["s3:GetObject"], "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }] }, "AssumeRolePolicyDocument": None, "AssumableByComputeService": [], "PrivilegeEscalation": [], "DataExfiltrationActions": ["s3:GetObject"], "PermissionsManagementActions": [] }, { "AccountID": "123456789012", "ManagedBy": "Customer", "Name": "SomeGroup", "PolicyName": "MyPolicy", "Type": "Group", "Arn": "arn:aws:iam::123456789012:group/SomeGroup", "ActionsCount": 1, "ServicesCount": 1, "Services": ["s3"], "Actions": ["s3:GetObject"], "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }] }, "AssumeRolePolicyDocument": None, "AssumableByComputeService": [], "PrivilegeEscalation": [], "DataExfiltrationActions": ["s3:GetObject"], "PermissionsManagementActions": [] }, { "AccountID": "123456789012", "ManagedBy": "Customer", "Name": "SomeRole", "PolicyName": "MyPolicy", "Type": "Role", "Arn": "arn:aws:iam::123456789012:role/SomeRole", "ActionsCount": 1, "ServicesCount": 1, "Services": ["s3"], "Actions": ["s3:GetObject"], "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*" }] }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": { "Service": "ecs-tasks.amazonaws.com", "AWS": "arn:aws:iam::012345678910:root" } }] }, "AssumableByComputeService": ["ecs-tasks"], "PrivilegeEscalation": [], "DataExfiltrationActions": ["s3:GetObject"], "PermissionsManagementActions": [] }] # print(json.dumps(all_findings.json, indent=4)) self.assertListEqual(results, expected_results)
def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS): """ Initialize the RoleDetail object. :param role_detail: Details about a particular Role :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the role can inherit those attributes """ # Metadata self.path = role_detail.get("Path") self.role_name = role_detail.get("RoleName") self.role_id = role_detail.get("RoleId") self.arn = role_detail.get("Arn") self.create_date = role_detail.get("CreateDate") self.tags = role_detail.get("Tags") self.role_last_used = role_detail.get("RoleLastUsed").get("LastUsedDate") self.role_detail = role_detail # just to reference later in debugging if not isinstance(exclusions, Exclusions): raise Exception( "The exclusions provided is not an Exclusions type object. " "Please supply an Exclusions object and try again." ) self.is_excluded = self._is_excluded(exclusions) # Metadata in object form if role_detail.get("AssumeRolePolicyDocument"): self.assume_role_policy_document = AssumeRolePolicyDocument(role_detail.get("AssumeRolePolicyDocument")) else: self.assume_role_policy_document = None # TODO: Create a class for InstanceProfileList self.instance_profile_list = role_detail.get("InstanceProfileList") # Inline Policies self.inline_policies = [] # If the role itself is NOT excluded, add its inline policies if not self.is_excluded: if role_detail.get("RolePolicyList"): for policy_detail in role_detail.get("RolePolicyList"): policy_name = policy_detail.get("PolicyName") policy_document = policy_detail.get("PolicyDocument") policy_id = get_non_provider_id(json.dumps(policy_document)) if not ( exclusions.is_policy_excluded(policy_name) or exclusions.is_policy_excluded(policy_id) ): inline_policy = InlinePolicy(policy_detail) self.inline_policies.append(inline_policy) # Managed Policies (either AWS-managed or Customer managed) self.attached_managed_policies = [] # If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies if not self.is_excluded: if role_detail.get("AttachedManagedPolicies"): for policy in role_detail.get("AttachedManagedPolicies"): arn = policy.get("PolicyArn") if not ( exclusions.is_policy_excluded(arn) or exclusions.is_policy_excluded(get_full_policy_path(arn)) or exclusions.is_policy_excluded(get_policy_name(arn)) ): attached_managed_policy_details = policy_details.get_policy_detail(arn) self.attached_managed_policies.append(attached_managed_policy_details)
def __init__( self, role_detail: Dict[str, Any], policy_details: ManagedPolicyDetails, exclusions: Exclusions = DEFAULT_EXCLUSIONS, flag_conditional_statements: bool = False, flag_resource_arn_statements: bool = False, ) -> None: """ Initialize the RoleDetail object. :param role_detail: Details about a particular Role :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account so the role can inherit those attributes """ # Metadata self.path = role_detail["Path"] self.role_name = role_detail["RoleName"] self.role_id = role_detail["RoleId"] self.arn = role_detail.get("Arn") self.create_date = role_detail.get("CreateDate") self.tags = role_detail.get("Tags") self.role_last_used = role_detail.get("RoleLastUsed", {}).get("LastUsedDate") self.role_detail = role_detail # just to reference later in debugging if not isinstance(exclusions, Exclusions): raise Exception( "The exclusions provided is not an Exclusions type object. " "Please supply an Exclusions object and try again.") self.is_excluded = self._is_excluded(exclusions) # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints self.flag_conditional_statements = flag_conditional_statements self.flag_resource_arn_statements = flag_resource_arn_statements # Metadata in object form self.assume_role_policy_document = None assume_role_policy = role_detail.get("AssumeRolePolicyDocument") if assume_role_policy: self.assume_role_policy_document = AssumeRolePolicyDocument( assume_role_policy) # TODO: Create a class for InstanceProfileList self.instance_profile_list = role_detail.get("InstanceProfileList", []) # Inline Policies self.inline_policies = [] # If the role itself is NOT excluded, add its inline policies if not self.is_excluded: for policy_detail in role_detail.get("RolePolicyList", []): policy_name = policy_detail.get("PolicyName") policy_document = policy_detail.get("PolicyDocument") policy_id = get_non_provider_id(json.dumps(policy_document)) if not (exclusions.is_policy_excluded(policy_name) or exclusions.is_policy_excluded(policy_id)): inline_policy = InlinePolicy( policy_detail, exclusions=exclusions, flag_conditional_statements=flag_conditional_statements, flag_resource_arn_statements= flag_resource_arn_statements) self.inline_policies.append(inline_policy) # Managed Policies (either AWS-managed or Customer managed) self.attached_managed_policies = [] # If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies if not self.is_excluded: for policy in role_detail.get("AttachedManagedPolicies", []): arn = policy.get("PolicyArn") if not (exclusions.is_policy_excluded(arn) or exclusions.is_policy_excluded( get_full_policy_path(arn)) or exclusions.is_policy_excluded(get_policy_name(arn))): attached_managed_policy_details = policy_details.get_policy_detail( arn) self.attached_managed_policies.append( attached_managed_policy_details)