def test_analyze_policies(self): data = { "settings": { "principal_service": ["ec2", "ec2", "lambda"], "policies": ["default_role_policy"], "additional_policies": [{ "action": "s3:GetObject", "resource": "arn:aws:s3:::mybucketname" }], } } role = Role(data) actual = [] for analyzed_policy in role.analyze_policies(): for finding in analyzed_policy.findings: actual.append(str(finding)) expected = [ "RESOURCE_MISMATCH" " - [{'action': 's3:GetObject', 'required_format': 'arn:*:s3:::*/*'}]" " - {'actions': ['s3:GetObject'], 'filepath': None}" ] self.assertEqual(actual, expected)
def test_valid_managed_policy(self): data = { "settings": { "managed_policy_arns": ["AmazonEKSWorkerNodePolicy"] } } role = Role(data) actual = role.analyze_policies() expected = [] self.assertEqual(actual, expected)
def test_invalid_managed_policy(self): data = {"settings": {"managed_policy_arns": ["AdministratorAccess"]}} role = Role(data) actual = [str(finding) for finding in role.analyze_policies()] expected = [ "DENIED_POLICIES" " - Managed policies are not approved for use" " - {'managed_policy_arns': ['AdministratorAccess']}" ] self.assertEqual(actual, expected)
def lambda_handler(event, context=None): LOGGER.debug(f"event: {event}") if not event: LOGGER.error("No event found in request") return {"result": "UNSUPPORTED"} role_type = event.get("type") if role_type != "iam": return {"result": "UNSUPPORTED"} stack_name = event.get("stack_name") account_id = event.get("account_id") region = event.get("region") roles = validate_yaml(event.get("roles")) if not roles: return {"result": "NON_COMPLIANT"} all_findings = [] for role_dict in roles: role = Role(role_dict, region, account_id) analyzed_polices = role.analyze_policies() role_findings = [] for analyzed_policy in analyzed_polices: role_findings.extend(analyzed_policy.findings) if not role_findings: findings = simulate_policies(account_id, analyzed_polices) role_findings.extend(findings) all_findings.extend(role_findings) if all_findings: for finding in all_findings: LOGGER.error(str(finding)) return {"result": "NON_COMPLIANT"} output = { "result": "COMPLIANT", "roles": roles, "account_id": account_id, "region": region, "stack_name": stack_name, } return output