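def get_action_access_level_overrides_from_yml(service, access_level_overrides_file_path=None):
    """
    Read the YML overrides file, which is formatted like: ['ec2']['permissions-management'][action_name].
    Since the AWS Documentation is sometimes outdated, we can use this YML file to
    override whatever they provide in their documentation.

    :param service: AWS service prefix (e.g. 'ec2') used as the top-level key in the overrides file.
    :param access_level_overrides_file_path: Optional path to an overrides YML file. When omitted
        (or empty), the bundled ``data/access-level-overrides.yml`` next to this module is used.
    :return: The overrides mapping stored under ``service``, or ``False`` when the file is empty
        or has no entry for that service.
    """
    if not access_level_overrides_file_path:
        # Resolve the bundled default relative to this module, not the current working directory,
        # and let os.path.join pick the separator instead of hard-coding '/'.
        access_level_overrides_file_path = os.path.join(
            os.path.abspath(os.path.dirname(__file__)), 'data', 'access-level-overrides.yml'
        )
    # NOTE(review): read_yaml_file is defined elsewhere; assumes it parses with a safe YAML loader — confirm.
    cfg = read_yaml_file(access_level_overrides_file_path)
    # An empty YAML document parses to None; treat it like "no override for this service"
    # rather than raising TypeError on the membership test.
    if cfg and service in cfg:
        return cfg[service]
    return False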
def write_policy(input_file, crud, minimize):
    """
    Write a least-privilege IAM Policy by supplying either a list of actions or
    access levels specific to resource ARNs!

    :param input_file: Path to the YML file describing the desired policy.
    :param crud: Truthy when the file lists resource-specific access levels;
        falsy when it lists IAM actions.
    :param minimize: Passed through unchanged to the policy writer.
    :return: The generated policy; it is also printed to stdout as indented JSON.
    """
    # TODO: JSON Validation function

    session = connect_db(DATABASE_FILE_PATH)
    policy_config = read_yaml_file(input_file)

    # CRUD mode consumes resource-specific access levels; otherwise the file
    # holds a plain list of IAM actions.
    writer = write_policy_with_access_levels if crud else write_policy_with_actions
    policy = writer(policy_config, session, minimize)

    print(json.dumps(policy, indent=4))
    return policy
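def write_policy(input_file, crud, minimize):
    """
    Write a least-privilege IAM Policy by supplying either a list of actions or access levels specific to resource ARNs!

    :param input_file: Path to the YML file describing the desired policy.
    :param crud: Truthy when the file lists resource-specific access levels;
        falsy when it lists IAM actions.
    :param minimize: Passed through unchanged to the policy writer.
    :return: The generated policy; it is also printed to stdout as indented JSON.
    """
    # TODO: JSON Validation function
    # The action database lives under the user's home directory. Build the path with
    # pathlib so the separator is correct on every platform instead of gluing '/' by hand.
    database_path = str(Path.home() / '.policy_sentry' / 'aws.sqlite3')
    db_session = connect_db(database_path)

    cfg = read_yaml_file(input_file)

    # User supplies file containing resource-specific access levels
    if crud:
        policy = write_policy_with_access_levels(cfg, db_session, minimize)
    # User supplies file containing a list of IAM actions
    else:
        policy = write_policy_with_actions(cfg, db_session, minimize)
    print(json.dumps(policy, indent=4))
    return policy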
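def write_policy_dir(input_dir, output_dir, crud, minimize):
    """
    write_policy, but this time with an input directory of YML/YAML files, and an output directory for all the JSON files

    :param input_dir: Directory holding one ``*.yml`` file per policy to write
        (only the ``.yml`` extension is globbed).
    :param output_dir: Directory that receives one ``<name>.json`` file per input file.
    :param crud: Truthy when the input files list resource-specific access levels;
        falsy when they list IAM actions.
    :param minimize: Passed through unchanged to the policy writer.
    :return: None. Exits with status 1 when either directory fails ``check_valid_file_path``.
    """
    # The action database lives under the user's home directory. Build the path with
    # pathlib so the separator is correct on every platform instead of gluing '/' by hand.
    database_path = str(Path.home() / '.policy_sentry' / 'aws.sqlite3')
    db_session = connect_db(database_path)
    input_dir = os.path.abspath(input_dir)
    output_dir = os.path.abspath(output_dir)

    if not crud:
        print(
            "Warning: If you are using ARNs from Terraform to generate your policies, "
            "try using the CRUD functionality instead of the default actions-based policy writing functionality."
        )

    if not minimize:
        print(
            "Warning: --minimize option is not set. If the policy is too large, "
            "it can hit the AWS IAM Policy character limit. "
            "We'll execute as-is, but try using `--minimize 0` functionality "
            "for production to optimize policy size.\n")

    # An unusable directory is an error: exit non-zero so callers and scripts can
    # detect it (a bare sys.exit() would report success with status 0).
    if not check_valid_file_path(input_dir):
        print("Input directory is invalid")
        sys.exit(1)
    if not check_valid_file_path(output_dir):
        print("Output directory is invalid")
        sys.exit(1)

    input_files = glob.glob(os.path.join(input_dir, '*.yml'), recursive=False)
    if not input_files:
        # Best-effort warning only: the loop below simply runs zero times.
        print(
            "Directory is empty or does not have files with *.yml extension. "
            "Please check the folder contents and/or extension spelling.")

    print("Writing the policy JSON files from " + input_dir + " to " +
          output_dir + "...\n")
    for yaml_file in input_files:
        # Get the name of the file, and strip the extension. This is what the policy name will be
        base_name = os.path.basename(yaml_file)
        base_name_no_extension = os.path.splitext(base_name)[0]
        cfg = read_yaml_file(yaml_file)
        # User supplies file containing resource-specific access levels
        if crud:
            policy = write_policy_with_access_levels(cfg, db_session, minimize)
        # User supplies file containing a list of IAM actions
        else:
            policy = write_policy_with_actions(cfg, db_session, minimize)
        print("Writing policy for " + base_name + '\n')

        target_file = os.path.join(output_dir, base_name_no_extension + '.json')
        # Existing output is removed before writing; whether write_json_file would
        # overwrite on its own is not visible here, so keep the explicit remove.
        if os.path.exists(target_file):
            print(
                "Target file for " + base_name_no_extension + '.json' +
                " exists in the target directory. Removing it and writing a new file.\n"
            )
            os.remove(target_file)
        write_json_file(target_file, policy)

    print("Finished")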
def load_report_config_file(filename):
    """Read the Report config file and return the rendered dict

    :param filename: Path to the report configuration YML file.
    :return: Whatever ``read_yaml_file`` parses from that file, returned unchanged.
    """
    return read_yaml_file(filename)