def test_with_invalid_role_managed_policy():
    """A role attached to the AWS-managed AdministratorAccess policy must fail the rule.

    The template declares no inline policies, so the only path on which the
    rule can fail is the managed-policy ARN check. The test pins both the
    exact failure reason and the name of the reporting rule, so a change in
    either wording or attribution will surface here.
    """
    admin_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "ManagedPolicyArns": [admin_policy_arn],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    parsed_resources = pycfmodel.parse(template).resources
    rule.invoke(parsed_resources, [])

    # One forbidden managed policy is enough to invalidate the whole result.
    assert not result.valid
    first_failure = result.failed_rules[0]
    assert (
        first_failure["reason"]
        == "Role RootRole has forbidden Managed Policy arn:aws:iam::aws:policy/AdministratorAccess"
    )
    assert first_failure["rule"] == "IAMRolesOverprivilegedRule"
def test_with_invalid_role_inline_policy_fn_if():
    """An insecure action placed in the second branch of ``Fn::If`` is still reported.

    The template has no ``Conditions`` section, so ``IsSandbox`` cannot be
    resolved at lint time. The expected failure names the second (prod)
    policy, which shows the rule does not stop at the first branch of the
    intrinsic — a common blind spot when linting conditional templates.

    ``check_managed_policies`` is swapped for a Mock so the test isolates the
    inline-policy path; ``assert_called`` still verifies that ``invoke``
    dispatches to the managed-policy check.
    """
    sandbox_policy = {
        "PolicyName": "SandboxSecretsAccessAssumerole",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "sts:AssumeRole",
                    # Scoped to a single role ARN; nothing here should trip the rule.
                    "Resource": "arn:aws:iam::325714046698:role/sandbox-secrets-access",
                }
            ],
        },
    }
    prod_policy = {
        "PolicyName": "ProdCredentialStoreAccessPolicy",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    # Destructive action on every VPC — this is what must be flagged.
                    "Action": ["ec2:DeleteVpc"],
                    "Resource": ["*"],
                }
            ],
        },
    }
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "Policies": [{"Fn::If": ["IsSandbox", sandbox_policy, prod_policy]}],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    rule.invoke(pycfmodel.parse(template).resources, [])
    rule.check_managed_policies.assert_called()

    assert not result.valid
    first_failure = result.failed_rules[0]
    expected_reason = (
        'Role "RootRole" contains an insecure permission "ec2:DeleteVpc" '
        'in policy "ProdCredentialStoreAccessPolicy"'
    )
    assert first_failure["reason"] == expected_reason
    assert first_failure["rule"] == "IAMRolesOverprivilegedRule"
def test_with_valid_role_inline_policy(valid_role_inline_policy):
    """A role whose inline policy carries only permitted actions yields no findings.

    ``valid_role_inline_policy`` is a pytest fixture defined outside this
    listing, so its exact contents are not visible here. Both the hard
    failures and the monitored (non-blocking) failures are expected to be
    empty — a monitored finding would still mean the rule saw something.
    """
    result = Result()
    IAMRolesOverprivilegedRule(None, result).invoke(valid_role_inline_policy)

    assert result.valid
    hard_failures = result.failed_rules
    monitored_failures = result.failed_monitored_rules
    assert len(hard_failures) == 0
    assert len(monitored_failures) == 0
def test_with_invalid_role_inline_policy_fn_if():
    """``Fn::If`` must not hide an insecure inline policy in its else branch.

    No ``Conditions`` block exists for ``IsSandbox``, so the linter cannot
    pick a branch; the expected failure comes from the second policy, which
    confirms the rule inspects beyond the first branch. The managed-policy
    check is mocked out to keep the test focused on inline policies, and
    ``assert_called`` confirms ``invoke`` still reaches it.
    """

    def inline_policy(name, statement):
        # Small builder so the two branches differ only in what matters.
        return {
            "PolicyName": name,
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        }

    sandbox_branch = inline_policy(
        "SandboxSecretsAccessAssumerole",
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::325714046698:role/sandbox-secrets-access",
        },
    )
    prod_branch = inline_policy(
        "ProdCredentialStoreAccessPolicy",
        {"Action": ["ec2:DeleteVpc"], "Effect": "Allow", "Resource": ["*"]},
    )
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "Policies": [{"Fn::If": ["IsSandbox", sandbox_branch, prod_branch]}],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    rule.invoke(pycfmodel.parse(template).resources)
    rule.check_managed_policies.assert_called()

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == (
        'Role "RootRole" contains an insecure permission "ec2:DeleteVpc" '
        'in policy "ProdCredentialStoreAccessPolicy"'
    )
    assert failure["rule"] == "IAMRolesOverprivilegedRule"
def test_with_invalid_role_inline_policy(invalid_role_inline_policy):
    """An inline policy granting ``ec2:DeleteInternetGateway`` produces exactly one hard failure.

