def test_group_membership_finding(self):
test_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
}
policy_document = PolicyDocument(test_policy)
exclusions_cfg = dict(users=["obama"],
groups=["admin"],
roles=["MyRole"],
policies=["AWSLambdaFullAccess"])
exclusions = Exclusions(exclusions_cfg)
group_finding = GroupFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/GroupShouldBeEmpty",
actions=["s3:GetObject"],
policy_document=policy_document,
exclusions=exclusions,
members=["obama"])
result = group_finding.is_excluded(exclusions)
self.assertListEqual(result, [])
group_finding = GroupFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/GroupShouldBeEmpty",
actions=["s3:GetObject"],
policy_document=policy_document,
exclusions=exclusions,
members=["yolo"])
self.assertFalse(group_finding.is_excluded(exclusions))
def test_finding_actions_included(self):
test_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"ec2:DescribeInstances", # This is a bad thing to include, but just for the hell of it
],
"Resource": "*"
}
]
}
policy_document = PolicyDocument(test_policy)
# (2) INCLUDE actions
exclusions_cfg = {
"users": ["obama"],
"groups": ["admin"],
"roles": ["MyRole"],
"policies": ["someOtherName"],
"include-actions": [
"ec2:DescribeInstances"
],
"exclude-actions": [
"s3:GetObject",
],
}
exclusions = Exclusions(exclusions_cfg)
finding = Finding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/SNSNotifications",
actions=["s3:GetObject", "ec2:DescribeInstances"],
policy_document=policy_document,
exclusions=exclusions
)
# print(finding.actions)
expected_results = [
"ec2:DescribeInstances",
]
self.assertListEqual(finding.actions, expected_results)
group_finding = GroupFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/SNSNotifications",
actions=["s3:GetObject", "ec2:DescribeInstances"],
policy_document=policy_document,
exclusions=exclusions,
members=None
)
self.assertListEqual(group_finding.actions, expected_results)
def test_new_findings(self):
"""output.new_findings.Findings"""
self.maxDiff = None
test_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
}
policy_document = PolicyDocument(test_policy)
# (1) If the user is a member of an excluded group, return True
exclusions_cfg = dict(users=["obama"],
groups=["exclude-group"],
roles=["MyRole"],
policies=["exclude-policy"])
exclusions = Exclusions(exclusions_cfg)
attached_managed_policies = [{
"PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
"PolicyName": "AWSLambdaFullAccess"
}]
# Let's just re-use the same policy for users groups and roles
user_finding = UserFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:user/SomeUser",
actions=["s3:GetObject"],
policy_document=policy_document,
group_membership=["admin"],
attached_managed_policies=attached_managed_policies,
exclusions=exclusions)
group_finding = GroupFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:group/SomeGroup",
actions=["s3:GetObject"],
policy_document=policy_document,
members=["obama"],
exclusions=exclusions)
trust_policy_from_compute_service_ecs_tasks = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root",
}
}]
}
assume_role_policy_document = AssumeRolePolicyDocument(
trust_policy_from_compute_service_ecs_tasks)
role_finding = RoleFinding(
policy_name="MyPolicy",
arn="arn:aws:iam::123456789012:role/SomeRole",
actions=["s3:GetObject"],
policy_document=policy_document,
assume_role_policy_document=assume_role_policy_document,
exclusions=exclusions)
policy_finding = PolicyFinding(
policy_name="AWSLambdaFullAccess",
arn="arn:aws:iam::aws:policy/AWSLambdaFullAccess",
actions=["s3:GetObject"],
policy_document=policy_document,
exclusions=exclusions)
all_findings = Findings(exclusions)
all_findings.add_user_finding(user_finding)
result = all_findings.users[0]
expected_user_result = {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeUser",
"PolicyName": "MyPolicy",
"Type": "User",
"Arn": "arn:aws:iam::123456789012:user/SomeUser",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}
self.assertDictEqual(result.json, expected_user_result)
principal_policy_mapping = [
{
"Principal": "SomeUser",
"Type": "User",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
{
"Principal": "SomeUser",
"Type": "User",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "AWSLambdaFullAccess",
"GroupMembership": None,
},
{
"Principal": "SomeGroup",
