def test_gh_109_full_access_policy(self):
test_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
]
}
exclusions_cfg_custom = {}
results = scan_policy(test_policy, exclusions_cfg_custom)
self.assertTrue(len(results.get("ServiceWildcard")) > 150)
self.assertTrue(len(results.get("ServicesAffected")) > 150)
test_policy = {
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["*"],
"Resource": ["*"]
},
]
}
results = scan_policy(test_policy, exclusions_cfg_custom)
# print(json.dumps(results, indent=4))
self.assertTrue(len(results.get("ServiceWildcard")) > 150)
self.assertTrue(len(results.get("ServicesAffected")) > 150)
def test_excluded_actions_scan_policy_file(self):
"""Test the scan_policy command when we have excluded actions"""
test_policy = {
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "iam:CreateAccessKey"],
"Resource": "*"
},
]
}
results = scan_policy(test_policy, "test", DEFAULT_EXCLUSIONS_CONFIG)
# print(json.dumps(results, indent=4))
expected_results_before_exclusion = [{
"AccountID":
"N/A",
"ManagedBy":
"Customer",
"PolicyName":
"test",
"Type":
"",
"Arn":
"test",
"ActionsCount":
2,
"ServicesCount":
2,
"Services": ["iam", "s3"],
"Actions": ["iam:CreateAccessKey", "s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "iam:CreateAccessKey"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument":
None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [{
"type": "CreateAccessKey",
"actions": ["iam:createaccesskey"]
}],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": ["iam:CreateAccessKey"]
}]
self.assertListEqual(results, expected_results_before_exclusion)
expected_results_after_exclusion = []
exclusions_cfg_custom = {
"exclude-actions": ["s3:GetObject", "iam:CreateAccessKey"]
}
results = scan_policy(test_policy, "test", exclusions_cfg_custom)
# print(json.dumps(results, indent=4))
self.assertListEqual(results, expected_results_after_exclusion)
def test_excluded_actions_scan_policy_file_v2(self):
"""test_excluded_actions_scan_policy_file_v2: Test the scan_policy command when we have excluded actions"""
test_policy = {
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "iam:CreateAccessKey"],
"Resource": "*"
},
]
}
expected_results = {
"ServiceWildcard": [],
"ServicesAffected": ["iam", "s3"],
"PrivilegeEscalation": [{
"type": "CreateAccessKey",
"actions": ["iam:createaccesskey"]
}],
"ResourceExposure": ["iam:CreateAccessKey"],
"DataExfiltration": ["s3:GetObject"],
"CredentialsExposure": ["iam:CreateAccessKey"],
"InfrastructureModification": ["iam:CreateAccessKey"]
}
exclusions_cfg_custom = {}
results = scan_policy(test_policy, exclusions_cfg_custom)
# print(json.dumps(results, indent=4))
self.maxDiff = None
self.assertDictEqual(results, expected_results)
def test_excluded_actions_scan_policy_file_v2(self):
"""test_excluded_actions_scan_policy_file_v2: Test the scan_policy command when we have excluded actions"""
test_policy = {
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "iam:CreateAccessKey"],
"Resource": "*"
},
]
}
expected_results_after_exclusion = {}
exclusions_cfg_custom = {
"users": ["MyRole"],
"groups": ["obama"],
"roles": ["admin"],
"exclude-actions": ["s3:GetObject", "iam:CreateAccessKey"]
}
exclusions = Exclusions(exclusions_cfg_custom)
results = scan_policy(test_policy, "test", exclusions)
# print(json.dumps(results, indent=4))
self.maxDiff = None
self.assertDictEqual(results, expected_results_after_exclusion)
def test_checkov_gh_990_condition_restricted_action(self):
test_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Sid": "RestrictedWithConditions",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.0.2.0/24"
},
"NotIpAddress": {
"aws:SourceIp": "192.0.2.188/32"
}
}
}]
}
exclusions_cfg_custom = {}
results = scan_policy(test_policy, exclusions_cfg_custom)
print(json.dumps(results, indent=4))
self.assertListEqual(results.get("InfrastructureModification"), [])
self.assertListEqual(results.get("DataExfiltration"), [])
self.assertListEqual(results.get("ServicesAffected"), [])
test_policy_without_condition = {
"Version":
"2012-10-17",
"Statement": [{
"Sid": "Unrestricted",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
}]
}
results = scan_policy(test_policy_without_condition,
exclusions_cfg_custom)
print(json.dumps(results, indent=4))
self.assertListEqual(results.get("InfrastructureModification"), [])
self.assertListEqual(results.get("DataExfiltration"), ["s3:GetObject"])
self.assertListEqual(results.get("ServicesAffected"), ["s3"])
def test_policy_file(self):
example_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories", "ecr:ListImages",
