 def test_analyze_by_access_level(self):
     """test_analyze_by_access_level: Test out calling this as a library

     Feeds a two-statement policy to ``analyze_by_access_level`` and checks
     that only the actions classified at the "permissions-management"
     access level come back, with the read/list actions filtered out.
     Several non-management actions are written in lower case (presumably
     to exercise case-insensitive matching); the expected result is the
     canonical-case, alphabetically ordered list.
     """
     # Statement 1: two resource-policy writes (permissions management)
     # mixed with read-only ECR calls.
     broad_statement = {
         "Effect": "Allow",
         "Action": [
             "ecr:SetRepositoryPolicy",
             "secretsmanager:DeleteResourcePolicy",
             "ecr:getrepositorypolicy",
             "ecr:describerepositories",
             "ecr:listimages",
             "ecr:DescribeImages",
         ],
         "Resource": "*",
     }
     # Statement 2: the usual "manage your own access keys" statement.
     # Create/Delete/Update are permissions management; List is not.
     own_keys_statement = {
         "Sid": "AllowManageOwnAccessKeys",
         "Effect": "Allow",
         "Action": [
             "iam:CreateAccessKey",
             "iam:DeleteAccessKey",
             "iam:UpdateAccessKey",
             "iam:ListAccessKeys",
         ],
         "Resource": "arn:aws:iam::*:user/${aws:username}",
     }
     policy = {
         "Version": "2012-10-17",
         "Statement": [broad_statement, own_keys_statement],
     }

     actual = analyze_by_access_level(db_session, policy,
                                      "permissions-management")
     expected = [
         "ecr:SetRepositoryPolicy",
         "iam:CreateAccessKey",
         "iam:DeleteAccessKey",
         "iam:UpdateAccessKey",
         "secretsmanager:DeleteResourcePolicy",
     ]
     # Show the whole diff on failure so the missing/extra action is visible.
     self.maxDiff = None
     self.assertListEqual(actual, expected)
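def has_write_access(policy):
    """
    Given a policy as a dictionary, return the IAM Actions it grants at the
    "permissions-management" access level, or an empty list if there are none.

    Despite its name this does NOT inspect the "Write" access level: an
    action such as s3:PutObjectAcl (permissions management) is reported,
    while write-level actions such as s3:PutObjectLegalHold are not.
    Callers that need write-level coverage must query that level separately.

    :param policy: IAM policy document as a dict (``Version``/``Statement``).
    :return: list of action names.  Always a list -- never ``False`` or
             ``None`` -- so the result can be iterated or truth-tested
             directly.
    """
    # NOTE(review): ``db_session`` is passed as the second positional argument
    # here, whereas other callers pass it first -- confirm against the
    # signature of the analyze_by_access_level version in use.
    permissions_management_actions = analyze_by_access_level(
        policy, db_session, "permissions-management")
    # Normalise "nothing found" (empty or missing) to [] so the return type is
    # stable for callers.
    return permissions_management_actions or []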
ファイル: test_analyze.py プロジェクト: zscholl/policy_sentry
 def test_gh_162(self):
     """test_gh_162: Addressing the concern in the Github issue
     https://github.com/salesforce/policy_sentry/issues/162

     A policy granting the wildcards ``s3:GetObject*`` / ``s3:PutObject*`` is
     run through every access level.  The wildcards have to be expanded
     before the level is assigned: ``s3:PutObjectAcl`` is permissions
     management even though it hides behind a write-looking prefix.
     """
     policy = {
         "Statement": [{
             "Action": ["s3:GetObject*", "s3:PutObject*"],
             "Effect": "Allow",
             "Resource": ["*"]
         }],
         "Version":
         "2012-10-17"
     }

     def run(level, banner):
         # Print the banner and the raw result so a failure is easy to read.
         print('********* %s ***********' % banner)
         found = analyze_by_access_level(policy, level)
         print(json.dumps(found, indent=4))
         return found

     # Rather than maintaining a large list as AWS keeps adding new actions,
     # just verify that an expanded action exists in the list
     self.assertTrue("s3:GetObjectAcl" in run("Read", "READ"))
     # Nothing in this policy is a List-level action.
     self.assertListEqual(run("List", "LIST"), [])
     self.assertTrue("s3:PutObjectLegalHold" in run("Write", "WRITE"))
     self.assertTrue("s3:PutObjectTagging" in run("Tagging", "TAGGING"))
     self.assertTrue(
         "s3:PutObjectAcl" in run("Permissions management",
                                  "PERMISSIONS-MANAGEMENT"))
        "Statement": [{
            "Effect":
            "Allow",
            "Action": [
                # These ones are Permissions management
                "ecr:SetRepositoryPolicy",
                "secretsmanager:DeleteResourcePolicy",
                "iam:UpdateAccessKey",
                # These ones are not permissions management
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
            ],
            "Resource":
            "*"
        }]
    }
    permissions_management_actions = analyze_by_access_level(
        permissions_management_policy, "Permissions management")
    print(json.dumps(permissions_management_actions, indent=4))
"""
Output:

[
    'ecr:setrepositorypolicy',
    'iam:updateaccesskey',
    'secretsmanager:deleteresourcepolicy'
]
"""
        "Statement": [{
            "Effect":
            "Allow",
            "Action": [
                # These ones are Permissions management
                "ecr:SetRepositoryPolicy",
                "secretsmanager:DeleteResourcePolicy",
                "iam:UpdateAccessKey",
                # These ones are not permissions management
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
            ],
            "Resource":
            "*"
        }]
    }
    permissions_management_actions = analyze_by_access_level(
        db_session, permissions_management_policy, "permissions-management")
    print(json.dumps(permissions_management_actions, indent=4))
"""
Output:

[
    'ecr:setrepositorypolicy',
    'iam:updateaccesskey',
    'secretsmanager:deleteresourcepolicy'
]
"""