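    def test_missing_access_levels(self):
        """
        test_missing_access_levels: write-policy --crud command when YAML File is missing access levels

        The CRUD config below only supplies ``list``, ``tag`` and
        ``permissions-management`` ARNs. The test expects
        ``process_resource_specific_acls`` to abort via ``SystemExit``
        rather than emit a partial policy (presumably because the
        remaining access levels are absent, per the test name).
        :return:
        """
        cfg_with_missing_access_levels = {
            "roles_with_crud_levels": [{
                "name": "RoleNameWithCRUD",
                "description": "Why I need these privs",
                # NOTE(review): 559410426617 is not the AWS documentation
                # placeholder account (123456789012) used by the other
                # fixtures on this page; confirm it is a dummy value.
                "arn": "arn:aws:iam::559410426617:role/RiskyEC2",
                "list": [
                    "arn:aws:s3:::example-org-flow-logs",
                    "arn:aws:s3:::example-org-sbx-vmimport/stuff",
                ],
                "tag": ["arn:aws:ssm:us-east-1:123456789012:parameter/test"],
                "permissions-management": [
                    "arn:aws:s3:::example-org-s3-access-logs",
                ],
            }]
        }

        # Construct the group outside the assertRaises block so that only the
        # call under test can satisfy the expected SystemExit; a constructor
        # failure would otherwise make the test pass for the wrong reason.
        arn_action_group = ArnActionGroup()
        with self.assertRaises(SystemExit):
            arn_action_group.process_resource_specific_acls(
                cfg_with_missing_access_levels, db_session)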
    def test_wildcard_when_not_necessary(self):
        """test_wildcard_when_not_necessary: Attempts bypass of CRUD mode wildcard-only

        Three of the actions requested under ``wildcard`` genuinely support
        only ``*``. The fourth, ``secretsmanager:putsecretvalue``, can also
        be scoped to a "secret" ARN, so asking for it under ``wildcard`` is
        an attempt to obtain ``*`` where a resource ARN would do. The
        expected policy keeps the ``MultMultNone`` statement to the three
        wildcard-only actions and drops the fourth.
        """
        # Wildcard-only set; check with
        # `policy_sentry query action-table --service secretsmanager --wildcard-only`
        wildcard_only_actions = [
            'ram:enablesharingwithawsorganization',
            'ram:getresourcepolicies',
            'secretsmanager:createsecret',
        ]
        # Valid for a "secret" ARN type OR wildcard; requesting it here
        # mimics someone trying to beat the tool into granting "*".
        bypass_attempt = 'secretsmanager:putsecretvalue'

        cfg = {
            'roles_with_crud_levels': [{
                'name': 'RoleNameWithCRUD',
                'description': 'Why I need these privs',
                'arn': 'arn:aws:iam::123456789012:role/RiskyEC2',
                'permissions-management': [
                    'arn:aws:s3:::example-org-s3-access-logs',
                ],
                'wildcard': wildcard_only_actions + [bypass_attempt],
            }]
        }
        # Show the full dict diff if the assertion below fails.
        self.maxDiff = None

        group = ArnActionGroup()
        policy = print_policy(
            group.process_resource_specific_acls(cfg, db_session),
            db_session,
            None,
        )
        print(json.dumps(policy, indent=4))

        expected = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "MultMultNone",
                    "Effect": "Allow",
                    "Action": [
                        "ram:enablesharingwithawsorganization",
                        "ram:getresourcepolicies",
                        "secretsmanager:createsecret",
                    ],
                    "Resource": ["*"],
                },
                {
                    "Sid": "S3PermissionsmanagementBucket",
                    "Effect": "Allow",
                    "Action": [
                        "s3:deletebucketpolicy",
                        "s3:putbucketacl",
                        "s3:putbucketpolicy",
                        "s3:putbucketpublicaccessblock",
                    ],
                    "Resource": ["arn:aws:s3:::example-org-s3-access-logs"],
                },
            ],
        }
        self.assertDictEqual(policy, expected)
def write_policy_with_access_levels(cfg, db_session, minimize_statement=False):
    """
    Writes an IAM policy given a dict containing Access Levels and ARNs.

    :param cfg: dict of access levels to ARN lists (presumably the
        ``roles_with_crud_levels`` layout used by the tests on this page).
    :param db_session: database session handed to
        ``ArnActionGroup.process_resource_specific_acls`` and to
        ``print_policy``.
    :param minimize_statement: forwarded unchanged to ``print_policy``.
    :return: the value returned by ``print_policy`` for the grouped ARNs
        (the tests treat it as a policy dict with ``Version`` and ``Statement``).
    """
    grouped_arns = ArnActionGroup().process_resource_specific_acls(cfg, db_session)
    return print_policy(grouped_arns, db_session, minimize_statement)