"ecr:DescribeImages", "ecr:BatchGetImage",
"ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
"ecr:CompleteLayerUpload", "ecr:PutImage"
],
"Resource":
"*"
}, {
"Sid":
"AllowManageOwnAccessKeys",
"Effect":
"Allow",
"Action": [
"iam:CreateAccessKey", "iam:DeleteAccessKey",
"iam:ListAccessKeys", "iam:UpdateAccessKey"
],
"Resource":
"arn:aws:iam::*:user/${aws:username}"
}]
}
expected_results = {
"ServicesAffected": ["ecr"],
"PrivilegeEscalation": [],
"ResourceExposure": [],
"DataExfiltration": [],
"ServiceWildcard": [],
"CredentialsExposure": ["ecr:GetAuthorizationToken"],
"InfrastructureModification": [
"ecr:CompleteLayerUpload", "ecr:InitiateLayerUpload",
"ecr:PutImage", "ecr:UploadLayerPart"
]
}
results = scan_policy(example_policy)
# print(json.dumps(results, indent=4))
self.maxDiff = None
self.assertDictEqual(results, expected_results)
async def scan_iam_policy(item: ScanPolicyInput):
if item.include_actions is None:
include_actions = INCLUDE_ACTIONS_DEFAULT
else:
include_actions = item.include_actions
if item.exclude_actions is None:
exclude_actions = EXCLUDE_ACTIONS_DEFAULT
else:
exclude_actions = item.exclude_actions
exclusions_cfg = {
"exclude-actions": exclude_actions,
"include-actions": include_actions
}
body = scan_policy(item.policy_document, exclusions_cfg)
return body
def lambda_handler(event, context):
request_data = json.loads(event.get("body"))
policy_document = request_data.get('policy_document')
include_actions = request_data.get('include_actions')
exclude_actions = request_data.get('exclude_actions')
# If include_actions is not included in the request, then just give it the default values.
if not include_actions:
include_actions = [
"s3:GetObject", "ssm:GetParameter", "ssm:GetParameters",
"ssm:GetParametersByPath", "secretsmanager:GetSecretValue",
"rds:CopyDBSnapshot", "rds:CreateDBSnapshot"
]
if not exclude_actions:
exclude_actions = []
exclusions_cfg = {
"exclude-actions": exclude_actions,
"include-actions": include_actions
}
body = scan_policy(policy_document, exclusions_cfg)
response = {"statusCode": 200, "body": json.dumps(body)}
return response
def test_policy_file(self):
policy_test_file = os.path.abspath(
os.path.join(
os.path.dirname(__file__),
os.path.pardir,
"files",
"test_policy_file.json",
)
)
# print(expected_results_file)
with open(policy_test_file) as json_file:
example_policy = json.load(json_file)
expected_results = [
{
"AccountID": "N/A",
"ManagedBy": "Customer",
"PolicyName": "test",
"Type": "",
"Arn": "test",
"ActionsCount": 4,
"ServicesCount": 1,
"Services": [
"ecr"
],
"Actions": [
"ecr:CompleteLayerUpload",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": [],
"PermissionsManagementActions": []
}
]
results = scan_policy(example_policy, "test", DEFAULT_EXCLUSIONS_CONFIG)
# print(json.dumps(results, indent=4))
self.assertListEqual(results, expected_results)
def test_gh_254_all_risky_actions_scan_policy(self):
policy_with_resource_constraints = {
"Version":
"2012-10-17",
"Statement": [
# Privilege Escalation
{
"Effect": "Allow",
"Action": ["iam:UpdateAssumeRolePolicy", "sts:AssumeRole"],
"Resource": "arn:aws:iam::111122223333:role/MyRole"
},
# Data Exfiltration
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
],
"Resource": "arn:aws:s3:::mybucket/*"
},
# Resource Expsoure
{
"Effect": "Allow",
"Action": [
"s3:PutBucketAcl",
],
"Resource": "arn:aws:s3:::mybucket"
},
# Credentials Exposure
{
"Effect": "Allow",
"Action": [
"iam:UpdateAccessKey",
],
"Resource": "arn:aws:iam::111122223333:user/MyUser"
},
# Infrastructure Modification
{
"Effect":
"Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
],
"Resource":
"arn:aws:ec2:us-east-1:111122223333:security-group/sg-12345678"
}
]
}
results = scan_policy(policy_with_resource_constraints,
flag_resource_arn_statements=True,
flag_conditional_statements=True)
expected_results = {
"ServiceWildcard": [],
"ServicesAffected": ["ec2", "iam", "s3", "sts"],
"PrivilegeEscalation": [{
"type":
"UpdateRolePolicyToAssumeIt",
"actions": ["iam:updateassumerolepolicy", "sts:assumerole"]
}],
"ResourceExposure": [
"iam:UpdateAssumeRolePolicy", "s3:PutBucketAcl",
"iam:UpdateAccessKey"
],
"DataExfiltration": ["s3:GetObject"],
"CredentialsExposure": ["iam:UpdateAccessKey", "sts:AssumeRole"],
"InfrastructureModification": [
"ec2:AuthorizeSecurityGroupIngress", "iam:UpdateAccessKey",
"iam:UpdateAssumeRolePolicy", "s3:GetObject",
"s3:PutBucketAcl", "sts:AssumeRole"
]
}
# print(json.dumps(results, indent=4))
self.assertDictEqual(results, expected_results)
