def scan(input, exclusions_file, output, all_access_levels, skip_open_report): # pylint: disable=redefined-builtin
"""
Given the path to account authorization details files and the exclusions config file, scan all inline and
managed policies in the account to identify actions that do not leverage resource constraints.
"""
if exclusions_file:
with open(exclusions_file, "r") as yaml_file:
try:
exclusions_cfg = yaml.safe_load(yaml_file)
except yaml.YAMLError as exc:
logger.critical(exc)
check_exclusions_schema(exclusions_cfg)
if os.path.isfile(input):
scan_account_authorization_file(input, exclusions_cfg, output,
all_access_levels, skip_open_report)
if os.path.isdir(input):
logger.info(
"The path given is a directory. Scanning for account authorization files and generating report."
)
input_files = get_authorization_files_in_directory(input)
for file in input_files:
logger.info(f"Scanning file: {file}")
scan_account_authorization_file(file, exclusions_cfg, output,
all_access_levels,
skip_open_report)
def test_exclusions_error(self):
"""shared.validation.check_exclusions_schema: Make sure an exception is raised if the format is incorrect"""
exclusions_cfg = {
"fake": ["MyRole"],
}
with self.assertRaises(Exception):
check_exclusions_schema(exclusions_cfg)
def __init__(self, exclusions_config=DEFAULT_EXCLUSIONS_CONFIG):
check_exclusions_schema(exclusions_config)
self.config = exclusions_config
self.include_actions = self._include_actions()
self.exclude_actions = self._exclude_actions()
self.roles = self._roles()
self.users = self._users()
self.groups = self._groups()
self.policies = self._policies()
def scan_policy_file(input, exclusions_file, high_priority_only): # pylint: disable=redefined-builtin
"""Scan a single policy file to identify missing resource constraints."""
file = input
# Get the exclusions configuration
with open(exclusions_file, "r") as yaml_file:
try:
exclusions_cfg = yaml.safe_load(yaml_file)
except yaml.YAMLError as exc:
logger.critical(exc)
check_exclusions_schema(exclusions_cfg)
# Get the Policy
with open(file) as json_file:
logger.debug(f"Opening {file}")
policy = json.load(json_file)
policy_name = Path(file).stem
# Run the scan and get the raw data.
results = scan_policy(policy, policy_name, exclusions_cfg)
# There will only be one finding in the results but it is in a list.
for finding in results:
if finding["PrivilegeEscalation"]:
print(f"{RED}Issue found: Privilege Escalation{END}")
for item in finding["PrivilegeEscalation"]:
print(f"- Method: {item['type']}")
print(f" Actions: {', '.join(item['PrivilegeEscalation'])}\n")
if finding["DataExfiltrationActions"]:
print(f"{RED}Issue found: Data Exfiltration{END}")
print(
f"{BOLD}Actions{END}: {', '.join(finding['DataExfiltrationActions'])}\n"
)
if finding["PermissionsManagementActions"]:
print(f"{RED}Issue found: Resource Exposure{END}")
print(
f"{BOLD}Actions{END}: {', '.join(finding['PermissionsManagementActions'])}\n"
)
if not high_priority_only:
print(
f"{RED}Issue found: Unrestricted Infrastructure Modification{END}"
)
print(f"{BOLD}Actions{END}: {', '.join(finding['Actions'])}")
logger = logging.getLogger(__name__)
PACKAGE_DIR = str(
os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir))
)
EXCLUSIONS_FILE = str(os.path.join(PACKAGE_DIR, "shared", "default-exclusions.yml"))
if EXCLUSIONS_FILE:
with open(EXCLUSIONS_FILE, "r") as yaml_file:
try:
DEFAULT_EXCLUSIONS_CONFIG = yaml.safe_load(yaml_file)
except yaml.YAMLError as exc:
logger.critical(exc)
check_exclusions_schema(DEFAULT_EXCLUSIONS_CONFIG)
EXCLUSIONS_TEMPLATE = """# Policy names to exclude from evaluation
# Suggestion: Add policies here that are known to be overly permissive by design, after you run the initial report.
policies:
- "AWSServiceRoleFor*"
- "*ServiceRolePolicy"
- "*ServiceLinkedRolePolicy"
- "AdministratorAccess" # Otherwise, this will take a long time
- "service-role*"
- "aws-service-role*"
# Don't evaluate these roles, users, or groups as part of the evaluation
roles:
- "service-role*"
- "aws-service-role*"
users:
