コード例 #1
0
def get_actions_with_access_level(db_session, service, access_level):
    """
    Get a list of actions in a service under different access levels.

    :param db_session: SQLAlchemy database session object
    :param service: A single AWS service prefix, like `s3` or `kms`
    :param access_level: An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permisssions management', or 'Tagging'

    :return: A list of actions
    """
    actions_list = []
    all_services = get_all_service_prefixes(db_session)
    if service == "all":
        for serv in all_services:
            output = get_actions_with_access_level(db_session, serv, access_level)
            actions_list.extend(output)
    rows = db_session.query(ActionTable).filter(
        and_(
            ActionTable.service.like(service),
            ActionTable.access_level.ilike(access_level),
        )
    )
    # Create a list of actions under each service. Use this list to pass in to the remove_actions_not_matching_access_level function
    # which will give you the list of actions you want.
    for row in rows:
        action = get_full_action_name(row.service, row.name)
        if action not in actions_list:
            actions_list.append(action)
    return actions_list
コード例 #2
0
ファイル: generate.py プロジェクト: ekmixon/aws-allowlister
def validate_services_from_file(services: list):
    valid_aws_services = get_all_service_prefixes()
    for service in services:
        if service not in valid_aws_services:
            raise Exception(
                f"{service} is not a valid AWS service. Please supply a valid AWS service name and try again."
            )
コード例 #3
0
    def service_wildcard(self) -> List[str]:
        """Determine if the policy gives access to all actions within a service - simple grepping"""
        services = set()
        all_service_prefixes = get_all_service_prefixes()

        for statement in self.statements:
            logger.debug("Evaluating statement: %s", statement.json)
            if statement.effect_allow:
                if isinstance(statement.actions, list):
                    for action in statement.actions:
                        # If the action is a straight up *
                        if action == "*":
                            logger.debug(
                                "All actions are allowed by this policy")
                            services.update(all_service_prefixes)
                        # Otherwise, it will take the format of service:*
                        else:
                            service, this_action = action.split(":")
                            # service:*
                            if this_action == "*":
                                services.add(service)
                elif isinstance(statement.actions, str):
                    # If the action is a straight up *
                    if statement.actions == "*":
                        logger.debug("All actions are allowed by this policy")
                        services.update(all_service_prefixes)
                    else:
                        service, this_action = statement.actions.split(":")
                        # service:*
                        if this_action == "*":
                            services.add(service)
        return sorted(services)
コード例 #4
0
ファイル: initialize.py プロジェクト: mbeacom/policy_sentry
def initialize(access_level_overrides_file, fetch, build):
    """
    Initialize the local database to store AWS IAM information, which can be used to generate IAM policies, and for
    querying the database.
    """
    if not access_level_overrides_file:
        overrides_file = HOME + CONFIG_DIRECTORY + 'access-level-overrides.yml'
    else:
        overrides_file = access_level_overrides_file
    # Create the config directory
    database_path = create_policy_sentry_config_directory()

    # Copy over the html docs, which will be used to build the database
    create_html_docs_directory()

    # Create the directory to download IAM policies to
    create_policy_analysis_directory()

    # Create audit directory to host list of permissions for analyze_iam_policy
    create_audit_directory()

    # Create overrides file, which allows us to override the Access Levels
    # provided by AWS documentation
    create_default_overrides_file()

    # Create the default reporting configuration file. This is used by
    # analyze_iam_policy
    create_default_report_config_file()

    if not build and not fetch:
        # copy from the bundled database location to the destination path
        shutil.copy(BUNDLED_DATABASE_FILE_PATH, database_path)

    # Connect to the database at that path with SQLAlchemy
    db_session = connect_db(database_path, initialization=True)

    # --fetch: wget the AWS IAM Actions, Resources and Condition Keys pages and store them locally.
    # if --build and --fetch are both supplied, just do --fetch
    if fetch:
        # `wget` the html docs to the local directory
        update_html_docs_directory(HTML_DIRECTORY_PATH)
        # Update the links.yml file
        prefix_list = create_service_links_mapping_file(
            HTML_DIRECTORY_PATH, LINKS_YML_FILE_LOCAL)
        print(f"Services: {prefix_list}")

    # initialize --build
    if build or access_level_overrides_file or fetch:
        # Use the list of services that were listed in the links.yml file
        all_aws_services = get_list_of_service_prefixes_from_links_file(
            LINKS_YML_FILE_LOCAL)
        print(f"Services to build for: ${LINKS_YML_FILE_LOCAL}")
        # Fill in the database with data on the AWS services
        create_database(db_session, all_aws_services, overrides_file)
        print("Created tables for all services!")

