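def check_for_wildcards(
    self,
    result: Result,
    logical_id: str,
    resource: PolicyDocument,
    resource_type: str,
    extras: Optional[Dict] = None,
):
    """Report ``Allow`` statements whose principals match ``self.FULL_REGEX``.

    For every such statement each principal from
    ``statement.get_principal_list()`` is inspected: an account ID is
    extracted with ``self.IAM_PATTERN`` / ``self.AWS_ACCOUNT_ID_PATTERN``
    and compared against the exemption list returned by
    ``self._get_allowed_from_config()``. Exempted accounts are skipped,
    statements that carry a non-empty ``Condition`` are skipped entirely,
    and everything else is recorded on ``result`` through
    ``self.add_failure_to_result``.

    Args:
        result: Result object that failures are appended to.
        logical_id: Logical ID of the resource being checked.
        resource: Policy document whose statements are inspected.
        resource_type: CloudFormation type of ``resource``.
        extras: Optional extra context forwarded into each failure.
    """
    # The exemption list does not depend on the statement or principal, so
    # resolve it once per call instead of once per principal.
    allowed_accounts = self._get_allowed_from_config()
    for statement in resource.statement_as_list():
        if statement.Effect != "Allow":
            continue
        if not statement.principals_with(self.FULL_REGEX):
            continue
        # Any non-empty Condition suppresses the finding for the whole
        # statement, however weak the condition is; conditions are left to
        # other rules. Evaluated once per statement since it does not
        # depend on the principal.
        if statement.Condition and statement.Condition.dict():
            continue
        for principal in statement.get_principal_list():
            account_id_match = self.IAM_PATTERN.match(
                principal
            ) or self.AWS_ACCOUNT_ID_PATTERN.match(principal)
            # A principal that matches neither pattern (e.g. a bare "*")
            # yields None here, so it can only be exempted if the config
            # list itself contains None -- otherwise it is always reported.
            account_id = account_id_match.group(1) if account_id_match else None
            # `self._get_allowed_from_config()` is used here to reduce the
            # number of false negatives and only allow exemptions for accounts
            # which belong to AWS Services (such as ELB and ElastiCache).
            if account_id in allowed_accounts:
                continue
            self.add_failure_to_result(
                result,
                self.REASON_WILDCARD_PRINCIPAL.format(logical_id, principal),
                resource_ids={logical_id},
                resource_types={resource_type},
                context={
                    "config": self._config,
                    "extras": extras,
                    "logical_id": logical_id,
                    "resource": resource,
                    "statement": statement,
                    "principal": principal,
                    "account_id": account_id,
                },
            )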
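def check_for_wildcards(
    self,
    result: Result,
    logical_id: str,
    resource: PolicyDocument,
    resource_type: str,
    extras: Optional[Dict] = None,
):
    """Report ``Allow`` statements whose principals match ``self.FULL_REGEX``.

    Only the principals returned by
    ``statement.principals_with(self.FULL_REGEX)`` are inspected. For each
    one an identifier is derived with ``get_account_id_from_principal``,
    falling back to the raw principal string (which may be a canonical
    user ID) when no account ID is found. Identifiers present in
    ``self._get_allowed_from_config()`` are skipped, statements with a
    non-empty ``Condition`` are skipped entirely, and everything else is
    recorded on ``result`` through ``self.add_failure_to_result``.

    Args:
        result: Result object that failures are appended to.
        logical_id: Logical ID of the resource being checked.
        resource: Policy document whose statements are inspected.
        resource_type: CloudFormation type of ``resource``.
        extras: Optional extra context forwarded into each failure.
    """
    # The exemption list does not depend on the statement or principal, so
    # resolve it once per call instead of once per principal.
    allowed_identifiers = self._get_allowed_from_config()
    for statement in resource.statement_as_list():
        if statement.Effect != "Allow":
            continue
        filtered_principals = statement.principals_with(self.FULL_REGEX)
        if not filtered_principals:
            continue
        # Any non-empty Condition suppresses the finding for the whole
        # statement, however weak the condition is; conditions are left to
        # other rules. Evaluated once per statement since it does not
        # depend on the principal.
        if statement.Condition and statement.Condition.dict():
            continue
        for principal in filtered_principals:
            # If no account ID can be extracted the principal might be a
            # canonical ID, so the raw principal is used as the identifier.
            identifier = get_account_id_from_principal(principal) or principal
            # `self._get_allowed_from_config()` is used here to reduce the
            # number of false negatives and only allow exemptions for accounts
            # which belong to AWS Services (such as ELB and ElastiCache).
            if identifier in allowed_identifiers:
                continue
            self.add_failure_to_result(
                result,
                self.REASON_WILDCARD_PRINCIPAL.format(logical_id, principal),
                resource_ids={logical_id},
                resource_types={resource_type},
                context={
                    "config": self._config,
                    "extras": extras,
                    "logical_id": logical_id,
                    "resource": resource,
                    "statement": statement,
                    "principal": principal,
                    # Note: this is the raw principal when no account ID
                    # could be extracted, not necessarily a 12-digit ID.
                    "account_id": identifier,
                },
            )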