def test_failures_for_correct_account_ids(intra_account_root_access):
rule = PartialWildcardPrincipalRule(Config(aws_account_id="123456789012"))
result = rule.invoke(intra_account_root_access)
assert not result.valid
assert compare_lists_of_failures(
result.failures,
[
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"AccLoadBalancerAccessLogBucketPolicy should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789012:root')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"AccLoadBalancerAccessLogBucketPolicy"},
resource_types={"AWS::S3::BucketPolicy"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"AccLoadBalancerAccessLogBucketPolicy should not allow wildcard in principals or account-wide principals (principal: '987654321012')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"AccLoadBalancerAccessLogBucketPolicy"},
resource_types={"AWS::S3::BucketPolicy"},
),
],
)
def test_failures_are_raised(bad_template):
result = Result()
rule = PartialWildcardPrincipalRule(None, result)
rule.invoke(bad_template)
assert result.valid
assert len(result.failed_rules) == 0
assert len(result.failed_monitored_rules) == 4
assert result.failed_monitored_rules[
0].rule == "PartialWildcardPrincipalRule"
assert result.failed_monitored_rules[
0].reason == "PolicyA contains an unknown principal: 123445"
assert result.failed_monitored_rules[
1].rule == "PartialWildcardPrincipalRule"
assert (
result.failed_monitored_rules[1].reason ==
"PolicyA should not allow wildcard in principals or account-wide principals "
"(principal: 'arn:aws:iam::123445:12345*')")
assert result.failed_monitored_rules[
2].rule == "PartialWildcardPrincipalRule"
assert result.failed_monitored_rules[
2].reason == "PolicyA contains an unknown principal: 123445"
assert result.failed_monitored_rules[
3].rule == "PartialWildcardPrincipalRule"
assert (
result.failed_monitored_rules[3].reason ==
"PolicyA should not allow wildcard in principals or account-wide principals "
"(principal: 'arn:aws:iam::123445:root')")
def test_failures_are_raised(bad_template):
rule = PartialWildcardPrincipalRule(None)
result = rule.invoke(bad_template)
assert not result.valid
assert compare_lists_of_failures(
result.failures,
[
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:12345*')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"PolicyA"},
resource_types={"AWS::IAM::Policy"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:root')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"PolicyA"},
resource_types={"AWS::IAM::Policy"},
),
],
)
def test_no_failures_are_raised(good_template):
rule = PartialWildcardPrincipalRule(None)
result = rule.invoke(good_template)
assert result.valid
assert len(result.failed_rules) == 0
assert len(result.failed_monitored_rules) == 0
def test_failures_are_raised(bad_template):
rule = PartialWildcardPrincipalRule(None)
result = rule.invoke(bad_template)
assert not result.valid
assert compare_lists_of_failures(
result.failures,
[
Failure(
granularity=RuleGranularity.RESOURCE,
reason="PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123445:12345*'",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"PolicyA"},
resource_types={"AWS::IAM::Policy"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason="PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123445:root'",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"PolicyA"},
resource_types={"AWS::IAM::Policy"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason="PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be'",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"PolicyA"},
resource_types={"AWS::IAM::Policy"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason="PolicyA should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'eb2fe74dc7e8125d8f8fcae89d90e6dfdecabf896e1a69d55e949b009fd95a97'",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"PolicyA"},
resource_types={"AWS::IAM::Policy"},
),
],
)
def test_no_failures_are_raised(good_template):
rule = PartialWildcardPrincipalRule(None)
result = rule.invoke(good_template)
assert result.valid
assert compare_lists_of_failures(result.failures, [])
def test_rule_supports_filter_config(bad_template, default_allow_all_config):
rule = PartialWildcardPrincipalRule(default_allow_all_config)
result = rule.invoke(bad_template)
assert result.valid
assert compare_lists_of_failures(result.failures, [])
def test_aws_elb_allow_template(aws_elb_allow_template):
rule = PartialWildcardPrincipalRule(None)
result = rule.invoke(aws_elb_allow_template)
assert result.valid
assert compare_lists_of_failures(result.failures, [])