def _validate_type_and_size_allowed(instance_type, volume_size):
    """Halt unless the IAM user may launch an instance of this type and size.

    Each check simulates ec2:RunInstances through validate_perms.blocked,
    narrowed by a condition-key context: the instance type against instance
    resources, then the volume size against volume resources. A non-empty
    result means the simulated action is denied and the script halts with a
    message naming the offending value.

    Args:
        instance_type (str): EC2 instance type the user wants to launch.
        volume_size: Root volume size in GiB, passed unchanged as the
            ec2:VolumeSize condition value.
    """
    type_denied = validate_perms.blocked(
        actions=["ec2:RunInstances"],
        resources=["arn:aws:ec2:*:*:instance/*"],
        context={'ec2:InstanceType': [instance_type]})
    if type_denied:
        halt.err(f"Instance type {instance_type} not permitted.")

    size_denied = validate_perms.blocked(
        actions=["ec2:RunInstances"],
        resources=["arn:aws:ec2:*:*:volume/*"],
        context={'ec2:VolumeSize': [volume_size]})
    if size_denied:
        halt.err(f"Volume size {volume_size}GiB is too large.")
def blocked_actions(self, _):
    """Return the IAM actions this command needs that the user is denied.

    The command argument is ignored; the action set is fixed. Listing users
    and keys plus creating/deleting access keys are needed together, since
    the command presumably rotates a user's access key — confirm against the
    command body.
    """
    needed_actions = [
        "iam:ListUsers",
        "iam:ListAccessKeys",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
    ]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, _):
    """Return the IAM actions this command needs that the user is denied.

    The command argument is ignored. The set covers every step of removing
    an IAM user: enumerating and deleting its access keys, detaching it from
    groups and managed policies, and finally iam:DeleteUser. Because several
    of these are destructive, checking them up front lets the caller refuse
    before a partial teardown starts.
    """
    key_actions = [
        "iam:ListUsers",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey",
    ]
    membership_actions = [
        "iam:ListGroupsForUser",
        "iam:RemoveUserFromGroup",
        "iam:ListAttachedUserPolicies",
        "iam:DetachUserPolicy",
    ]
    needed_actions = key_actions + membership_actions + ["iam:DeleteUser"]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, cmd_args):
    """Return the EC2 actions this command needs that the user is denied.

    Always requires describing instances/addresses and releasing an address.
    When cmd_args.force is exactly True, ec2:DisassociateAddress is required
    as well, since a forced release presumably detaches the address from its
    instance first.

    Args:
        cmd_args: Parsed command arguments; only the `force` attribute is read.
    """
    needed_actions = [
        "ec2:DescribeInstances",
        "ec2:DescribeAddresses",
        "ec2:ReleaseAddress",
    ]
    # Identity check kept on purpose: only a literal True enables the extra action.
    force_actions = ["ec2:DisassociateAddress"] if cmd_args.force is True else []
    return validate_perms.blocked(actions=needed_actions + force_actions)
def blocked_actions(self, _):
    """Return the IAM actions this command needs that the user is denied.

    The command argument is ignored. The set allows moving a user between
    groups: listing users and groups, reading current membership, and both
    removing from and adding to a group.
    """
    needed_actions = [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup",
    ]
    return validate_perms.blocked(actions=needed_actions)
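def _validate_user(config_dict):
    """Validate the config's IAM user access key and the script's baseline permissions.

    Stores the access key in consts.KEY_ID / consts.KEY_SECRET, confirms the
    key works with iam:GetUser, records the user's ARN and name in consts
    (the ARN is what iam:SimulatePrincipalPolicy needs), then checks that
    iam:SimulatePrincipalPolicy, iam:GetAccessKeyLastUsed and
    ec2:DescribeRegions are permitted. Every failure is reported through
    halt.err / halt.assert_empty rather than raised.

    Args:
        config_dict (dict): Must contain 'access_key', a dict mapping the
            access key ID (str) to its secret access key (str); the first
            entry is used.
    """
    access_key = config_dict.get('access_key')
    # Guard before next(iter(...)): a missing or empty mapping would otherwise
    # surface as a bare StopIteration/KeyError instead of a usable message.
    if not access_key:
        halt.err("Config does not contain an IAM user access key.")
    consts.KEY_ID = next(iter(access_key))
    consts.KEY_SECRET = access_key[consts.KEY_ID]

    # The key must be proven usable before validate_perms can be called,
    # since its policy simulation authenticates with this same key.
    try:
        iam_user = aws.iam_client().get_user()['User']
    except ClientError as e:
        # TODO: Use client exceptions instead once they're documented
        error_code = e.response['Error']['Code']
        if error_code == "InvalidClientTokenId":
            halt.err("Access key ID is invalid.")
        elif error_code == "SignatureDoesNotMatch":
            halt.err("Access key ID is valid, but its secret is invalid.")
        elif error_code == "AccessDenied":
            halt.assert_empty(["iam:GetUser"])
        # Any other error code is reported verbatim.
        halt.err(str(e))

    # iam:SimulatePrincipalPolicy requires the principal's ARN.
    consts.IAM_ARN = iam_user['Arn']
    consts.IAM_NAME = iam_user['UserName']

    # A simulation of a known-permitted action (iam:GetUser succeeded above)
    # tells us whether the user may call iam:SimulatePrincipalPolicy at all.
    try:
        validate_perms.blocked(actions=["iam:GetUser"])
    except ClientError as e:
        if e.response['Error']['Code'] == "AccessDenied":
            halt.assert_empty(["iam:SimulatePrincipalPolicy"])
        halt.err(str(e))

    # Remaining baseline permissions every invocation of the script relies on.
    halt.assert_empty(
        validate_perms.blocked(
            actions=["iam:GetAccessKeyLastUsed", "ec2:DescribeRegions"]))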
def blocked_actions(self, cmd_args):
    """Return the EC2 actions this launch command needs that the user is denied.

    The base set describes the account's instances, VPC networking, security
    groups, key pairs and images, and tags resources. Address actions are
    added when cmd_args.elastic_ip is exactly True (allocate + associate) or
    cmd_args.use_ip is given (associate only), and ec2:DisassociateAddress
    when cmd_args.force is exactly True. Finally a RunInstances simulation
    against instance resources with a "t2.nano" instance-type context is
    appended as a launch probe; the instance type actually requested is
    presumably validated separately — confirm against the caller.

    Args:
        cmd_args: Parsed command arguments; reads `elastic_ip`, `use_ip`
            and `force`.
    """
    base_actions = [
        "ec2:DescribeInstances",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:CreateTags",
    ]

    address_actions = []
    if cmd_args.elastic_ip is True:
        address_actions = [
            "ec2:DescribeAddresses",
            "ec2:AllocateAddress",
            "ec2:AssociateAddress",
        ]
    elif cmd_args.use_ip is not None:
        address_actions = ["ec2:DescribeAddresses", "ec2:AssociateAddress"]

    force_actions = ["ec2:DisassociateAddress"] if cmd_args.force is True else []

    needed_actions = base_actions + address_actions + force_actions
    denied_actions = validate_perms.blocked(actions=needed_actions)

    launch_probe = validate_perms.blocked(
        actions=["ec2:RunInstances"],
        resources=["arn:aws:ec2:*:*:instance/*"],
        context={'ec2:InstanceType': ["t2.nano"]})
    denied_actions.extend(launch_probe)
    return denied_actions
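def blocked_actions(cls, sub_command: str) -> List[str]:
    """Check whether the IAM user is allowed to perform actions on the component.

    Subclasses override this to fill in the class-level action lists and then
    defer to this implementation:

        @classmethod
        def blocked_actions(cls, sub_command):
            cls.describe_actions = []
            cls.upload_actions = []
            cls.delete_actions = []
            return super().blocked_actions(sub_command)

    Args:
        sub_command: "upload" or "delete" adds that sub-command's actions to
            the describe actions; any other value checks describe actions only.

    Returns:
        Whatever validate_perms.blocked reports for the needed actions.
    """
    # Copy instead of aliasing cls.describe_actions: extending the class
    # attribute in place would accumulate upload/delete actions into it and
    # leak them into every later call.
    needed_actions = list(cls.describe_actions)
    if sub_command == "upload":
        needed_actions.extend(cls.upload_actions)
    elif sub_command == "delete":
        needed_actions.extend(cls.delete_actions)
    return validate_perms.blocked(actions=needed_actions)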
def blocked_actions(self, _):
    """Return the EC2 actions this command needs that the user is denied.

    The command argument is ignored. Describing instances and addresses plus
    disassociating an address are required together.
    """
    needed_actions = [
        "ec2:DescribeInstances",
        "ec2:DescribeAddresses",
        "ec2:DisassociateAddress",
    ]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, _):
    """Return the EC2 actions this command needs that the user is denied.

    The command argument is ignored. Allocating a new address and tagging it
    are required alongside the describe calls.
    """
    needed_actions = [
        "ec2:DescribeInstances",
        "ec2:DescribeAddresses",
        "ec2:AllocateAddress",
        "ec2:CreateTags",
    ]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, _):
    """Return the IAM actions this command needs that the user is denied.

    The command argument is ignored; only iam:GetAccessKeyLastUsed is needed.
    """
    needed_actions = ["iam:GetAccessKeyLastUsed"]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, _):
    """Return the IAM actions this command needs that the user is denied.

    The command argument is ignored. Both actions are read-only: listing
    groups and reading a single group's details.
    """
    needed_actions = ["iam:ListGroups", "iam:GetGroup"]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, _):
    """Return the IAM actions this command needs that the user is denied.

    The command argument is ignored. The set covers provisioning a new IAM
    user: listing groups, creating the user, adding it to a group and
    issuing it an access key. iam:CreateUser and iam:CreateAccessKey grant
    the ability to mint new credentials, so denying them here blocks the
    whole command rather than leaving a half-created user.
    """
    needed_actions = [
        "iam:ListGroups",
        "iam:CreateUser",
        "iam:AddUserToGroup",
        "iam:CreateAccessKey",
    ]
    return validate_perms.blocked(actions=needed_actions)
def blocked_actions(self, _):
    """Return the EC2 actions this command needs that the user is denied.

    The command argument is ignored; only the read-only
    ec2:DescribeInstances is needed.
    """
    needed_actions = ["ec2:DescribeInstances"]
    return validate_perms.blocked(actions=needed_actions)