def scan_account_authorization_details( account_authorization_details_cfg, exclusions, account_name="default", output_directory=os.getcwd(), write_data_files=False, minimize=False, ): # pragma: no cover """ Given the path to account authorization details files and the exclusions config file, scan all inline and managed policies in the account to identify actions that do not leverage resource constraints. """ logger.debug("Identifying modify-only actions that are not leveraging " "resource constraints...") check_authorization_details_schema(account_authorization_details_cfg) authorization_details = AuthorizationDetails( account_authorization_details_cfg, exclusions) results = authorization_details.results # Lazy method to get an account ID account_id = None for role in results.get("roles"): if "arn:aws:iam::aws:" not in results["roles"][role]["arn"]: account_id = get_account_from_arn(results["roles"][role]["arn"]) break html_report = HTMLReport( account_id=account_id, account_name=account_name, results=results, minimize=minimize, ) rendered_report = html_report.get_html_report() # Raw data file if write_data_files: if output_directory is None: output_directory = os.getcwd() results_data_file = os.path.join(output_directory, f"iam-results-{account_name}.json") results_data_filepath = write_results_data_file( authorization_details.results, results_data_file) print(f"Results data saved: {str(results_data_filepath)}") findings_data_file = os.path.join(output_directory, f"iam-findings-{account_name}.json") findings_data_filepath = write_results_data_file( results, findings_data_file) print(f"Findings data file saved: {str(findings_data_filepath)}") return rendered_report
def generate_example_iam_data(): check_authorization_details_schema(account_authorization_details_cfg) authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.results print(f"Top-level keys of results dictionary: {results.keys()}") # Write the results if os.path.exists(results_file): os.remove(results_file) with open(results_file, "w") as file: json.dump(results, file, indent=4) print(f"Wrote new example IAM data file to: {results_file}") # print(json.dumps(results, indent=4)) return results
def scan_account(target_account_id: str, target_role_name: str, exclusions: Exclusions, profile: str = None): """Scan a target account in one shot""" authorization_details = download_account_authorization_details( target_account_id=target_account_id, target_role_name=target_role_name, profile=profile) check_authorization_details_schema(authorization_details) authorization_details = AuthorizationDetails(authorization_details, exclusions) results = authorization_details.results return results
def test_check_authorization_details_schema(self): """test_scanning.validate.check_authorization_details_schema""" example_authz_details_file = os.path.abspath( os.path.join( os.path.dirname(__file__), os.path.pardir, "files", "example-authz-details.json", )) with open(example_authz_details_file, "r") as json_file: cfg = json.load(json_file) decision = check_authorization_details_schema(cfg) self.assertTrue(decision)
def get_authorization_files_in_directory( directory: str, ) -> List[str]: # pragma: no cover """Get a list of download-account-authorization-files in a directory""" file_list_with_full_path = [ file.absolute() for file in Path(directory).glob("*.json") ] new_file_list = [] for file in file_list_with_full_path: contents = file.read_text() account_authorization_details_cfg = json.loads(contents, default=str) valid_schema = check_authorization_details_schema( account_authorization_details_cfg) if valid_schema: new_file_list.append(str(file)) return new_file_list
def test_scan_authz_details_and_output_html_as_string(self): example_authz_details_file = os.path.abspath( os.path.join( os.path.dirname(__file__), os.path.pardir, "files", "example-authz-details.json", )) with open(example_authz_details_file, "r") as json_file: cfg = json.load(json_file) decision = check_authorization_details_schema(cfg) self.assertTrue(decision) rendered_html_report = scan_account_authorization_details( cfg, DEFAULT_EXCLUSIONS, account_name="Something", output_directory=os.getcwd(), write_data_files=False)
def get_authorization_files_in_directory(directory): # pragma: no cover """Get a list of download-account-authorization-files in a directory""" file_list = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory, f)) ] file_list_with_full_path = [] for file in file_list: if file.endswith(".json"): file_list_with_full_path.append( os.path.abspath(os.path.join(directory, file))) new_file_list = [] for file in file_list_with_full_path: with open(file) as f: contents = f.read() account_authorization_details_cfg = json.loads(contents) valid_schema = check_authorization_details_schema( account_authorization_details_cfg) if valid_schema: new_file_list.append(file) return new_file_list
