def repo_stats(output_file, dynamo_table, account_number=None):
"""
Create a csv file with stats about roles, total permissions, and applicable filters over time
Args:
output_file (string): the name of the csv file to write
account_number (string): if specified only display roles from selected account, otherwise display all
Returns:
None
"""
roleIDs = (role_ids_for_account(dynamo_table, account_number) if account_number else
role_ids_for_all_accounts(dynamo_table))
headers = ['RoleId', 'Role Name', 'Account', 'Active', 'Date', 'Source', 'Permissions Count',
'Repoable Permissions Count', 'Disqualified By']
rows = []
for roleID in roleIDs:
role_data = get_role_data(dynamo_table, roleID, fields=['RoleId', 'RoleName', 'Account', 'Active', 'Stats'])
for stats_entry in role_data.get('Stats', []):
rows.append([role_data['RoleId'], role_data['RoleName'], role_data['Account'], role_data['Active'],
stats_entry['Date'], stats_entry['Source'], stats_entry['PermissionsCount'],
stats_entry.get('RepoablePermissionsCount'), stats_entry.get('DisqualifiedBy', [])])
try:
with open(output_file, 'wb') as csvfile:
csv_writer = csv.writer(csvfile)
csv_writer.writerow(headers)
for row in rows:
csv_writer.writerow(row)
except IOError as e:
LOGGER.error('Unable to write file {}: {}'.format(output_file, e))
else:
LOGGER.info('Successfully wrote stats to {}'.format(output_file))
def _repo_stats(output_file: str, account_number: str = "") -> None:
"""
Create a csv file with stats about roles, total permissions, and applicable filters over time
Args:
output_file (string): the name of the csv file to write
account_number (string): if specified only display roles from selected account, otherwise display all
Returns:
None
"""
role_ids: Iterable[str]
if account_number:
access_advisor_datasource = AccessAdvisorDatasource()
access_advisor_datasource.seed(account_number)
iam_datasource = IAMDatasource()
role_ids = iam_datasource.seed(account_number)
else:
role_ids = role_ids_for_all_accounts()
headers = [
"RoleId",
"Role Name",
"Account",
"Active",
"Date",
"Source",
"Permissions Count",
"Repoable Permissions Count",
"Disqualified By",
]
rows = []
roles = RoleList.from_ids(
role_ids, fields=["RoleId", "RoleName", "Account", "Active", "Stats"])
for role in roles:
for stats_entry in role.stats:
rows.append([
role.role_id,
role.role_name,
role.account,
role.active,
stats_entry["Date"],
stats_entry["Source"],
stats_entry["PermissionsCount"],
stats_entry.get("RepoablePermissionsCount", 0),
stats_entry.get("DisqualifiedBy", []),
])
try:
with open(output_file, "w") as csvfile:
csv_writer = csv.writer(csvfile)
csv_writer.writerow(headers)
for row in rows:
csv_writer.writerow(row)
except IOError as e:
LOGGER.error("Unable to write file {}: {}".format(output_file, e),
exc_info=True)
else:
LOGGER.info("Successfully wrote stats to {}".format(output_file))
def _find_roles_with_permissions(permissions, dynamo_table, output_file):
"""
Search roles in all accounts for a policy with any of the provided permissions, log the ARN of each role.
Args:
permissions (list[string]): The name of the permissions to find
output_file (string): filename to write the output
Returns:
None
"""
arns = list()
for roleID in role_ids_for_all_accounts(dynamo_table):
role = Role.parse_obj(
get_role_data(dynamo_table,
roleID,
fields=["Policies", "RoleName", "Arn", "Active"]))
role_permissions, _ = roledata.get_role_permissions(role)
permissions = set([p.lower() for p in permissions])
found_permissions = permissions.intersection(role_permissions)
if found_permissions and role.active:
arns.append(role.arn)
LOGGER.info("ARN {arn} has {permissions}".format(
arn=role.arn, permissions=list(found_permissions)))
if not output_file:
return
with open(output_file, "w") as fd:
json.dump(arns, fd)
LOGGER.info('Ouput written to file "{output_file}"'.format(
output_file=output_file))
def _find_roles_with_permissions(permissions: List[str],
output_file: str) -> None:
"""
Search roles in all accounts for a policy with any of the provided permissions, log the ARN of each role.
Args:
permissions (list[string]): The name of the permissions to find
output_file (string): filename to write the output
Returns:
None
"""
arns: List[str] = list()
role_ids = role_ids_for_all_accounts()
roles = RoleList.from_ids(role_ids,
fields=["Policies", "RoleName", "Arn", "Active"])
for role in roles:
role_permissions, _ = role.get_permissions_for_policy_version()
permissions_set = set([p.lower() for p in permissions])
found_permissions = permissions_set.intersection(role_permissions)
if found_permissions and role.active:
arns.append(role.arn)
LOGGER.info("ARN {arn} has {permissions}".format(
arn=role.arn, permissions=list(found_permissions)))
if not output_file:
return
with open(output_file, "w") as fd:
json.dump(arns, fd)
LOGGER.info(f"Output written to file {output_file}")
def _repo_stats(output_file, dynamo_table, account_number=None):
"""
Create a csv file with stats about roles, total permissions, and applicable filters over time
Args:
output_file (string): the name of the csv file to write
account_number (string): if specified only display roles from selected account, otherwise display all
Returns:
None
"""
roleIDs = (role_ids_for_account(dynamo_table, account_number)
if account_number else role_ids_for_all_accounts(dynamo_table))
headers = [
"RoleId",
"Role Name",
"Account",
"Active",
"Date",
"Source",
"Permissions Count",
"Repoable Permissions Count",
"Disqualified By",
]
rows = []
for roleID in roleIDs:
role_data = get_role_data(
dynamo_table,
roleID,
fields=["RoleId", "RoleName", "Account", "Active", "Stats"],
)
for stats_entry in role_data.get("Stats", []):
rows.append([
role_data["RoleId"],
role_data["RoleName"],
role_data["Account"],
role_data["Active"],
stats_entry["Date"],
stats_entry["Source"],
stats_entry["PermissionsCount"],
stats_entry.get("RepoablePermissionsCount"),
stats_entry.get("DisqualifiedBy", []),
])
try:
with open(output_file, "w") as csvfile:
csv_writer = csv.writer(csvfile)
csv_writer.writerow(headers)
for row in rows:
csv_writer.writerow(row)
except IOError as e:
LOGGER.error("Unable to write file {}: {}".format(output_file, e),
exc_info=True)
else:
LOGGER.info("Successfully wrote stats to {}".format(output_file))
def find_roles_with_permission(permission, dynamo_table):
"""
Search roles in all accounts for a policy with a given permission, log the ARN of each role with this permission
Args:
permission (string): The name of the permission to find
Returns:
None
"""
for roleID in role_ids_for_all_accounts(dynamo_table):
role = Role(get_role_data(dynamo_table, roleID, fields=['Policies', 'RoleName', 'Arn', 'Active']))
permissions = roledata._get_role_permissions(role)
if permission.lower() in permissions and role.active:
LOGGER.info('ARN {arn} has {permission}'.format(arn=role.arn, permission=permission))
