def test_with_valid_role_inline_policy(valid_role_inline_policy):
    """A role whose inline policy grants only permitted actions must pass the rule.

    The rule is built with no config (``None``); the fixture supplies the template.
    A clean template yields a valid result with neither blocking nor monitored failures.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(valid_role_inline_policy)

    assert outcome.valid
    # Both failure buckets must be empty: nothing blocking, nothing merely monitored.
    assert not outcome.failed_rules
    assert not outcome.failed_monitored_rules
def test_rule_supports_filter_config(invalid_role_managed_policy, default_allow_all_config):
    """An otherwise-failing template passes when the config's filter allows it.

    ``default_allow_all_config`` is expected to whitelist the offending managed policy,
    so the same template that fails with ``None`` config must produce no failures here.
    """
    configured_rule = IAMRolesOverprivilegedRule(default_allow_all_config)
    outcome = configured_rule.invoke(invalid_role_managed_policy)

    assert outcome.valid
    expected_failures = []
    assert compare_lists_of_failures(outcome.failures, expected_failures)
def test_with_valid_role_managed_policy(valid_role_managed_policy):
    """A role attached to an allowed managed policy must pass the rule.

    This variant uses the two-argument constructor and hands the rule an externally
    owned ``Result`` to populate, then inspects that object rather than a return value.
    """
    shared_result = Result()
    rule = IAMRolesOverprivilegedRule(None, shared_result)
    rule.invoke(valid_role_managed_policy)

    assert shared_result.valid
    assert len(shared_result.failed_rules) == 0
    assert len(shared_result.failed_monitored_rules) == 0
def test_with_invalid_role_inline_policy(invalid_role_inline_policy):
    """An inline policy granting a destructive network action must be flagged.

    Exactly one blocking failure is expected, attributed to this rule, naming the role,
    the offending action (``ec2:DeleteInternetGateway``) and the policy it came from.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(invalid_role_inline_policy)

    assert not outcome.valid
    assert len(outcome.failed_monitored_rules) == 0
    assert len(outcome.failed_rules) == 1

    failure = outcome.failed_rules[0]
    expected_reason = (
        "Role 'RootRole' contains an insecure permission "
        "'ec2:DeleteInternetGateway' in policy 'not_so_chill_policy'"
    )
    assert failure.rule == "IAMRolesOverprivilegedRule"
    assert failure.reason == expected_reason
def test_with_invalid_role_managed_policy(invalid_role_managed_policy):
    """A role attached to the AWS ``AdministratorAccess`` managed policy must be flagged.

    Exactly one blocking failure is expected, attributed to this rule and naming the
    forbidden managed-policy ARN.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(invalid_role_managed_policy)

    assert not outcome.valid
    assert len(outcome.failed_monitored_rules) == 0
    assert len(outcome.failed_rules) == 1

    failure = outcome.failed_rules[0]
    expected_reason = (
        "Role RootRole has forbidden Managed Policy "
        "arn:aws:iam::aws:policy/AdministratorAccess"
    )
    assert failure.rule == "IAMRolesOverprivilegedRule"
    assert failure.reason == expected_reason
def test_with_invalid_role_inline_policy_fn_if(invalid_role_inline_policy_fn_if):
    """A destructive action hidden behind a ``Fn::If`` intrinsic must still be flagged.

    The fixture wraps the policy statement in a CloudFormation conditional; the rule is
    expected to resolve it and report ``ec2:DeleteVpc`` as a single blocking failure.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(invalid_role_inline_policy_fn_if)

    assert not outcome.valid
    assert len(outcome.failed_monitored_rules) == 0
    assert len(outcome.failed_rules) == 1

    failure = outcome.failed_rules[0]
    expected_reason = (
        "Role 'RootRole' contains an insecure permission "
        "'ec2:DeleteVpc' in policy 'ProdCredentialStoreAccessPolicy'"
    )
    assert failure.rule == "IAMRolesOverprivilegedRule"
    assert failure.reason == expected_reason
def test_with_invalid_role_inline_policy(invalid_role_inline_policy):
    """An inline policy granting ``ec2:DeleteInternetGateway`` must yield one blocking failure.

    The full ``Failure`` record is compared: resource granularity, medium risk, blocking
    mode, no action list, and the offending role as the only resource id.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(invalid_role_inline_policy)
    assert not outcome.valid

    expected_reason = (
        "Role 'RootRole' contains an insecure permission "
        "'ec2:DeleteInternetGateway' in policy 'not_so_chill_policy'"
    )
    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=expected_reason,
            risk_value=RuleRisk.MEDIUM,
            rule="IAMRolesOverprivilegedRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"RootRole"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected_failures)
def test_with_invalid_role_managed_policy(invalid_role_managed_policy):
    """Attaching ``AdministratorAccess`` to a role must yield one blocking failure.

    The full ``Failure`` record is compared: resource granularity, medium risk, blocking
    mode, no action list, and the offending role as the only resource id.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(invalid_role_managed_policy)
    assert not outcome.valid

    expected_reason = (
        "Role RootRole has forbidden Managed Policy "
        "arn:aws:iam::aws:policy/AdministratorAccess"
    )
    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=expected_reason,
            risk_value=RuleRisk.MEDIUM,
            rule="IAMRolesOverprivilegedRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"RootRole"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected_failures)
def test_with_invalid_role_inline_policy_fn_if(invalid_role_inline_policy_fn_if):
    """``ec2:DeleteVpc`` behind a ``Fn::If`` intrinsic must still yield one blocking failure.

    Unlike the plain inline-policy case, this expected ``Failure`` also pins
    ``resource_types`` to the IAM role type.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(invalid_role_inline_policy_fn_if)
    assert not outcome.valid

    expected_reason = (
        "Role 'RootRole' contains an insecure permission "
        "'ec2:DeleteVpc' in policy 'ProdCredentialStoreAccessPolicy'"
    )
    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=expected_reason,
            risk_value=RuleRisk.MEDIUM,
            rule="IAMRolesOverprivilegedRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"RootRole"},
            resource_types={"AWS::IAM::Role"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected_failures)
def test_with_valid_role_inline_policy(valid_role_inline_policy):
    """A role whose inline policy grants only permitted actions produces no failures.

    Checked through ``compare_lists_of_failures`` against an empty expectation rather
    than by counting the failure buckets directly.
    """
    rule = IAMRolesOverprivilegedRule(None)
    outcome = rule.invoke(valid_role_inline_policy)

    assert outcome.valid
    expected_failures = []
    assert compare_lists_of_failures(outcome.failures, expected_failures)