    # Query the database for all the services that are now in the database.
    all_aws_service_prefixes = get_all_service_prefixes(db_session)
    total_count_of_services = str(len(all_aws_service_prefixes))
    print(f"{total_count_of_services} AWS services in the database. \nServices: {all_aws_service_prefixes}")
コード例 #5
0
def initialize(access_level_overrides_file, fetch, build, log_level):
    """
    Initialize the local database to store AWS IAM information, which can be used to generate IAM policies, and for
    querying the database.
    """
    set_log_level(logger, log_level)

    if not access_level_overrides_file:
        overrides_file = HOME + CONFIG_DIRECTORY + "access-level-overrides.yml"
    else:
        overrides_file = access_level_overrides_file
    # Create the config directory
    database_path = create_policy_sentry_config_directory()

    # Copy over the html docs, which will be used to build the database
    create_html_docs_directory()

    # Create overrides file, which allows us to override the Access Levels
    # provided by AWS documentation
    create_default_overrides_file()

    print("Database will be stored here: %s", database_path)

    if not build and not fetch:
        # copy from the bundled database location to the destination path
        shutil.copy(BUNDLED_DATABASE_FILE_PATH, database_path)

    # Connect to the database at that path with SQLAlchemy
    db_session = connect_db(database_path, initialization=True)

    # --fetch: wget the AWS IAM Actions, Resources and Condition Keys pages and store them locally.
    # if --build and --fetch are both supplied, just do --fetch
    if fetch:
        # `wget` the html docs to the local directory
        update_html_docs_directory(HTML_DIRECTORY_PATH)
        # Update the links.yml file
        prefix_list = create_service_links_mapping_file(
            HTML_DIRECTORY_PATH, LINKS_YML_FILE_LOCAL)
        print(f"Services: {prefix_list}")

    # initialize --build
    if build or access_level_overrides_file or fetch:
        # Use the list of services that were listed in the links.yml file
        all_aws_services = get_list_of_service_prefixes_from_links_file(
            LINKS_YML_FILE_LOCAL)
        logger.debug("Services to build are stored in: %s",
                     LINKS_YML_FILE_LOCAL)
        # Fill in the database with data on the AWS services
        create_database(db_session, all_aws_services, overrides_file)
        print("Created tables for all services!")

    # Query the database for all the services that are now in the database.
    all_aws_service_prefixes = get_all_service_prefixes(db_session)
    total_count_of_services = str(len(all_aws_service_prefixes))
    print("Initialization complete!")
    print(f"Total AWS services in the IAM database: {total_count_of_services}")
    logger.debug("\nService prefixes:")
    logger.debug(", ".join(all_aws_service_prefixes))
コード例 #6
0
def action_table(name, service, access_level, condition, wildcard_only):
    """Query the Action Table from the Policy Sentry database"""
    db_session = connect_db(DATABASE_FILE_PATH)
    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes(db_session)
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            results = []
            for serv in all_services:
                output = get_actions_with_access_level(db_session, serv, level)
                results.extend(output)
            for result in results:
                print(result)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            for item in all_services:
                print(item)
    elif name is None and access_level:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(db_session, service, level)
        print(json.dumps(output, indent=4))
    # Get a list of all IAM actions under the service that support the
    # specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(db_session, service,
                                                    condition)
        print(json.dumps(output, indent=4))
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(
            db_session, service)
        print(json.dumps(output, indent=4))
    elif name and access_level is None:
        output = get_action_data(db_session, service, name)
        print(json.dumps(output, indent=4))
    else:
        print(f"All IAM actions available to {service}:")
        # Get a list of all IAM Actions available to the service
        action_list = get_actions_for_service(db_session, service)
        print(f"ALL {service} actions:")
        for item in action_list:
            print(item)
コード例 #7
0
def initialize(access_level_overrides_file, fetch, build):
    """
    Initialize the local data file to store AWS IAM information, which can be used to generate IAM policies, and for
    querying the database.
    """

    if not access_level_overrides_file:
        overrides_file = LOCAL_ACCESS_OVERRIDES_FILE
    else:
        overrides_file = access_level_overrides_file
    # Create the config directory
    database_path = create_policy_sentry_config_directory()

