def get_action_access_level_overrides_from_yml(service, access_level_overrides_file_path=None):
    """
    Read the YML overrides file, which is formatted like:
    ['ec2']['permissions-management'][action_name].

    Since the AWS Documentation is sometimes outdated, we can use this YML
    file to override whatever they provide in their documentation.

    :param service: service key to look up in the overrides file (e.g. 'ec2').
    :param access_level_overrides_file_path: path to the overrides YML file;
        when falsy, the bundled data/access-level-overrides.yml that lives
        next to this module is used.
    :return: the overrides mapping stored under ``service``, or False when the
        file has no entry for that service.
    """
    overrides_path = access_level_overrides_file_path
    if not overrides_path:
        # Fall back to the copy shipped alongside this module.
        module_dir = os.path.abspath(os.path.dirname(__file__))
        overrides_path = module_dir + '/data/access-level-overrides.yml'
    # NOTE(review): read_yaml_file is defined elsewhere; confirm it uses a safe
    # YAML loader, since the path here can be caller-supplied.
    overrides = read_yaml_file(overrides_path)
    if service not in overrides:
        return False
    return overrides[service]
def write_policy(input_file, crud, minimize):
    """
    Write a least-privilege IAM Policy by supplying either a list of actions or
    access levels specific to resource ARNs!

    :param input_file: path to the YML file describing the desired policy.
    :param crud: when truthy, ``input_file`` holds resource-specific access
        levels; otherwise it holds a list of IAM actions.
    :param minimize: forwarded unchanged to the policy writer.
    :return: the generated policy document, which is also printed to stdout
        as indented JSON.
    """
    # TODO: JSON Validation function
    session = connect_db(DATABASE_FILE_PATH)
    # NOTE(review): read_yaml_file is defined elsewhere; confirm it uses a safe
    # YAML loader, since input_file is user-supplied.
    policy_cfg = read_yaml_file(input_file)
    # Pick the writer by input format: access levels (CRUD) vs. explicit actions.
    writer = write_policy_with_access_levels if crud else write_policy_with_actions
    policy = writer(policy_cfg, session, minimize)
    print(json.dumps(policy, indent=4))
    return policy
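def write_policy(input_file, crud, minimize):
    """
    Write a least-privilege IAM Policy by supplying either a list of actions or
    access levels specific to resource ARNs!

    :param input_file: path to the YML file describing the desired policy.
    :param crud: when truthy, ``input_file`` holds resource-specific access
        levels; otherwise it holds a list of IAM actions.
    :param minimize: forwarded unchanged to the policy writer.
    :return: the generated policy document, which is also printed to stdout
        as indented JSON.
    """
    # TODO: JSON Validation function
    # Build the database location with pathlib instead of hand-concatenated
    # '/' separators so it is correct on every platform; connect_db still
    # receives a str, as before.
    database_path = str(Path.home() / '.policy_sentry' / 'aws.sqlite3')
    db_session = connect_db(database_path)
    # NOTE(review): read_yaml_file is defined elsewhere; confirm it uses a safe
    # YAML loader, since input_file is user-supplied.
    cfg = read_yaml_file(input_file)
    # User supplies file containing resource-specific access levels
    if crud:
        policy = write_policy_with_access_levels(cfg, db_session, minimize)
    # User supplies file containing a list of IAM actions
    else:
        policy = write_policy_with_actions(cfg, db_session, minimize)
    print(json.dumps(policy, indent=4))
    return policy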
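def write_policy_dir(input_dir, output_dir, crud, minimize):
    """
    write_policy, but this time with an input directory of YML/YAML files, and
    an output directory for all the JSON files.

    :param input_dir: directory holding ``*.yml`` policy definitions; only its
        top level is scanned (no recursion).
    :param output_dir: directory that receives one ``<name>.json`` per input
        file; an existing file of the same name is removed first.
    :param crud: when truthy each input file holds resource-specific access
        levels; otherwise a list of IAM actions.
    :param minimize: forwarded unchanged to the policy writer.

    Exits the process with status 1 when either directory fails
    check_valid_file_path.
    """
    # Same pathlib construction as write_policy: no hand-concatenated '/'.
    database_path = str(Path.home() / '.policy_sentry' / 'aws.sqlite3')
    db_session = connect_db(database_path)
    input_dir = os.path.abspath(input_dir)
    output_dir = os.path.abspath(output_dir)
    if not crud:
        print(
            "Warning: If you are using ARNs from Terraform to generate your policies, "
            "try using the CRUD functionality instead of the default actions-based policy writing functionality."
        )
    if not minimize:
        print(
            "Warning: --minimize option is not set. If the policy is too large, "
            "it can hit the AWS IAM Policy character limit. "
            "We'll execute as-is, but try using `--minimize 0` functionality "
            "for production to optimize policy size.\n")
    # Validate both directories before touching anything. A non-zero exit
    # status lets callers and shell scripts distinguish this failure from a
    # successful run (a bare sys.exit() would report success).
    if not check_valid_file_path(input_dir):
        print("Input directory is invalid")
        sys.exit(1)
    if not check_valid_file_path(output_dir):
        print("Output directory is invalid")
        sys.exit(1)
    input_files = glob.glob(os.path.join(input_dir, '*.yml'), recursive=False)
    if not input_files:
        print(
            "Directory is empty or does not have files with *.yml extension. "
            "Please check the folder contents and/or extension spelling.")
    print("Writing the policy JSON files from " + input_dir + " to " + output_dir + "...\n")
    for yaml_file in input_files:
        _write_policy_json_for_file(yaml_file, output_dir, db_session, crud, minimize)
    print("Finished")


def _write_policy_json_for_file(yaml_file, output_dir, db_session, crud, minimize):
    """Generate the policy for one YML file and write it as <name>.json into output_dir."""
    # The file name without its extension becomes the policy name.
    base_name = os.path.basename(yaml_file)
    base_name_no_extension = os.path.splitext(base_name)[0]
    # NOTE(review): read_yaml_file is defined elsewhere; confirm it uses a safe
    # YAML loader, since these files come from a user-supplied directory.
    cfg = read_yaml_file(yaml_file)
    # User supplies file containing resource-specific access levels
    if crud:
        policy = write_policy_with_access_levels(cfg, db_session, minimize)
    # User supplies file containing a list of IAM actions
    else:
        policy = write_policy_with_actions(cfg, db_session, minimize)
    print("Writing policy for " + base_name + '\n')
    # basename() above already dropped any directory component, so the target
    # always lands directly inside output_dir.
    target_file = os.path.join(output_dir, base_name_no_extension + '.json')
    if os.path.exists(target_file):
        # Announce and remove the stale output rather than relying on
        # write_json_file (defined elsewhere) to overwrite it.
        print(
            "Target file for " + base_name_no_extension + '.json' +
            " exists in the target directory. Removing it and writing a new file.\n"
        )
        os.remove(target_file)
    write_json_file(target_file, policy)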
def load_report_config_file(filename):
    """Read the Report config file and return the rendered dict.

    :param filename: path to the report config YML file.
    :return: whatever read_yaml_file produces for that file.
    """
    # NOTE(review): read_yaml_file is defined elsewhere; confirm it uses a safe
    # YAML loader, since filename is caller-supplied.
    return read_yaml_file(filename)