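def test_get_actions_for_service(self):
    """querying.actions.get_actions_for_service

    Every expected ``ram`` action must appear in the list returned for the
    ``ram`` service prefix. Extra actions in the result are tolerated, so the
    test keeps passing when the service grows.
    """
    expected_results = [
        "ram:AcceptResourceShareInvitation",
        "ram:AssociateResourceShare",
        "ram:AssociateResourceSharePermission",
        "ram:CreateResourceShare",
        "ram:DeleteResourceShare",
        "ram:DisassociateResourceShare",
        "ram:DisassociateResourceSharePermission",
        "ram:EnableSharingWithAwsOrganization",
        "ram:GetPermission",
        "ram:GetResourcePolicies",
        "ram:GetResourceShareAssociations",
        "ram:GetResourceShareInvitations",
        "ram:GetResourceShares",
        "ram:ListPendingInvitationResources",
        "ram:ListPermissions",
        "ram:ListPrincipals",
        "ram:ListResourceSharePermissions",
        "ram:ListResources",
        "ram:RejectResourceShareInvitation",
        "ram:TagResource",
        "ram:UntagResource",
        "ram:UpdateResourceShare",
    ]
    results = get_actions_for_service("ram")
    self.maxDiff = None
    for expected_result in expected_results:
        # assertIn names the missing action and the haystack on failure;
        # the bare assertTrue(x in y) form only reports "False is not true".
        # subTest keeps going so every missing action is reported at once.
        with self.subTest(action=expected_result):
            self.assertIn(expected_result, results)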
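def test_services_with_multiple_pages_elb(self):
    """Ensure that elb v1 and elb v2 actions are both present in the elasticloadbalancing namespace

    The ``elasticloadbalancing`` prefix is documented on more than one
    Service Authorization Reference page; every action below must be
    present in the merged result for that prefix.
    """
    results = get_actions_for_service("elasticloadbalancing")
    actions = [
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateAppCookieStickinessPolicy",
        "elasticloadbalancing:CreateLBCookieStickinessPolicy",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "elasticloadbalancing:DeleteLoadBalancerPolicy",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
        "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
    ]
    for action in actions:
        # assertIn gives a useful failure message; subTest reports every
        # missing action instead of stopping at the first.
        with self.subTest(action=action):
            self.assertIn(action, results)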
def test_get_actions_for_service(self):
    """querying.actions.get_actions_for_service

    The ``ram`` service must return exactly this (lower-cased) action list,
    in this order.
    """
    expected = [
        f"ram:{suffix}"
        for suffix in (
            "acceptresourceshareinvitation",
            "associateresourceshare",
            "associateresourcesharepermission",
            "createresourceshare",
            "deleteresourceshare",
            "disassociateresourceshare",
            "disassociateresourcesharepermission",
            "enablesharingwithawsorganization",
            "getpermission",
            "getresourcepolicies",
            "getresourceshareassociations",
            "getresourceshareinvitations",
            "getresourceshares",
            "listpendinginvitationresources",
            "listpermissions",
            "listprincipals",
            "listresourcesharepermissions",
            "listresources",
            "rejectresourceshareinvitation",
            "tagresource",
            "untagresource",
            "updateresourceshare",
        )
    ]
    actual = get_actions_for_service(db_session, "ram")
    # Show the whole list diff on failure rather than a truncated one.
    self.maxDiff = None
    self.assertListEqual(expected, actual)
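def test_get_actions_for_service(self):
    """querying.actions.get_actions_for_service

    The ``ram`` service must return exactly this action list, in this order.
    """
    desired_output = [
        "ram:AcceptResourceShareInvitation",
        "ram:AssociateResourceShare",
        "ram:AssociateResourceSharePermission",
        "ram:CreateResourceShare",
        "ram:DeleteResourceShare",
        "ram:DisassociateResourceShare",
        "ram:DisassociateResourceSharePermission",
        "ram:EnableSharingWithAwsOrganization",
        "ram:GetPermission",
        "ram:GetResourcePolicies",
        "ram:GetResourceShareAssociations",
        "ram:GetResourceShareInvitations",
        "ram:GetResourceShares",
        "ram:ListPendingInvitationResources",
        "ram:ListPermissions",
        "ram:ListPrincipals",
        "ram:ListResourceSharePermissions",
        "ram:ListResources",
        "ram:RejectResourceShareInvitation",
        "ram:TagResource",
        "ram:UntagResource",
        "ram:UpdateResourceShare",
    ]
    output = get_actions_for_service("ram")
    # Show the whole list diff on failure rather than a truncated one.
    self.maxDiff = None
    self.assertListEqual(desired_output, output)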
def example():
    """Demonstrate two query helpers that need no database session argument.

    Prints the action list for ``cloud9`` and then the ``s3`` actions at the
    "Permissions management" access level.
    """
    print("connected to db")
    cloud9_actions = get_actions_for_service("cloud9")
    print(cloud9_actions)
    s3_permissions_mgmt = get_actions_with_access_level("s3", "Permissions management")
    print(s3_permissions_mgmt)
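def test_gh_226_elasticloadbalancing_v1_and_v2(self):
    """Test that elasticloadbalancing combines v1 and v2

    Both sample actions must be present in the merged result for the
    ``elasticloadbalancing`` prefix.
    """
    results = get_actions_for_service("elasticloadbalancing")
    # NOTE(review): the variable names look swapped or inaccurate —
    # CreateTargetGroup is a target-group (ELBv2) API, so it is unlikely to
    # be "v1 only". Confirm both samples against the SAR pages for elb v1
    # and v2 so this test really exercises both pages.
    lb_v1_only_action = "elasticloadbalancing:CreateTargetGroup"
    lb_v2_only_action = "elasticloadbalancing:SetSecurityGroups"
    self.assertIn(lb_v1_only_action, results)
    self.assertIn(lb_v2_only_action, results)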
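def test_services_with_multiple_pages_kinesis_analytics(self):
    """Ensure that Kinesis Analytics V1 actions are present in the kinesisanalytics namespace

    The list mixes an action that only exists in V1 with one shared by V1
    and V2, so a result built from the V2 page alone fails.
    """
    # Kinesis Analytics V1
    results = get_actions_for_service("kinesisanalytics")
    actions = [
        "kinesisanalytics:GetApplicationState",  # Only in v1, not v2
        "kinesisanalytics:ListApplications",  # In both
    ]
    for action in actions:
        # assertIn reports which action is missing; subTest reports all of them.
        with self.subTest(action=action):
            self.assertIn(action, results)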
def action_table(name, service, access_level, condition, wildcard_only):
    """Query the Action Table from the Policy Sentry database

    Opens the database at DATABASE_FILE_PATH and prints one of several
    views of the action table, chosen by the first matching combination of
    arguments (the checks are ordered, so earlier ones win):

    * ``service == "all"``: every action at ``access_level`` across all
      services, or every service prefix when no level is given.
    * no ``name`` but an ``access_level``: that service's actions at that
      level, as JSON.
    * ``condition``: actions supporting that condition key, as JSON.
    * ``wildcard_only``: actions that only accept ``*`` resources, as JSON.
    * ``name`` without an ``access_level``: the single action's data, as JSON.
    * otherwise: every action of the service, one per line.

    Nothing is returned; all output goes to stdout.
    """
    session = connect_db(DATABASE_FILE_PATH)

    if service == "all":
        prefixes = get_all_service_prefixes(session)
        if not access_level:
            # Get a list of all services in the database
            print("All services in the database:\n")
            for prefix in prefixes:
                print(prefix)
            return
        level = transform_access_level_text(access_level)
        print(f"{access_level} actions across ALL services:\n")
        matched = []
        for prefix in prefixes:
            matched.extend(get_actions_with_access_level(session, prefix, level))
        for entry in matched:
            print(entry)
        return

    if name is None and access_level:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        matched = get_actions_with_access_level(session, service, level)
        print(json.dumps(matched, indent=4))
        return

    # Get a list of all IAM actions under the service that support the
    # specified condition key.
    if condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        matched = get_actions_matching_condition_key(session, service, condition)
        print(json.dumps(matched, indent=4))
        return

    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    if wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        matched = get_actions_that_support_wildcard_arns_only(session, service)
        print(json.dumps(matched, indent=4))
        return

    if name and access_level is None:
        matched = get_action_data(session, service, name)
        print(json.dumps(matched, indent=4))
        return

    # Get a list of all IAM Actions available to the service
    print(f"All IAM actions available to {service}:")
    every_action = get_actions_for_service(session, service)
    print(f"ALL {service} actions:")
    for entry in every_action:
        print(entry)
def example():
    """Open the bundled database and run two sample queries against it.

    ``connect_db('bundled')`` is the important line: passing ``'bundled'``
    selects the definition shipped inside the package. The resulting session
    is then handed to every query helper.
    """
    session = connect_db("bundled")
    print("connected to db")
    cloud9_actions = get_actions_for_service(session, "cloud9")
    print(cloud9_actions)
    s3_permissions_mgmt = get_actions_with_access_level(session, "s3", "Permissions management")
    print(s3_permissions_mgmt)
def test_get_actions_for_service(self):
    """test_get_actions_for_service: Tests function that gets a list of actions per AWS service.

    The ``ram`` service must return exactly this (lower-cased) action list,
    in this order.
    """
    expected = [
        f"ram:{suffix}"
        for suffix in (
            "acceptresourceshareinvitation",
            "associateresourceshare",
            "associateresourcesharepermission",
            "createresourceshare",
            "deleteresourceshare",
            "disassociateresourceshare",
            "disassociateresourcesharepermission",
            "enablesharingwithawsorganization",
            "getpermission",
            "getresourcepolicies",
            "getresourceshareassociations",
            "getresourceshareinvitations",
            "getresourceshares",
            "listpendinginvitationresources",
            "listpermissions",
            "listprincipals",
            "listresourcesharepermissions",
            "listresources",
            "rejectresourceshareinvitation",
            "tagresource",
            "untagresource",
            "updateresourceshare",
        )
    ]
    actual = get_actions_for_service(db_session, "ram")
    # Show the whole list diff on failure rather than a truncated one.
    self.maxDiff = None
    self.assertListEqual(expected, actual)
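def test_services_with_multiple_pages_lex(self):
    """Ensure that lex v1 and lex v2 actions are both present in the lex namespace

    One action from each SAR page is checked against ``self.all_actions``,
    then a larger V1 sample is checked against the per-service result.
    """
    # Lex V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html
    self.assertIn("lex:DeleteUtterances", self.all_actions)
    # Lex V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html
    self.assertIn("lex:ListBotLocales", self.all_actions)
    results = get_actions_for_service("lex")
    actions = [
        "lex:CreateIntentVersion",
        "lex:CreateSlotTypeVersion",
        "lex:DeleteBotChannelAssociation",
        "lex:DeleteIntentVersion",
        "lex:DeleteSlotTypeVersion",
        "lex:GetBot",
        "lex:GetBotAlias",
        "lex:GetBotAliases",
        "lex:GetBotChannelAssociation",
        "lex:GetBotChannelAssociations",
        "lex:GetBotVersions",
        "lex:GetBots",
        "lex:GetBuiltinIntent",
        "lex:GetBuiltinIntents",
        "lex:GetBuiltinSlotTypes",
        "lex:GetExport",
        "lex:GetImport",
        "lex:GetIntent",
        "lex:GetIntentVersions",
        "lex:GetIntents",
        "lex:GetMigration",
        "lex:GetMigrations",
        "lex:GetSlotType",
        "lex:GetSlotTypeVersions",
        "lex:GetSlotTypes",
        "lex:GetUtterancesView",
        "lex:PostContent",
        "lex:PostText",
        "lex:PutBot",
        "lex:PutBotAlias",
        "lex:PutIntent",
        "lex:PutSlotType",
        "lex:StartMigration",
    ]
    for action in actions:
        # assertIn gives a useful failure message; subTest reports every
        # missing action instead of stopping at the first.
        with self.subTest(action=action):
            self.assertIn(action, results)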
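def _print_query_output(output, fmt, *, one_per_line=False):
    """Print *output* as YAML when ``fmt == "yaml"``; otherwise as indented JSON, or one item per line."""
    if fmt == "yaml":
        print(yaml.dump(output))
    elif one_per_line:
        for item in output:
            print(item)
    else:
        print(json.dumps(output, indent=4))


def query_action_table(name, service, access_level, condition, wildcard_only, fmt="json"):
    """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    The view is chosen by the first matching combination of arguments (the
    checks are ordered, so earlier ones win):

    * ``service == "all"``: every action at ``access_level`` across all
      services, or every service prefix when no level is given.
    * no ``name``, an ``access_level``, no ``wildcard_only``: that service's
      actions at that level.
    * no ``name``, an ``access_level`` and ``wildcard_only``: actions at that
      level that must use ``*`` in the resources block.
    * ``condition``: actions supporting that condition key.
    * ``wildcard_only``: actions that only accept ``*`` resources.
    * ``name`` without an ``access_level``: the single action's data.
    * otherwise: every action of the service.

    Args:
        name: IAM action name, or None.
        service: service prefix, or ``"all"``.
        access_level: access level text (e.g. ``"Permissions management"``),
            or a falsy value.
        condition: condition key, or a falsy value.
        wildcard_only: restrict to wildcard-only actions.
        fmt: ``"yaml"`` for YAML output; anything else prints JSON (or one
            item per line for the list views).

    Returns:
        The queried data, which is also printed to stdout.
    """
    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
            _print_query_output(output, fmt, one_per_line=True)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            _print_query_output(output, fmt, one_per_line=True)
    elif name is None and access_level and not wildcard_only:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        _print_query_output(output, fmt)
    elif name is None and access_level and wildcard_only:
        print(
            f"{service} {access_level.upper()} actions that must use wildcards in the resources block:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_at_access_level_that_support_wildcard_arns_only(
            service, level
        )
        _print_query_output(output, fmt)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        _print_query_output(output, fmt)
    # Get a list of IAM Actions under the service that only support resources = "*"
    # (i.e., you cannot restrict it according to ARN)
    elif wildcard_only:
        print(
            f"IAM actions under {service} service that support wildcard resource values only:"
        )
        output = get_actions_that_support_wildcard_arns_only(service)
        _print_query_output(output, fmt)
    elif name and access_level is None:
        output = get_action_data(service, name)
        _print_query_output(output, fmt)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        _print_query_output(output, fmt, one_per_line=True)
    return output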
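#!/usr/bin/env python
"""Print every IAM action known for the ``cloud9`` service as a JSON list."""
import json

from policy_sentry.shared.database import connect_db
from policy_sentry.querying.actions import get_actions_for_service

if __name__ == '__main__':
    # 'bundled' selects the IAM definition shipped inside the package.
    db_session = connect_db('bundled')
    output = get_actions_for_service(db_session, 'cloud9')
    print(json.dumps(output, indent=4))

# Sample output (shape only).
# NOTE(review): these entries are ``ram`` actions, but the query above is
# for ``cloud9`` — the sample is stale; regenerate it before relying on it.
# [
#     'ram:acceptresourceshareinvitation',
#     'ram:associateresourceshare',
#     'ram:createresourceshare',
#     'ram:deleteresourceshare',
#     'ram:disassociateresourceshare',
#     'ram:enablesharingwithawsorganization',
#     'ram:rejectresourceshareinvitation',
#     'ram:updateresourceshare'
# ]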
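def test_services_with_multiple_pages_ses(self):
    """Ensure that ses v1 and ses v2 actions are both present in the ses namespace

    One action from each SAR page is checked against ``self.all_actions``,
    then a larger V1 sample is checked against the per-service result.
    """
    # SES V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html
    self.assertIn("ses:PutIdentityPolicy", self.all_actions)
    # SES V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html
    self.assertIn("ses:ListImportJobs", self.all_actions)
    results = get_actions_for_service("ses")
    actions = [
        "ses:CloneReceiptRuleSet",
        "ses:CreateConfigurationSetTrackingOptions",
        "ses:CreateReceiptFilter",
        "ses:CreateReceiptRule",
        "ses:CreateReceiptRuleSet",
        "ses:CreateTemplate",
        "ses:DeleteConfigurationSetTrackingOptions",
        "ses:DeleteIdentity",
        "ses:DeleteIdentityPolicy",
        "ses:DeleteReceiptFilter",
        "ses:DeleteReceiptRule",
        "ses:DeleteReceiptRuleSet",
        "ses:DeleteTemplate",
        "ses:DeleteVerifiedEmailAddress",
        "ses:DescribeActiveReceiptRuleSet",
        "ses:DescribeConfigurationSet",
        "ses:DescribeReceiptRule",
        "ses:DescribeReceiptRuleSet",
        "ses:GetAccountSendingEnabled",
        "ses:GetIdentityDkimAttributes",
        "ses:GetIdentityMailFromDomainAttributes",
        "ses:GetIdentityNotificationAttributes",
        "ses:GetIdentityPolicies",
        "ses:GetIdentityVerificationAttributes",
        "ses:GetSendQuota",
        "ses:GetSendStatistics",
        "ses:GetTemplate",
        "ses:ListIdentities",
        "ses:ListIdentityPolicies",
        "ses:ListReceiptFilters",
        "ses:ListReceiptRuleSets",
        "ses:ListTemplates",
        "ses:ListVerifiedEmailAddresses",
        "ses:PutIdentityPolicy",
        "ses:ReorderReceiptRuleSet",
        "ses:SendBounce",
        "ses:SendBulkTemplatedEmail",
        "ses:SendRawEmail",
        "ses:SendTemplatedEmail",
        "ses:SetActiveReceiptRuleSet",
        "ses:SetIdentityDkimEnabled",
        "ses:SetIdentityFeedbackForwardingEnabled",
        "ses:SetIdentityHeadersInNotificationsEnabled",
        "ses:SetIdentityMailFromDomain",
        "ses:SetIdentityNotificationTopic",
        "ses:SetReceiptRulePosition",
        "ses:TestRenderTemplate",
        "ses:UpdateAccountSendingEnabled",
        "ses:UpdateConfigurationSetReputationMetricsEnabled",
        "ses:UpdateConfigurationSetSendingEnabled",
        "ses:UpdateConfigurationSetTrackingOptions",
        "ses:UpdateReceiptRule",
        "ses:UpdateTemplate",
        "ses:VerifyDomainDkim",
        "ses:VerifyDomainIdentity",
        "ses:VerifyEmailAddress",
        "ses:VerifyEmailIdentity",
    ]
    for action in actions:
        # assertIn gives a useful failure message; subTest reports every
        # missing action instead of stopping at the first.
        with self.subTest(action=action):
            self.assertIn(action, results)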
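#!/usr/bin/env python
"""Print every IAM action known for the ``cloud9`` service as a JSON list."""
import json

from policy_sentry.querying.actions import get_actions_for_service

if __name__ == '__main__':
    output = get_actions_for_service('cloud9')
    print(json.dumps(output, indent=4))

# Sample output (shape only).
# NOTE(review): these entries are ``ram`` actions, but the query above is
# for ``cloud9`` — the sample is stale; regenerate it before relying on it.
# [
#     'ram:acceptresourceshareinvitation',
#     'ram:associateresourceshare',
#     'ram:createresourceshare',
#     'ram:deleteresourceshare',
#     'ram:disassociateresourceshare',
#     'ram:enablesharingwithawsorganization',
#     'ram:rejectresourceshareinvitation',
#     'ram:updateresourceshare'
# ]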
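def test_services_with_multiple_pages_aws_marketplace(self):
    """Ensure that aws-marketplace actions from all the different aws-marketplace SAR pages are present in the IAM definition.

    One action from each SAR page is checked against ``self.all_actions``,
    then a combined sample is checked against the per-service result.
    """
    # Overlap: AWS Marketplace, Marketplace Catalog, and AWS Marketplace Entitlement service, AWS Marketplace Image Building Service, AWS Marketplace Metering Service, AWS Marketplace Private Marketplace, and AWS Marketplace Procurement Systems
    # AWS Marketplace: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html
    self.assertIn("aws-marketplace:AcceptAgreementApprovalRequest", self.all_actions)
    # AWS Marketplace Catalog: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecatalog.html
    self.assertIn("aws-marketplace:CancelChangeSet", self.all_actions)
    # AWS Marketplace Entitlement Service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceentitlementservice.html
    self.assertIn("aws-marketplace:GetEntitlements", self.all_actions)
    # AWS Marketplace Image Building Service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceimagebuildingservice.html
    self.assertIn("aws-marketplace:DescribeBuilds", self.all_actions)
    # AWS Marketplace Metering Service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacemeteringservice.html
    self.assertIn("aws-marketplace:BatchMeterUsage", self.all_actions)
    # AWS Marketplace Private Marketplace: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceprivatemarketplace.html
    self.assertIn(
        "aws-marketplace:AssociateProductsWithPrivateMarketplace", self.all_actions
    )
    # AWS Marketplace Procurement Systems: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplaceprocurementsystemsintegration.html
    self.assertIn(
        "aws-marketplace:DescribeProcurementSystemConfiguration", self.all_actions
    )
    results = get_actions_for_service("aws-marketplace")
    actions = [
        "aws-marketplace:AcceptAgreementApprovalRequest",
        "aws-marketplace:BatchMeterUsage",
        "aws-marketplace:CancelAgreementRequest",
        "aws-marketplace:CancelChangeSet",
        "aws-marketplace:CompleteTask",
        "aws-marketplace:DescribeAgreement",
        "aws-marketplace:DescribeBuilds",
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:DescribeProcurementSystemConfiguration",
        "aws-marketplace:DescribeTask",
        "aws-marketplace:GetAgreementApprovalRequest",
        "aws-marketplace:GetAgreementRequest",
        "aws-marketplace:GetAgreementTerms",
        "aws-marketplace:GetEntitlements",
        "aws-marketplace:ListAgreementApprovalRequests",
        "aws-marketplace:ListAgreementRequests",
        "aws-marketplace:ListBuilds",
        "aws-marketplace:ListChangeSets",
        "aws-marketplace:ListEntities",
        "aws-marketplace:ListTasks",
        "aws-marketplace:MeterUsage",
        "aws-marketplace:PutProcurementSystemConfiguration",
        "aws-marketplace:RegisterUsage",
        "aws-marketplace:RejectAgreementApprovalRequest",
        "aws-marketplace:ResolveCustomer",
        "aws-marketplace:SearchAgreements",
        "aws-marketplace:StartBuild",
        "aws-marketplace:StartChangeSet",
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:UpdateAgreementApprovalRequest",
        "aws-marketplace:UpdateTask",
        "aws-marketplace:ViewSubscriptions",
    ]
    for action in actions:
        # assertIn gives a useful failure message; subTest reports every
        # missing action instead of stopping at the first.
        with self.subTest(action=action):
            self.assertIn(action, results)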
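def test_other_iam_data_fixes_in_GH_393(self):
    """Other missing actions from GH #393

    Each service below had actions missing from the IAM definition; every
    listed action must now be returned by ``get_actions_for_service``.
    Actions left commented out are deliberately excluded because they are
    not in the Service Authorization Reference (SAR).
    """

    def assert_actions_present(service, actions):
        # One query per service, one subTest per action, so every missing
        # action is reported rather than only the first.
        results = get_actions_for_service(service)
        for action in actions:
            with self.subTest(service=service, action=action):
                self.assertIn(action, results)

    # Cassandra: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkeyspacesforapachecassandra.html
    assert_actions_present("cassandra", ["cassandra:Restore"])

    # Comprehend Medical: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html
    assert_actions_present(
        "comprehendmedical",
        [
            "comprehendmedical:DescribeEntitiesDetectionV2Job",
            "comprehendmedical:DescribeICD10CMInferenceJob",
            "comprehendmedical:DescribePHIDetectionJob",
            "comprehendmedical:DescribeRxNormInferenceJob",
            # "comprehendmedical:DescribeSNOMEDCTInferenceJob",  # Not in SAR
            "comprehendmedical:DetectEntitiesV2",
            "comprehendmedical:InferICD10CM",
            "comprehendmedical:InferRxNorm",
            # "comprehendmedical:InferSNOMEDCT",  # Not in SAR
            "comprehendmedical:ListEntitiesDetectionV2Jobs",
            "comprehendmedical:ListICD10CMInferenceJobs",
            "comprehendmedical:ListPHIDetectionJobs",
            "comprehendmedical:ListRxNormInferenceJobs",
            # "comprehendmedical:ListSNOMEDCTInferenceJobs",  # Not in SAR
            "comprehendmedical:StartEntitiesDetectionV2Job",
            "comprehendmedical:StartICD10CMInferenceJob",
            "comprehendmedical:StartPHIDetectionJob",
            "comprehendmedical:StartRxNormInferenceJob",
            "comprehendmedical:StopEntitiesDetectionV2Job",
            "comprehendmedical:StopICD10CMInferenceJob",
        ],
    )

    # Compute Optimizer
    assert_actions_present(
        "compute-optimizer",
        [
            "compute-optimizer:DeleteRecommendationPreferences",
            "compute-optimizer:ExportEBSVolumeRecommendations",
            "compute-optimizer:ExportLambdaFunctionRecommendations",
            "compute-optimizer:GetEffectiveRecommendationPreferences",
            "compute-optimizer:GetEnrollmentStatusesForOrganization",
            "compute-optimizer:GetLambdaFunctionRecommendations",
            "compute-optimizer:GetRecommendationPreferences",
            "compute-optimizer:PutRecommendationPreferences",
        ],
    )

    # DataSync
    assert_actions_present(
        "datasync",
        [
            "datasync:UpdateLocationNfs",
            "datasync:UpdateLocationObjectStorage",
            "datasync:UpdateLocationSmb",
            "datasync:UpdateTaskExecution",
        ],
    )

    # Account Management
    assert_actions_present(
        "account",
        [
            "account:DeleteAlternateContact",
            "account:GetAlternateContact",
            "account:PutAlternateContact",
        ],
    )

    # AWS IAM Access Analyzer
    assert_actions_present(
        "access-analyzer",
        [
            "access-analyzer:CancelPolicyGeneration",
            "access-analyzer:CreateAccessPreview",
            "access-analyzer:GetAccessPreview",
            "access-analyzer:GetGeneratedPolicy",
            "access-analyzer:ListAccessPreviewFindings",
            "access-analyzer:ListAccessPreviews",
            "access-analyzer:ListPolicyGenerations",
            "access-analyzer:StartPolicyGeneration",
            "access-analyzer:ValidatePolicy",
        ],
    )

    # Elemental Activations
    assert_actions_present(
        "elemental-activations",
        [
            "elemental-activations:CompleteAccountRegistration",
            "elemental-activations:StartAccountRegistration",
        ],
    )

    # OpenSearch
    assert_actions_present("es", ["es:DescribeDomainChangeProgress"])

    # Location
    assert_actions_present("geo", ["geo:CalculateRouteMatrix"])

    # Amazon Managed Grafana
    assert_actions_present(
        "grafana",
        [
            "grafana:DescribeWorkspaceAuthentication",
            "grafana:UpdateWorkspaceAuthentication",
        ],
    )

    # EC2 Image Builder
    assert_actions_present("imagebuilder", ["imagebuilder:ImportVmImage"])

    # Timestream
    assert_actions_present(
        "timestream",
        [
            "timestream:CreateScheduledQuery",
            "timestream:DeleteScheduledQuery",
            "timestream:DescribeScheduledQuery",
            "timestream:ExecuteScheduledQuery",
            "timestream:ListScheduledQueries",
            "timestream:UpdateScheduledQuery",
        ],
    )

    # AWS Transfer Family
    assert_actions_present(
        "transfer",
        [
            "transfer:CreateAccess",
            "transfer:CreateWorkflow",
            "transfer:DeleteAccess",
            "transfer:DeleteWorkflow",
            "transfer:DescribeAccess",
            "transfer:DescribeExecution",
            "transfer:DescribeWorkflow",
            "transfer:ListAccesses",
            "transfer:ListExecutions",
            "transfer:ListWorkflows",
            "transfer:SendWorkflowStepState",
            "transfer:UpdateAccess",
        ],
    )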
def test_get_actions_for_invalid_service(self):
    """querying.actions.get_actions_for_service for invalid service

    An unknown service prefix yields an empty list rather than an error.
    """
    expected = []
    actions = get_actions_for_service("invalid_service")
    self.assertListEqual(expected, actions)
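def test_services_with_multiple_pages_greengrass(self):
    """Ensure that greengrass v1 and greengrass v2 actions are both present in the greengrass namespace

    One action from each SAR page is checked against ``self.all_actions``,
    then a larger V1 sample is checked against the per-service result.
    """
    # Greengrass V1: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrass.html
    self.assertIn("greengrass:CreateResourceDefinition", self.all_actions)
    # Greengrass V2: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrassv2.html
    self.assertIn("greengrass:CreateComponentVersion", self.all_actions)
    results = get_actions_for_service("greengrass")
    actions = [
        "greengrass:AssociateRoleToGroup",
        "greengrass:CreateConnectorDefinition",
        "greengrass:CreateConnectorDefinitionVersion",
        "greengrass:CreateCoreDefinition",
        "greengrass:CreateCoreDefinitionVersion",
        "greengrass:CreateDeviceDefinition",
        "greengrass:CreateDeviceDefinitionVersion",
        "greengrass:CreateFunctionDefinition",
        "greengrass:CreateFunctionDefinitionVersion",
        "greengrass:CreateGroup",
        "greengrass:CreateGroupCertificateAuthority",
        "greengrass:CreateGroupVersion",
        "greengrass:CreateLoggerDefinition",
        "greengrass:CreateLoggerDefinitionVersion",
        "greengrass:CreateResourceDefinition",
        "greengrass:CreateResourceDefinitionVersion",
        "greengrass:CreateSoftwareUpdateJob",
        "greengrass:CreateSubscriptionDefinition",
        "greengrass:CreateSubscriptionDefinitionVersion",
        "greengrass:DeleteConnectorDefinition",
        "greengrass:DeleteCoreDefinition",
        "greengrass:DeleteDeviceDefinition",
        "greengrass:DeleteFunctionDefinition",
        "greengrass:DeleteGroup",
        "greengrass:DeleteLoggerDefinition",
        "greengrass:DeleteResourceDefinition",
        "greengrass:DeleteSubscriptionDefinition",
        "greengrass:DisassociateRoleFromGroup",
        "greengrass:Discover",
        "greengrass:GetAssociatedRole",
        "greengrass:GetBulkDeploymentStatus",
        "greengrass:GetConnectorDefinition",
        "greengrass:GetConnectorDefinitionVersion",
        "greengrass:GetCoreDefinition",
        "greengrass:GetCoreDefinitionVersion",
        "greengrass:GetDeploymentStatus",
        "greengrass:GetDeviceDefinition",
        "greengrass:GetDeviceDefinitionVersion",
        "greengrass:GetFunctionDefinition",
        "greengrass:GetFunctionDefinitionVersion",
        "greengrass:GetGroup",
        "greengrass:GetGroupCertificateAuthority",
        "greengrass:GetGroupCertificateConfiguration",
        "greengrass:GetGroupVersion",
        "greengrass:GetLoggerDefinition",
        "greengrass:GetLoggerDefinitionVersion",
        "greengrass:GetResourceDefinition",
        "greengrass:GetResourceDefinitionVersion",
        "greengrass:GetSubscriptionDefinition",
        "greengrass:GetSubscriptionDefinitionVersion",
        "greengrass:GetThingRuntimeConfiguration",
        "greengrass:ListBulkDeploymentDetailedReports",
        "greengrass:ListBulkDeployments",
        "greengrass:ListConnectorDefinitionVersions",
        "greengrass:ListConnectorDefinitions",
        "greengrass:ListCoreDefinitionVersions",
        "greengrass:ListCoreDefinitions",
        "greengrass:ListDeviceDefinitionVersions",
        "greengrass:ListDeviceDefinitions",
        "greengrass:ListFunctionDefinitionVersions",
        "greengrass:ListFunctionDefinitions",
        "greengrass:ListGroupCertificateAuthorities",
        "greengrass:ListGroupVersions",
        "greengrass:ListGroups",
        "greengrass:ListLoggerDefinitionVersions",
        "greengrass:ListLoggerDefinitions",
        "greengrass:ListResourceDefinitionVersions",
        "greengrass:ListResourceDefinitions",
        "greengrass:ListSubscriptionDefinitionVersions",
        "greengrass:ListSubscriptionDefinitions",
        "greengrass:ResetDeployments",
        "greengrass:StartBulkDeployment",
        "greengrass:StopBulkDeployment",
        "greengrass:UpdateConnectorDefinition",
        "greengrass:UpdateCoreDefinition",
        "greengrass:UpdateDeviceDefinition",
        "greengrass:UpdateFunctionDefinition",
        "greengrass:UpdateGroup",
        "greengrass:UpdateGroupCertificateConfiguration",
        "greengrass:UpdateLoggerDefinition",
        "greengrass:UpdateResourceDefinition",
        "greengrass:UpdateSubscriptionDefinition",
        "greengrass:UpdateThingRuntimeConfiguration",
    ]
    for action in actions:
        # assertIn gives a useful failure message; subTest reports every
        # missing action instead of stopping at the first.
        with self.subTest(action=action):
            self.assertIn(action, results)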
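def _print_query_output(output, fmt, *, one_per_line=False):
    """Print *output* as YAML when ``fmt == "yaml"``; otherwise as indented JSON, or one item per line."""
    if fmt == "yaml":
        print(yaml.dump(output))
    elif one_per_line:
        for item in output:
            print(item)
    else:
        print(json.dumps(output, indent=4))


def query_action_table(name, service, access_level, condition, resource_type, fmt="json"):
    """Query the Action Table from the Policy Sentry database. Use this one when leveraging Policy Sentry as a library.

    The view is chosen by the first matching combination of arguments (the
    checks are ordered, so earlier ones win):

    * ``service == "all"``: every action at ``access_level`` across all
      services, or every service prefix when no level is given.
    * no ``name``, an ``access_level``, no ``resource_type``: that service's
      actions at that level.
    * no ``name``, an ``access_level`` and a ``resource_type``: actions at
      that level for that ARN type.
    * ``condition``: actions supporting that condition key.
    * ``resource_type``: actions for that ARN type.
    * ``name`` without an ``access_level``: the single action's data.
    * otherwise: every action of the service.

    Args:
        name: IAM action name, or None.
        service: service prefix, or ``"all"``.
        access_level: access level text (e.g. ``"Permissions management"``),
            or a falsy value.
        condition: condition key, or a falsy value.
        resource_type: ARN/resource type name, or a falsy value.
        fmt: ``"yaml"`` for YAML output; anything else prints JSON (or one
            item per line for the list views).

    Returns:
        The queried data, which is also printed to stdout.
    """
    # A local IAM definition under $HOME takes precedence over the bundled
    # one, so every result below (and any policy built from it) reflects
    # that file when it exists. Log which definition is in use so output
    # can be traced back to its source.
    if os.path.exists(LOCAL_DATASTORE_FILE_PATH):
        logger.info(
            "Using the Local IAM definition: %s. To leverage the bundled definition instead, remove the folder $HOME/.policy_sentry/",
            LOCAL_DATASTORE_FILE_PATH,
        )
    else:
        # Otherwise, leverage the datastore inside the python package
        logger.debug("Leveraging the bundled IAM Definition.")

    # Actions on all services
    if service == "all":
        all_services = get_all_service_prefixes()
        if access_level:
            level = transform_access_level_text(access_level)
            print(f"{access_level} actions across ALL services:\n")
            output = []
            for serv in all_services:
                output.extend(get_actions_with_access_level(serv, level))
            _print_query_output(output, fmt, one_per_line=True)
        # Get a list of all services in the database
        else:
            print("All services in the database:\n")
            output = all_services
            _print_query_output(output, fmt, one_per_line=True)
    elif name is None and access_level and not resource_type:
        print(
            f"All IAM actions under the {service} service that have the access level {access_level}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_access_level(service, level)
        _print_query_output(output, fmt)
    elif name is None and access_level and resource_type:
        print(
            f"{service} {access_level.upper()} actions that have the resource type {resource_type.upper()}:"
        )
        level = transform_access_level_text(access_level)
        output = get_actions_with_arn_type_and_access_level(
            service, resource_type, level
        )
        _print_query_output(output, fmt)
    # Get a list of all IAM actions under the service that support the specified condition key.
    elif condition:
        print(
            f"IAM actions under {service} service that support the {condition} condition only:"
        )
        output = get_actions_matching_condition_key(service, condition)
        _print_query_output(output, fmt)
    # Get a list of IAM Actions under the service that apply to the given resource (ARN) type.
    elif resource_type:
        print(
            f"IAM actions under {service} service that have the resource type {resource_type}:"
        )
        output = get_actions_matching_arn_type(service, resource_type)
        _print_query_output(output, fmt)
    elif name and access_level is None:
        output = get_action_data(service, name)
        _print_query_output(output, fmt)
    else:
        # Get a list of all IAM Actions available to the service
        output = get_actions_for_service(service)
        print(f"ALL {service} actions:")
        _print_query_output(output, fmt, one_per_line=True)
    return output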
def example():
    """Run two sample queries and print their results.

    Prints the action list for ``cloud9`` and then the ``s3`` actions at the
    "Permissions management" access level.
    """
    cloud9_actions = get_actions_for_service("cloud9")
    print(cloud9_actions)
    s3_permissions_mgmt = get_actions_with_access_level("s3", "Permissions management")
    print(s3_permissions_mgmt)