def test_policy_name_finding(self):
"""output.new_findings.PolicyFinding"""
test_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
}
]
}
policy_document = PolicyDocument(test_policy)
exclusions_cfg = dict(
users=["obama"],
groups=["admin"],
roles=["MyRole"],
policies=["AWSLambdaFullAccess"]
)
exclusions = Exclusions(exclusions_cfg)
# (1) If the policy attached is excluded
policy_finding = PolicyFinding(
policy_name="AWSLambdaFullAccess",
arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess", # Obama is excluded
actions=["s3:GetObject"],
policy_document=policy_document,
exclusions=exclusions
)
result = policy_finding.is_excluded(exclusions)
expected_result = ["AWSLambdaFullAccess"]
self.assertListEqual(result, expected_result)
# (2) Non-exclusion
exclusions_cfg = dict(
users=["obama"],
groups=["admin"],
roles=["MyRole"],
policies=["someOtherName"]
)
exclusions = Exclusions(exclusions_cfg)
result = policy_finding.is_excluded(exclusions)
expected_result = False
self.assertEqual(result, expected_result)
def scan_policy_details(self,
exclusions=DEFAULT_EXCLUSIONS,
modify_only=True):
"""Scan the ManagedPolicyDetails block of the account authorization details output."""
if not isinstance(exclusions, Exclusions):
raise Exception(
"The provided exclusions is not the Exclusions object type. "
"Please use the Exclusions object.")
for policy in self.policies.policy_details:
print(f"Scanning policy: {policy.policy_name}")
actions_missing_resource_constraints = []
if exclusions.is_policy_excluded(
policy.policy_name) or exclusions.is_policy_excluded(
policy.full_policy_path):
print(f"\tExcluded policy name: {policy.policy_name}")
else:
for statement in policy.policy_document.statements:
if modify_only:
if statement.effect == "Allow":
actions_missing_resource_constraints.extend(
statement.
missing_resource_constraints_for_modify_actions(
exclusions))
else:
if statement.effect == "Allow":
actions_missing_resource_constraints.extend(
statement.missing_resource_constraints(
exclusions))
if actions_missing_resource_constraints:
actions_missing_resource_constraints = list(
dict.fromkeys(actions_missing_resource_constraints)
) # remove duplicates
actions_missing_resource_constraints.sort()
policy_finding = PolicyFinding(
policy_name=policy.policy_name,
arn=policy.arn,
actions=actions_missing_resource_constraints,
policy_document=policy.policy_document,
exclusions=exclusions,
)
self.findings.add_policy_finding(policy_finding)
def scan_policy(policy_json, policy_name, exclusions=DEFAULT_EXCLUSIONS):
"""
Scan a policy document for missing resource constraints.
:param exclusions: Exclusions object
:param policy_json: The AWS IAM policy document.
:param policy_name: The name of the IAM policy. Defaults to the filename when used from command line.
:return:
"""
actions_missing_resource_constraints = []
policy_document = PolicyDocument(policy_json)
findings = Findings(exclusions)
for statement in policy_document.statements:
logger.debug("Evaluating statement: %s", statement.json)
if statement.effect == "Allow":
actions_missing_resource_constraints.extend(
statement.missing_resource_constraints_for_modify_actions(
exclusions))
if actions_missing_resource_constraints:
these_results = list(
dict.fromkeys(
actions_missing_resource_constraints)) # remove duplicates
these_results.sort()
finding = PolicyFinding(
policy_name=policy_name,
arn=policy_name,
actions=these_results,
policy_document=policy_document,
exclusions=exclusions,
)
findings.add_policy_finding(finding)
findings.single_use = True
return finding.json
else:
return {}
def test_new_findings(self):
"""output.new_findings.Findings"""
self.maxDiff = None
test_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
}
policy_document = PolicyDocument(test_policy)
# (1) If the user is a member of an excluded group, return True
exclusions_cfg = dict(users=["obama"],
groups=["exclude-group"],
roles=["MyRole"],
policies=["exclude-policy"])
exclusions = Exclusions(exclusions_cfg)
attached_managed_policies = [{
"PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
"PolicyName": "AWSLambdaFullAccess"
}]
# Let's just re-use the same policy for users groups and roles
user_finding = UserFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:user/SomeUser",
actions=["s3:GetObject"],
policy_document=policy_document,
group_membership=["admin"],
attached_managed_policies=attached_managed_policies,
exclusions=exclusions)
group_finding = GroupFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/SomeGroup",
actions=["s3:GetObject"],
policy_document=policy_document,
members=["obama"],
exclusions=exclusions)
trust_policy_from_compute_service_ecs_tasks = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root",
}
}]
}
assume_role_policy_document = AssumeRolePolicyDocument(
trust_policy_from_compute_service_ecs_tasks)
role_finding = RoleFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:role/SomeRole",
actions=["s3:GetObject"],
policy_document=policy_document,
assume_role_policy_document=assume_role_policy_document,
exclusions=exclusions)
policy_finding = PolicyFinding(
policy_name="AWSLambdaFullAccess",
arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess",
actions=["s3:GetObject"],
policy_document=policy_document,
exclusions=exclusions)
all_findings = Findings(exclusions)
all_findings.add_user_finding(user_finding)
result = all_findings.users[0]
expected_user_result = {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeUser",
"PolicyName": "MyPolicy",
"Type": "User",
"Arn": "arn:aws:iam::123456789012:user/SomeUser",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}
self.assertDictEqual(result.json, expected_user_result)
principal_policy_mapping = [
{
"Principal": "SomeUser",
"Type": "User",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
{
"Principal": "SomeUser",
"Type": "User",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "AWSLambdaFullAccess",
"GroupMembership": None,
},
{
"Principal": "SomeGroup",
"Type": "Group",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
{
"Principal": "SomeRole",
"Type": "Role",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
]
all_findings.principal_policy_mapping = principal_policy_mapping
all_findings.add_group_finding(group_finding)
all_findings.add_role_finding(role_finding)
all_findings.add_policy_finding(policy_finding)
print(len(all_findings))
self.assertEqual(len(all_findings), 4)
results = all_findings.json
expected_results = [{
"AccountID": "N/A",
"ManagedBy": "AWS",
"Name": "AWSLambdaFullAccess",
"PolicyName": "AWSLambdaFullAccess",
"Type": "Policy",
"Arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeUser",
"PolicyName": "MyPolicy",
"Type": "User",
"Arn": "arn:aws:iam::123456789012:user/SomeUser",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeGroup",
"PolicyName": "MyPolicy",
"Type": "Group",
"Arn": "arn:aws:iam::123456789012:group/SomeGroup",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeRole",
"PolicyName": "MyPolicy",
"Type": "Role",
"Arn": "arn:aws:iam::123456789012:role/SomeRole",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root"
}
}]
},
"AssumableByComputeService": ["ecs-tasks"],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}]
# print(json.dumps(all_findings.json, indent=4))
self.assertListEqual(results, expected_results)