"Type": "Group",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
{
"Principal": "SomeRole",
"Type": "Role",
"PolicyType": "Managed",
"ManagedBy": "AWS",
"PolicyName": "MyPolicy",
"GroupMembership": None,
},
]
all_findings.principal_policy_mapping = principal_policy_mapping
all_findings.add_group_finding(group_finding)
all_findings.add_role_finding(role_finding)
all_findings.add_policy_finding(policy_finding)
print(len(all_findings))
self.assertEqual(len(all_findings), 4)
results = all_findings.json
expected_results = [{
"AccountID": "N/A",
"ManagedBy": "AWS",
"Name": "AWSLambdaFullAccess",
"PolicyName": "AWSLambdaFullAccess",
"Type": "Policy",
"Arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeUser",
"PolicyName": "MyPolicy",
"Type": "User",
"Arn": "arn:aws:iam::123456789012:user/SomeUser",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeGroup",
"PolicyName": "MyPolicy",
"Type": "Group",
"Arn": "arn:aws:iam::123456789012:group/SomeGroup",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": None,
"AssumableByComputeService": [],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}, {
"AccountID": "123456789012",
"ManagedBy": "Customer",
"Name": "SomeRole",
"PolicyName": "MyPolicy",
"Type": "Role",
"Arn": "arn:aws:iam::123456789012:role/SomeRole",
"ActionsCount": 1,
"ServicesCount": 1,
"Services": ["s3"],
"Actions": ["s3:GetObject"],
"PolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}]
},
"AssumeRolePolicyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
"AWS": "arn:aws:iam::012345678910:root"
}
}]
},
"AssumableByComputeService": ["ecs-tasks"],
"PrivilegeEscalation": [],
"DataExfiltrationActions": ["s3:GetObject"],
"PermissionsManagementActions": []
}]
# print(json.dumps(all_findings.json, indent=4))
self.assertListEqual(results, expected_results)
def scan_principal_type_details(
self,
principal_type_detail_list,
exclusions=DEFAULT_EXCLUSIONS,
modify_only=True,
):
"""Scan the UserDetailList, GroupDetailList, or RoleDetailList
blocks of the account authorization details output."""
if not isinstance(exclusions, Exclusions):
raise Exception(
"The provided exclusions is not the Exclusions object type. "
"Please use the Exclusions object.")
for principal in principal_type_detail_list.principals:
print(f"Scanning {principal.principal_type}: {principal.name}")
for policy in principal.policy_list:
print(f"\tScanning Policy: {policy['PolicyName']}")
if exclusions.is_policy_excluded(policy["PolicyName"]):
pass
elif principal.is_principal_excluded(exclusions):
print(f"\tExcluded principal name: {principal.name}")
else:
policy_document = policy["PolicyDocument"]
actions_missing_resource_constraints = []
for statement in policy_document.statements:
if modify_only:
if statement.effect == "Allow":
actions_missing_resource_constraints.extend(
statement.
missing_resource_constraints_for_modify_actions(
exclusions))
else:
if statement.effect == "Allow":
actions_missing_resource_constraints.extend(
statement.missing_resource_constraints(
exclusions))
if actions_missing_resource_constraints:
if principal.principal_type == "User":
user_finding = UserFinding(
policy_name=policy["PolicyName"],
arn=principal.arn,
actions=actions_missing_resource_constraints,
policy_document=policy["PolicyDocument"],
exclusions=exclusions,
attached_managed_policies=principal.
attached_managed_policies,
group_membership=principal.group_member,
)
self.findings.add_user_finding(user_finding)
elif principal.principal_type == "Group":
group_finding = GroupFinding(
policy_name=policy["PolicyName"],
arn=principal.arn,
actions=actions_missing_resource_constraints,
policy_document=policy["PolicyDocument"],
exclusions=exclusions,
members=principal.members,
attached_managed_policies=principal.
attached_managed_policies,
)
logger.debug(
f"scan_principal_type_details: The Group {principal.name} has the members {principal.members}"
)
self.findings.add_group_finding(group_finding)
elif principal.principal_type == "Role":
role_finding = RoleFinding(
policy_name=policy["PolicyName"],
arn=principal.arn,
actions=actions_missing_resource_constraints,
policy_document=policy["PolicyDocument"],
exclusions=exclusions,
assume_role_policy_document=principal.
assume_role_policy_document,
attached_managed_policies=principal.
attached_managed_policies,
)
self.findings.add_role_finding(role_finding)