    # Copy over the html docs, which will be used to build the database
    create_html_docs_directory()

    # Create overrides file, which allows us to override the Access Levels
    # provided by AWS documentation
    file_list = [
        f for f in os.listdir(BUNDLED_DATA_DIRECTORY)
        if os.path.isfile(os.path.join(BUNDLED_DATA_DIRECTORY, f))
    ]

    for file in file_list:
        if file.endswith(".yml"):
            shutil.copy(os.path.join(BUNDLED_DATA_DIRECTORY, file),
                        CONFIG_DIRECTORY)
            logger.debug("copying overrides file %s to %s", file,
                         CONFIG_DIRECTORY)
    print("Database will be stored here: " + database_path)

    if not build and not fetch:
        # copy from the bundled database location to the destination path
        shutil.copy(BUNDLED_DATASTORE_FILE_PATH, database_path)

    # --fetch: wget the AWS IAM Actions, Resources and Condition Keys pages and store them locally.
    # if --build and --fetch are both supplied, just do --fetch
    if fetch:
        # `wget` the html docs to the local directory
        update_html_docs_directory(LOCAL_HTML_DIRECTORY_PATH)
        create_database(CONFIG_DIRECTORY, overrides_file)

    # initialize --build
    if build or access_level_overrides_file or fetch:
        create_database(CONFIG_DIRECTORY, overrides_file)
        print("Created the database!")

    # Query the database for all the services that are now in the database.
    all_aws_service_prefixes = get_all_service_prefixes()
    total_count_of_services = str(len(all_aws_service_prefixes))
    print("Initialization complete!")
    print(f"Total AWS services in the IAM database: {total_count_of_services}")
    logger.debug("\nService prefixes:")
    logger.debug(", ".join(all_aws_service_prefixes))
コード例 #8
0
def initialize(access_level_overrides_file, fetch):
    """
    Create a local database to store AWS IAM information, which can be used to generate IAM policies and analyze them
    for least privilege.
    """

    # Create the config directory
    database_path = create_policy_sentry_config_directory()

    # Copy over the html docs, which will be used to build the database
    create_html_docs_directory()

    # Create the directory to download IAM policies to
    create_policy_analysis_directory()

    # Create audit directory to host list of permissions for analyze_iam_policy
    create_audit_directory()

    # Create overrides file, which allows us to override the Access Levels
    # provided by AWS documentation
    create_default_overrides_file()

    # Create the default reporting configuration file. This is used by
    # analyze_iam_policy
    create_default_report_config_file()

    # If the user specifies fetch, wget the AWS IAM Actions, Resources and Condition Keys pages and store them locally.
    if fetch:
        # `wget` the html docs to the local directory
        update_html_docs_directory(HTML_DIRECTORY_PATH)
        # Update the links.yml file
        prefix_list = create_service_links_mapping_file(
            HTML_DIRECTORY_PATH, LINKS_YML_FILE_LOCAL)
        print(f"Services: {prefix_list}")

    # Connect to the database at that path with SQLAlchemy
    db_session = connect_db(database_path, initialization=True)

    # Use the list of services that were listed in the links.yml file
    all_aws_services = get_list_of_service_prefixes_from_links_file(
        LINKS_YML_FILE_LOCAL)
    print(f"Services to build for: ${LINKS_YML_FILE_LOCAL}")

    # Fill in the database with data on the AWS services
    create_database(db_session, all_aws_services, access_level_overrides_file)
    print("Created tables for all services!")

