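def __init__(self, input):
    """Parse *input* into this ARN object.

    The following forms are recognised, tried in this order:

    * a full ARN ``arn:<partition>:<service>:<region>:<account>:<resource>`` whose
      account field is empty, ``*``, a 12-digit account id, ``cloudfront`` or ``aws``;
    * a bare 12-digit AWS account number;
    * a service principal ending in a literal ``.amazonaws.com`` or ``.amazon.com``;
    * an internal service principal of the form ``<name>.aws.internal``.

    Anything else sets ``self.error`` and logs a warning. ``self.root`` is set only
    for an IAM ARN whose resource part is ``root``. The ``_from_*`` helpers that fill
    in the remaining attributes are defined elsewhere in the class.

    Args:
        input: the raw principal / ARN string to parse.
    """
    # NOTE(review): ``self.error`` / ``self.root`` are only ever set to True here;
    # presumably the class declares False defaults for both — confirm.
    self.arn = input

    arn_match = re.search(
        r"^arn:([^:]*):([^:]*):([^:]*):(|\*|[\d]{12}|cloudfront|aws):(.+)$", input)
    if arn_match:
        # group(2) is the service, group(5) the resource, e.g. ``arn:aws:iam::<acct>:root``.
        if arn_match.group(2) == "iam" and arn_match.group(5) == "root":
            self.root = True
        self._from_arn(arn_match, input)
        return

    # Exactly twelve digits. The earlier pattern ``^(\d{12})+$`` also accepted any
    # multiple of twelve digits and passed that string on as an account number.
    acct_number_match = re.search(r"^\d{12}$", input)
    if acct_number_match:
        self._from_account_number(input)
        return

    # Dots are escaped so that only a literal ``.amazonaws.com`` / ``.amazon.com``
    # suffix qualifies; an unescaped ``.`` would let any character stand in for it.
    aws_service_match = re.search(
        r"^(([^.]+)(\.[^.]+)?)\.amazon(aws)?\.com$", input)
    if aws_service_match:
        self._from_aws_service(input, aws_service_match.group(1))
        return

    # Same for ``<name>.aws.internal``: the separators must be literal dots.
    aws_service_match = re.search(r"^([^.]+)\.aws\.internal$", input)
    if aws_service_match:
        self._from_aws_service(input, aws_service_match.group(1))
        return

    self.error = True
    logger.warning("ARN Could not parse [{}].".format(input))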
def _arn_internet_accessible(self, arn_input):
    """Return True when the principal *arn_input* is treated as reachable from the Internet.

    A bare ``*`` is always open. Any other value is parsed with ``ARN``; a value
    that fails to parse is logged and counts as open only if it contains a
    wildcard. S3 ARNs are never treated as open here (they carry no account
    number). An ARN with neither an account number nor a service is logged and
    treated as open, as is one whose account number is ``*``.

    Args:
        arn_input: the principal string from a policy statement.

    Returns:
        bool
    """
    if arn_input == "*":
        return True

    parsed = ARN(arn_input)
    if parsed.error:
        logger.warning("Auditor could not parse ARN {arn}.".format(arn=arn_input))
        return "*" in arn_input

    # S3 ARNs typically don't have account numbers.
    if parsed.tech == "s3":
        return False

    no_principal_info = not (parsed.account_number or parsed.service)
    if no_principal_info:
        logger.warning(
            "Auditor could not parse Account Number from ARN {arn}.".format(
                arn=arn_input
            )
        )
        return True

    return parsed.account_number == "*"