def check_thirdparty_cross_account(self, item):
     policies = self.load_resource_policies(item)
     for policy in policies:
         for statement in policy.statements:
             if statement.effect != 'Allow':
                 continue
             for who in statement.whos_allowed():
                 entity = Entity.from_tuple(who)
                 if 'THIRDPARTY' in self.inspect_entity(entity, item):
                     self.record_thirdparty_access(item, entity, list(statement.actions))
 def check_root_cross_account(self, item):
     policies = self.load_resource_policies(item)
     for policy in policies:
         for statement in policy.statements:
             if statement.effect != 'Allow':
                 continue
             for who in statement.whos_allowed():
                 if who.category not in ['arn', 'principal']:
                     continue
                 if who.value == '*':
                     continue
                 arn = ARN(who.value)
                 entity = Entity.from_tuple(who)
                 if arn.root and self.inspect_entity(entity, item).intersection(set(['FRIENDLY', 'THIRDPARTY', 'UNKNOWN'])):
                     self.record_cross_account_root(item, entity, list(statement.actions))
    def check_unknown_cross_account(self, item):
        policies = self.load_resource_policies(item)
        for policy in policies:
            if policy.is_internet_accessible():
                continue
            for statement in policy.statements:
                if statement.effect != 'Allow':
                    continue
                for who in statement.whos_allowed():
                    if who.value == '*' and who.category == 'principal':
                        continue

                    # Ignore Service Principals
                    if who.category == 'principal':
                        arn = ARN(who.value)
                        if arn.service:
                            continue

                    entity = Entity.from_tuple(who)
                    if 'UNKNOWN' in self.inspect_entity(entity, item):
                        self.record_unknown_access(item, entity, list(statement.actions))
    def test_inspect_entity(self):
        rpa = ResourcePolicyAuditor(accounts=["012345678910"])
        rpa.prep_for_audit()

        # All conditions are SAME account.
        policy01 = dict(
            Version='2010-08-14',
            Statement=[
                dict(Effect='Allow',
                     Principal='arn:aws:iam::012345678910:root',
                     Action=['ec2:*'],
                     Resource='*',
                     Condition={
                         'StringEquals': {
                             'AWS:SourceOwner': '012345678910',
                             'AWS:SourceARN': 'arn:aws:iam::012345678910:root',
                             'AWS:SourceVPC': 'vpc-11111111',
                             'AWS:Sourcevpce': 'vpce-11111111',
                             'AWS:username': '******'
                         },
                         'StringLike': {
                             'AWS:userid': [
                                 'AIDA11111111111111111:*',
                                 'AISA11111111111111111:*'
                             ]
                         },
                         'IpAddress': {
                             'AWS:SourceIP':
                             ['54.11.11.11', '10.1.1.1/18', '172.16.11.11']
                         }
                     })
            ])

        test_item = Item(account='TEST_ACCOUNT', config=None)
        policy = Policy(policy01)
        for who in policy.whos_allowed():
            entity = Entity.from_tuple(who)
            self.assertEqual(set(['SAME']),
                             rpa.inspect_entity(entity, test_item))

        # All conditions are FRIENDLY account.
        policy02 = dict(
            Version='2010-08-14',
            Statement=[
                dict(Effect='Allow',
                     Principal='arn:aws:iam::222222222222:root',
                     Action=['ec2:*'],
                     Resource='*',
                     Condition={
                         'StringEquals': {
                             'AWS:SourceOwner': '222222222222',
                             'AWS:SourceARN':
                             'arn:aws:s3:::my-test-s3-bucket-two',
                             'AWS:SourceVPC': 'vpc-22222222',
                             'AWS:Sourcevpce': 'vpce-22222222',
                             'AWS:username': '******'
                         },
                         'StringLike': {
                             'AWS:userid': [
                                 'AIDA22222222222222222:*',
                                 'AISA22222222222222222:*'
                             ]
                         },
                         'IpAddress': {
                             'AWS:SourceIP':
                             ['54.22.22.22', '10.2.2.2/18', '172.16.22.22']
                         }
                     })
            ])

        test_item = Item(account='TEST_ACCOUNT', config=None)
        policy = Policy(policy02)
        for who in policy.whos_allowed():
            entity = Entity.from_tuple(who)
            self.assertEqual(set(['FRIENDLY']),
                             rpa.inspect_entity(entity, test_item))

        # All conditions are THIRDPARTY account.
        policy03 = dict(
            Version='2010-08-14',
            Statement=[
                dict(Effect='Allow',
                     Principal='arn:aws:iam::333333333333:root',
                     Action=['ec2:*'],
                     Resource='*',
                     Condition={
                         'StringEquals': {
                             'AWS:SourceOwner': '333333333333',
                             'AWS:SourceARN': 'arn:aws:iam::333333333333:root',
                             'AWS:SourceVPC': 'vpc-33333333',
                             'AWS:Sourcevpce': 'vpce-33333333',
                             'AWS:username': '******'
                         },
                         'StringLike': {
                             'AWS:userid': [
                                 'AIDA33333333333333333:*',
                                 'AISA33333333333333333:*'
                             ]
                         },
                         'IpAddress': {
                             'AWS:SourceIP':
                             ['54.33.33.33', '10.3.3.3/18', '172.16.33.33']
                         }
                     })
            ])

        test_item = Item(account='TEST_ACCOUNT', config=None)
        policy = Policy(policy03)
        for who in policy.whos_allowed():
            entity = Entity.from_tuple(who)
            self.assertEqual(set(['THIRDPARTY']),
                             rpa.inspect_entity(entity, test_item))

        # All conditions are from an UNKNOWN account.
        policy04 = dict(
            Version='2010-08-14',
            Statement=[
                dict(Effect='Allow',
                     Principal='arn:aws:iam::444444444444:root',
                     Action=['ec2:*'],
                     Resource='*',
                     Condition={
                         'StringEquals': {
                             'AWS:SourceOwner': '444444444444',
                             'AWS:SourceARN': 'arn:aws:iam::444444444444:root',
                             'AWS:SourceVPC': 'vpc-44444444',
                             'AWS:Sourcevpce': 'vpce-44444444',
                             'AWS:username': '******'
                         },
                         'StringLike': {
                             'AWS:userid': [
                                 'AIDA44444444444444444:*',
                                 'AISA44444444444444444:*'
                             ]
                         },
                         'IpAddress': {
                             'AWS:SourceIP':
                             ['54.44.44.44', '10.4.4.4/18', '172.16.44.44']
                         }
                     })
            ])

        test_item = Item(account='TEST_ACCOUNT', config=None)
        policy = Policy(policy04)
        for who in policy.whos_allowed():
            entity = Entity.from_tuple(who)
            self.assertEqual(set(['UNKNOWN']),
                             rpa.inspect_entity(entity, test_item))