    # Query the database for all the services that are now in the database.
    all_aws_service_prefixes = get_all_service_prefixes(db_session)
    total_count_of_services = str(len(all_aws_service_prefixes))
    print(
        f"{total_count_of_services} AWS services in the database. \nServices: {all_aws_service_prefixes}"
    )
コード例 #9
0
 def service_wildcard(self):
     """Determine if the policy gives access to all actions within a service - simple grepping"""
     services = []
     for statement in self.statements:
         logger.debug("Evaluating statement: %s", statement.json)
         if statement.effect == "Allow":
             if isinstance(statement.actions, list):
                 for action in statement.actions:
                     # If the action is a straight up *
                     if action == "*":
                         logger.debug(
                             "All actions are allowed by this policy")
                         services.extend(get_all_service_prefixes())
                     # Otherwise, it will take the format of service:*
                     else:
                         service, this_action = action.split(":")
                         # service:*
                         if this_action == "*":
                             services.append(service)
             elif isinstance(statement.actions, str):
                 # If the action is a straight up *
                 if statement.actions == "*":
                     logger.debug("All actions are allowed by this policy")
                     services.append(get_all_service_prefixes())
                 else:
                     service, this_action = statement.actions.split(":")
                     # service:*
                     if this_action == "*":
                         services.append(service)
     if services:
         # Remove duplicates and sort
         services = list(dict.fromkeys(services))
         these_services = services.copy()
         these_services.sort()
         return these_services
     else:
         return []
コード例 #10
0
"""
Methods that execute specific queries against the database for the ACTIONS table.
This supports the Policy Sentry query functionality
"""
import logging
import functools
from policy_sentry.shared.iam_data import iam_definition, get_service_prefix_data
from policy_sentry.querying.all import get_all_service_prefixes
from policy_sentry.querying.arns import get_matching_raw_arns, get_resource_type_name_with_raw_arn
from policy_sentry.util.arns import get_service_from_arn

all_service_prefixes = get_all_service_prefixes()
logger = logging.getLogger(__name__)


@functools.lru_cache(maxsize=1024)
def get_actions_for_service(service_prefix):
    """
    Get a list of available actions per AWS service

    Arguments:
        service_prefix: List: An AWS service prefix, like `s3` or `kms`
    Returns:
        List: A list of actions
    """
    service_prefix_data = get_service_prefix_data(service_prefix)
    results = []
    if isinstance(service_prefix_data, dict):
        for item in service_prefix_data["privileges"]:
            results.append(f"{service_prefix}:{item}")
    return results
コード例 #11
0
def query_action_table(name,
                       service,
                       access_level,
                       condition,
                       resource_type,
                       fmt="json"):
    """Query the Action Table from the Policy Sentry database.
    Use this one when leveraging Policy Sentry as a library."""
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        logger.info(
            f"Using the Local IAM definition: {LOCAL_DATASTORE_FILE_PATH}. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/"
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")
    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                result = get_actions_with_access_level(serv, level)
                output.extend(result)
            print(yaml.dump(output)) if fmt == "yaml" else [
                print(result) for result in output
            ]
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            print(yaml.dump(output)) if fmt == "yaml" else [
                print(item) for item in output
            ]
    elif name is None and access_level and not resource_type:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    elif name is None and access_level and resource_type:
        print(
            f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
        )
        access_level = transform_access_level_text(access_level)
        output = get_actions_with_arn_type_and_access_level(
            service, resource_type, access_level)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif resource_type:
        print(
            f"IAM actions under {service} service that have the resource type {resource_type}:"
        )
        output = get_actions_matching_arn_type(service, resource_type)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    elif name and access_level is None:
        output = get_action_data(service, name)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(item) for item in output
        ]
    return output
コード例 #12
0
ファイル: hipaa.py プロジェクト: syllogy/aws-allowlister
import os
import requests
from bs4 import BeautifulSoup
from policy_sentry.querying.all import get_all_service_prefixes
from aws_allowlister.database.raw_scraping_data import RawScrapingData
from aws_allowlister.scrapers.aws_docs import get_aws_html
from aws_allowlister.shared.utils import clean_service_name
from sqlalchemy.orm.session import Session

ALL_SERVICE_PREFIXES = get_all_service_prefixes()


def scrape_hipaa_table(db_session: Session,
                       link: str,
                       destination_folder: str,
                       file_name: str,
                       download: bool = True):
    html_file_path = os.path.join(destination_folder, file_name)
    if os.path.exists(html_file_path):
        os.remove(html_file_path)

    if download:
        if os.path.exists(html_file_path):
            os.remove(html_file_path)
        get_aws_html(link, html_file_path)

    raw_scraping_data = RawScrapingData()

