def test_with_valid_role_inline_policy(valid_role_inline_policy):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(valid_role_inline_policy)

    assert result.valid
    assert len(result.failed_rules) == 0
    assert len(result.failed_monitored_rules) == 0
示例#2
0
def test_rule_supports_filter_config(invalid_role_managed_policy,
                                     default_allow_all_config):
    rule = IAMRolesOverprivilegedRule(default_allow_all_config)
    result = rule.invoke(invalid_role_managed_policy)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
def test_with_valid_role_managed_policy(valid_role_managed_policy):
    result = Result()
    rule = IAMRolesOverprivilegedRule(None, result)
    rule.invoke(valid_role_managed_policy)

    assert result.valid
    assert len(result.failed_rules) == 0
    assert len(result.failed_monitored_rules) == 0
def test_with_invalid_role_inline_policy(invalid_role_inline_policy):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(invalid_role_inline_policy)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    assert result.failed_rules[0].rule == "IAMRolesOverprivilegedRule"
    assert (
        result.failed_rules[0].reason ==
        "Role 'RootRole' contains an insecure permission 'ec2:DeleteInternetGateway' in policy 'not_so_chill_policy'"
    )
def test_with_invalid_role_managed_policy(invalid_role_managed_policy):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(invalid_role_managed_policy)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    assert result.failed_rules[0].rule == "IAMRolesOverprivilegedRule"
    assert (
        result.failed_rules[0].reason ==
        "Role RootRole has forbidden Managed Policy arn:aws:iam::aws:policy/AdministratorAccess"
    )
def test_with_invalid_role_inline_policy_fn_if(
        invalid_role_inline_policy_fn_if):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(invalid_role_inline_policy_fn_if)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    assert result.failed_rules[0].rule == "IAMRolesOverprivilegedRule"
    assert (
        result.failed_rules[0].reason ==
        "Role 'RootRole' contains an insecure permission 'ec2:DeleteVpc' in policy 'ProdCredentialStoreAccessPolicy'"
    )
示例#7
0
def test_with_invalid_role_inline_policy(invalid_role_inline_policy):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(invalid_role_inline_policy)

    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "Role 'RootRole' contains an insecure permission 'ec2:DeleteInternetGateway' in policy 'not_so_chill_policy'",
                risk_value=RuleRisk.MEDIUM,
                rule="IAMRolesOverprivilegedRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRole"},
            )
        ],
    )
示例#8
0
def test_with_invalid_role_managed_policy(invalid_role_managed_policy):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(invalid_role_managed_policy)

    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "Role RootRole has forbidden Managed Policy arn:aws:iam::aws:policy/AdministratorAccess",
                risk_value=RuleRisk.MEDIUM,
                rule="IAMRolesOverprivilegedRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRole"},
            )
        ],
    )
示例#9
0
def test_with_invalid_role_inline_policy_fn_if(invalid_role_inline_policy_fn_if):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(invalid_role_inline_policy_fn_if)

    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason="Role 'RootRole' contains an insecure permission 'ec2:DeleteVpc' in policy 'ProdCredentialStoreAccessPolicy'",
                risk_value=RuleRisk.MEDIUM,
                rule="IAMRolesOverprivilegedRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRole"},
                resource_types={"AWS::IAM::Role"},
            )
        ],
    )
示例#10
0
def test_with_valid_role_inline_policy(valid_role_inline_policy):
    rule = IAMRolesOverprivilegedRule(None)
    result = rule.invoke(valid_role_inline_policy)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])