def missing_resource_constraints(
        self, exclusions: Exclusions = DEFAULT_EXCLUSIONS) -> List[str]:
    """Return the statement's restrictable actions that apply to every resource.

    Only a statement whose resource list is exactly ``["*"]`` is treated as
    unconstrained; any other resource list (including ARNs that contain a
    wildcard) yields an empty candidate list before exclusions are applied.

    Args:
        exclusions: Exclusions object used to filter the resulting actions.

    Returns:
        The candidate actions after ``exclusions.get_allowed_actions``.

    Raises:
        Exception: if ``exclusions`` is not an ``Exclusions`` instance.
    """
    if not isinstance(exclusions, Exclusions):
        raise Exception(  # pragma: no cover
            "The provided exclusions is not the Exclusions object type. "
            "Please use the Exclusions object.")
    # A bare "*" is the only resource value recognised as "no constraint".
    unconstrained = (
        self.restrictable_actions
        if len(self.resources) == 1 and self.resources[0] == "*"
        else []
    )
    return exclusions.get_allowed_actions(unconstrained)
def test_new_exclusions_approach(self):
    """Excluded actions are dropped and the remaining actions keep their order."""
    exclusions = Exclusions({
        "policies": ["aws-service-role*"],
        "roles": ["aws-service-role*"],
        "users": [""],
        "include-actions": ["s3:GetObject"],
        "exclude-actions": ["kms:Decrypt"],
    })
    # "kms:decrypt" differs only in case from the excluded "kms:Decrypt";
    # the expectation below is that it is still dropped.
    candidate_actions = [
        "s3:GetObject",
        "kms:decrypt",
        "ssm:GetParameter",
        "ec2:DescribeInstances",
    ]
    expected = ['s3:GetObject', 'ssm:GetParameter', 'ec2:DescribeInstances']
    self.assertListEqual(
        exclusions.get_allowed_actions(candidate_actions), expected)
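def missing_resource_constraints(
        self, exclusions: Exclusions = DEFAULT_EXCLUSIONS) -> List[str]:
    """Return a sorted list of any actions - regardless of access level - allowed
    by the statement that do not leverage resource constraints.

    A statement is treated as lacking resource constraints when its resource
    list is exactly ``["*"]``, or when ``flag_resource_arn_statements`` is set
    (issue #390: flag the action even though a specific ARN is present).

    Args:
        exclusions: Exclusions object used to drop excluded actions.

    Returns:
        Sorted list of the actions that survive the exclusions.

    Raises:
        TypeError: if ``exclusions`` is not an ``Exclusions`` instance.
            TypeError subclasses Exception, so existing handlers still match.
    """
    if not isinstance(exclusions, Exclusions):
        raise TypeError(  # pragma: no cover
            "The provided exclusions is not the Exclusions object type. "
            "Please use the Exclusions object.")
    # Only a bare "*" resource is recognised as unconstrained; a wildcard
    # inside an ARN is not, unless flag_resource_arn_statements overrides.
    bare_wildcard = len(self.resources) == 1 and self.resources[0] == "*"
    if bare_wildcard or self.flag_resource_arn_statements:
        candidates = self.restrictable_actions
    else:
        candidates = []
    # sorted() builds a fresh list instead of sorting in place, so whatever
    # list get_allowed_actions hands back (possibly one shared with the
    # statement) is left untouched.
    return sorted(exclusions.get_allowed_actions(candidates))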