    # These show up as list items but are not relevant at all
    false_positives = [
        "AWS Cloud Security",
コード例 #13
0
ファイル: generate.py プロジェクト: ekmixon/aws-allowlister
def generate(all_standards, soc, pci, hipaa, iso, fedramp_high,
             fedramp_moderate, dodccsrg_il2_ew, dodccsrg_il2_gc,
             dodccsrg_il4_gc, dodccsrg_il5_gc, hitrust_csf, irap, include,
             include_file, exclude, exclude_file, table, json_list,
             excluded_table, excluded_json_list, quiet):
    standards = []
    if quiet:
        log_level = getattr(logging, "WARNING")
        set_stream_logger(level=log_level)
    else:
        log_level = getattr(logging, "INFO")
        set_stream_logger(level=log_level)

    # If include-file argument is supplied, then read the file and use it as the include args.
    if include_file:
        include = utils.read_yaml_file(include_file)
        validate_services_from_file(services=include)
    # Same thing with exclude-file argument
    if exclude_file:
        exclude = utils.read_yaml_file(exclude_file)
        validate_services_from_file(services=exclude)

    # Compile list of standards
    if soc:
        standards.append("SOC")
    if pci:
        standards.append("PCI")
    if hipaa:
        standards.append("HIPAA")
    if iso:
        standards.append("ISO")
    if fedramp_high:
        standards.append("FedRAMP_High")
    if fedramp_moderate:
        standards.append("FedRAMP_Moderate")
    if dodccsrg_il2_ew:
        standards.append("DoDCCSRG_IL2_EW")
    if dodccsrg_il2_gc:
        standards.append("DoDCCSRG_IL2_GC")
    if dodccsrg_il4_gc:
        standards.append("DoDCCSRG_IL4_GC")
    if dodccsrg_il5_gc:
        standards.append("DoDCCSRG_IL5_GC")
    if hitrust_csf:
        standards.append("HITRUST")
    if irap:
        standards.append("IRAP")
    if (all_standards and not soc and not pci and not hipaa and not iso
            and not fedramp_high and not fedramp_moderate
            and not dodccsrg_il2_ew and not dodccsrg_il2_gc
            and not dodccsrg_il4_gc and not dodccsrg_il5_gc and not hitrust_csf
            and not irap):
        standards = [
            "SOC", "PCI", "HIPAA", "ISO", "FedRAMP_High", "FedRAMP_Moderate"
        ]
        logger.info(
            f"--all was selected. The policy will include the default standard(s): {str(', '.join(standards))}"
        )
    if (not all_standards and not soc and not pci and not hipaa and not iso
            and not fedramp_high and not fedramp_moderate
            and not dodccsrg_il2_ew and not dodccsrg_il2_gc
            and not dodccsrg_il4_gc and not dodccsrg_il5_gc and not hitrust_csf
            and not irap):
        standards = [
            "SOC", "PCI", "HIPAA", "ISO", "FedRAMP_High", "FedRAMP_Moderate"
        ]
        logger.info(
            f"--all was selected. The policy will include the default standard(s): {str(', '.join(standards))}"
        )
    logger.info(f"Note: to silence these logs, supply the argument '--quiet'")
    logger.info(f"Policies for standard(s): {str(', '.join(standards))}")