    ``invalid_role_inline_policy`` is a fixture defined elsewhere; from the
    expected reason it contains a role ``RootRole`` with an inline policy
    named ``not_so_chill_policy``. Exactly one failure and no monitored
    findings are expected, so a duplicated or downgraded report would fail.
    """
    result = Result()
    IAMRolesOverprivilegedRule(None, result).invoke(invalid_role_inline_policy)

    assert not result.valid
    assert len(result.failed_monitored_rules) == 0
    assert len(result.failed_rules) == 1

    only_failure = result.failed_rules[0]
    assert only_failure.rule == "IAMRolesOverprivilegedRule"
    assert only_failure.reason == (
        "Role 'RootRole' contains an insecure permission 'ec2:DeleteInternetGateway' "
        "in policy 'not_so_chill_policy'"
    )
def test_with_invalid_role_managed_policy(invalid_role_managed_policy):
    """A role attached to ``AdministratorAccess`` yields exactly one hard failure.

    ``invalid_role_managed_policy`` is a fixture defined outside this listing.
    The assertions pin the failure count, the absence of monitored findings,
    the reporting rule name and the exact reason text.
    """
    result = Result()
    IAMRolesOverprivilegedRule(None, result).invoke(invalid_role_managed_policy)

    assert not result.valid
    assert len(result.failed_monitored_rules) == 0
    assert len(result.failed_rules) == 1

    only_failure = result.failed_rules[0]
    assert only_failure.rule == "IAMRolesOverprivilegedRule"
    assert only_failure.reason == (
        "Role RootRole has forbidden Managed Policy "
        "arn:aws:iam::aws:policy/AdministratorAccess"
    )
def test_with_invalid_role_inline_policy_fn_if(invalid_role_inline_policy_fn_if):
    """An insecure permission inside an ``Fn::If`` branch is reported exactly once.

    ``invalid_role_inline_policy_fn_if`` is a fixture defined elsewhere; the
    expected reason shows it places ``ec2:DeleteVpc`` in a policy named
    ``ProdCredentialStoreAccessPolicy`` under ``RootRole``. The rule is
    expected to surface that branch as a single hard failure.
    """
    result = Result()
    IAMRolesOverprivilegedRule(None, result).invoke(invalid_role_inline_policy_fn_if)

    assert not result.valid
    assert len(result.failed_monitored_rules) == 0
    assert len(result.failed_rules) == 1

    only_failure = result.failed_rules[0]
    assert only_failure.rule == "IAMRolesOverprivilegedRule"
    assert only_failure.reason == (
        "Role 'RootRole' contains an insecure permission 'ec2:DeleteVpc' "
        "in policy 'ProdCredentialStoreAccessPolicy'"
    )
def test_with_invalid_role_inline_policy():
    """An inline policy allowing ``ec2:DeleteInternetGateway`` on ``*`` fails the rule.

    The managed-policy check is replaced by a Mock so only the inline-policy
    path is under test; ``assert_called`` still confirms ``invoke`` dispatches
    to it. The reason string and rule name are pinned exactly.
    """
    risky_statement = {
        "Effect": "Allow",
        "Action": ["ec2:DeleteInternetGateway"],
        "Resource": "*",
    }
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "Policies": [
                        {
                            "PolicyName": "not_so_chill_policy",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [risky_statement],
                            },
                        }
                    ],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    rule.invoke(pycfmodel.parse(template).resources, [])
    rule.check_managed_policies.assert_called()

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == (
        'Role "RootRole" contains an insecure permission "ec2:DeleteInternetGateway" '
        'in policy "not_so_chill_policy"'
    )
    assert failure["rule"] == "IAMRolesOverprivilegedRule"
def test_with_valid_role_inline_policy():
    """A read-only inline policy (``ec2:DescribeInstances``) passes the rule.

    Only the inline-policy path is exercised: ``check_managed_policies`` is a
    Mock, and ``assert_called`` confirms ``invoke`` still reaches it. Note
    that ``Resource: "*"`` on a describe action is accepted here — the rule
    is keyed on the action, not on the resource scope, as far as this test
    shows.
    """
    read_only_statement = {
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances"],
        "Resource": "*",
    }
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "Policies": [
                        {
                            "PolicyName": "chill_policy",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [read_only_statement],
                            },
                        }
                    ],
                },
            }
        },
    }
    parsed_resources = pycfmodel.parse(template).resources

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_managed_policies = Mock()
    rule.invoke(parsed_resources)
    rule.check_managed_policies.assert_called()

    assert result.valid
    assert len(result.failed_rules) == 0
def test_with_valid_role_managed_policy():
    """A managed-policy ARN that is not on the forbidden list passes the rule.

    ``YadaYadaYada`` is not a real AWS-managed policy; the test only shows
    that an ARN the rule does not recognise as forbidden produces no
    failure — it does not show whether the ARN is validated for existence.
    The inline-policy check is mocked out so the managed-policy path is
    tested in isolation, with ``assert_called`` confirming dispatch.
    """
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Path": "/",
                    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/YadaYadaYada"],
                },
            }
        },
    }

    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.check_inline_policies = Mock()
    rule.invoke(pycfmodel.parse(template).resources, [])
    rule.check_inline_policies.assert_called()

    assert result.valid
    assert len(result.failed_rules) == 0