    # If --table is provided, print as Markdown table. Otherwise, print the JSON policy
    if table:
        services = generate_allowlist_service_prefixes(standards, include,
                                                       exclude)
        services_tabulated = []
        headers = ["Service Prefix", "Service Name"]
        # services_tabulated.append(headers)
        for service_prefix in services:
            service_name = utils.get_service_name_matching_iam_service_prefix(
                service_prefix)
            try:
                service_authorization_url = get_service_authorization_url(
                    service_prefix)
            except AttributeError as error:
                logger.info(error)
                service_authorization_url = ""
            service_name_text = f"[{service_name}]({service_authorization_url})"
            # services_tabulated.append([service_prefix, service_name])
            services_tabulated.append([service_prefix, service_name_text])
        print(tabulate(services_tabulated, headers=headers, tablefmt="github"))
    elif json_list:
        services_json = {}
        services = generate_allowlist_service_prefixes(standards, include,
                                                       exclude)
        for service_prefix in services:
            service_name = utils.get_service_name_matching_iam_service_prefix(
                service_prefix)
            try:
                service_authorization_url = get_service_authorization_url(
                    service_prefix)
            except AttributeError as error:
                logger.info(error)
                service_authorization_url = ""
            services_json.update({
                service_prefix: {
                    'service_name': service_name,
                    'service_authorization_url': service_authorization_url
                }
            })
        print(json.dumps(services_json, indent=2))
    elif excluded_table:
        # Get the list of allowlist prefixes
        allowed_services = generate_allowlist_service_prefixes(
            standards, include, exclude)
        # Get the list of all service prefixes, not just the allowlist ones
        all_services = get_all_service_prefixes()
        # Create a list of services that don't exist in allowed_services
        excluded_services = []
        for service_prefix in all_services:
            if service_prefix not in allowed_services:
                excluded_services.append(service_prefix)
        excluded_services.sort()
        # Create the table
        services_tabulated = []
        headers = ["Service Prefix", "Service Name"]
        for service_prefix in excluded_services:
            service_name = utils.get_service_name_matching_iam_service_prefix(
                service_prefix)
            service_authorization_url = get_service_authorization_url(
                service_prefix)
            service_name_text = f"[{service_name}]({service_authorization_url})"
            # services_tabulated.append([service_prefix, service_name])
            services_tabulated.append([service_prefix, service_name_text])
        print(tabulate(services_tabulated, headers=headers, tablefmt="github"))
    elif excluded_json_list:
        services_json = {}
        allowed_services = generate_allowlist_service_prefixes(
            standards, include, exclude)
        all_services = get_all_service_prefixes()

        excluded_services = []
        for service_prefix in all_services:
            if service_prefix not in allowed_services:
                excluded_services.append(service_prefix)
        excluded_services.sort()

        for service_prefix in excluded_services:
            service_name = utils.get_service_name_matching_iam_service_prefix(
                service_prefix)
            try:
                service_authorization_url = get_service_authorization_url(
                    service_prefix)
            except AttributeError as error:
                logger.info(error)
                service_authorization_url = ""
            services_json.update({
                service_prefix: {
                    'service_name': service_name,
                    'service_authorization_url': service_authorization_url
                }
            })
        print(json.dumps(services_json, indent=2))
    else:
        results = generate_allowlist_scp(standards, include, exclude)

        minified_results = f"""{{
    "Version": "2012-10-17",
        "Statement": {{
            "Sid": "AllowList",
            "Effect": "Deny",
            "Resource": "*",
            "NotAction": {json.dumps(results.get('Statement').get('NotAction'))}
        }}
}}"""
        print(minified_results)
コード例 #14
0
ファイル: test_all.py プロジェクト: purplefi-sh/policy_sentry
 def test_get_all_service_prefixes(self):
     result = get_all_service_prefixes()
     self.assertGreater(len(result), 212)
コード例 #15
0
def query_action_table(name,
                       service,
                       access_level,
                       condition,
                       wildcard_only,
                       fmt="json"):
    """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library."""
    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                result = get_actions_with_access_level(serv, level)
                output.extend(result)
            print(yaml.dump(output)) if fmt == "yaml" else [
                print(result) for result in output
            ]
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            print(yaml.dump(output)) if fmt == "yaml" else [
                print(item) for item in output
            ]
    elif name is None and access_level and not wildcard_only:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    elif name is None and access_level and wildcard_only:
        print(
            f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
        )
        access_level = transform_access_level_text(access_level)
        output = get_actions_at_access_level_that_support_wildcard_arns_only(
            service, access_level)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(service)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    elif name and access_level is None:
        output = get_action_data(service, name)
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(json.dumps(output, indent=4))
        ]
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        print(yaml.dump(output)) if fmt == "yaml" else [
            print(item) for item in output
        ]
    return output
コード例 #16
0
#!/usr/bin/env python
from policy_sentry.shared.database import connect_db
from policy_sentry.querying.all import get_all_service_prefixes

if __name__ == '__main__':
    db_session = connect_db('bundled')
    all_service_prefixes = get_all_service_prefixes(db_session)
    print(all_service_prefixes)
"""
Output:

A list of every service prefix (like 'kms' or 's3') available in the IAM database.
Note that this will not include services that do not support any ARN types, like AWS IQ.
"""