def scan_account_authorization_details( account_authorization_details_cfg, exclusions, account_name="default", output_directory=os.getcwd(), write_data_files=False): # pragma: no cover """ Given the path to account authorization details files and the exclusions config file, scan all inline and managed policies in the account to identify actions that do not leverage resource constraints. """ logger.debug("Identifying modify-only actions that are not leveraging " "resource constraints...") check_authorization_details_schema(account_authorization_details_cfg) authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.missing_resource_constraints( exclusions, modify_only=True) principal_policy_mapping = authorization_details.principal_policy_mapping # For the IAM Principals tab, add on risk stats per principal for principal_policy_entry in principal_policy_mapping: for finding in results: if principal_policy_entry.get("PolicyName").lower() == finding.get( "PolicyName").lower(): principal_policy_entry["Actions"] = len(finding["Actions"]) principal_policy_entry["PrivilegeEscalation"] = len( finding["PrivilegeEscalation"]) principal_policy_entry["DataExfiltrationActions"] = len( finding["DataExfiltrationActions"]) principal_policy_entry["PermissionsManagementActions"] = len( finding["PermissionsManagementActions"]) principal_name = principal_policy_entry["Principal"] # Customer Managed Policies if finding.get("Type") == "Policy" and finding.get( "ManagedBy" ) == "Customer" and principal_policy_entry.get( "Type") != "Policy": if "Principals" not in finding: finding["Principals"] = [principal_name] else: if principal_name not in finding["Principals"]: finding["Principals"].append(principal_name) # AWS Managed Policies if finding.get("Type") == "Policy" and finding.get( "ManagedBy") == "AWS": if "Principals" not in finding: finding["Principals"] = [principal_name] else: if principal_name not in finding["Principals"]: finding["Principals"].append(principal_name) # Lazy method to get an account ID account_id = None for item in results: if item["ManagedBy"] == "Customer": account_id = item["AccountID"] break html_report = HTMLReport(account_id=account_id, account_name=account_name, results=results, exclusions_cfg=exclusions, principal_policy_mapping=principal_policy_mapping) rendered_report = html_report.get_html_report() # Raw data file if write_data_files: if output_directory is None: output_directory = os.getcwd() # new_data = authorization_details.new_principal_policy_mapping # new_raw_data_file = os.path.join(output_directory, f"iam-new-principal-policy-mapping-{account_name}.json") # new_raw_data_filepath = write_results_data_file(new_data, new_raw_data_file) # print(f"Raw data file saved: {str(new_raw_data_filepath)}") raw_data_file = os.path.join(output_directory, f"iam-results-{account_name}.json") raw_data_filepath = write_results_data_file(results, raw_data_file) print(f"Raw data file saved: {str(raw_data_filepath)}") # Principal policy mapping principal_policy_mapping_file = os.path.join( output_directory, f"iam-principals-{account_name}.json") principal_policy_mapping_filepath = write_results_data_file( principal_policy_mapping, principal_policy_mapping_file) print( f"Principals data file saved: {str(principal_policy_mapping_filepath)}" ) # Create the CSV triage sheet create_triage_worksheet(account_name, results, output_directory) return rendered_report
def scan_account_authorization_file(input_file, exclusions_cfg, output, all_access_levels, skip_open_report): """ Given the path to account authorization details files and the exclusions config file, scan all inline and managed policies in the account to identify actions that do not leverage resource constraints. """ with open(input_file) as f: contents = f.read() account_authorization_details_cfg = json.loads(contents) check_authorization_details_schema(account_authorization_details_cfg) # Scan authorization details. Defaults to modify-only permissions if all_access_levels: logger.debug( "--all-access-levels selected. Identifying all actions that are not leveraging resource " "constraints...") authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.missing_resource_constraints( exclusions_cfg, modify_only=False) else: logger.debug( "--all-access-levels NOT selected. Identifying modify-only actions that are not leveraging " "resource constraints...") authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.missing_resource_constraints( exclusions_cfg, modify_only=True) principal_policy_mapping = authorization_details.principal_policy_mapping account_name = Path(input_file).stem # Lazy method to get an account ID account_id = None for item in results: if item["ManagedBy"] == "Customer": account_id = item["AccountID"] break # HTML report output_directory = output # Account metadata account_metadata = { "account_name": account_name, "account_id": account_id, "customer_managed_policies": len(authorization_details.customer_managed_policies_in_use), "aws_managed_policies": len(authorization_details.aws_managed_policies_in_use), } # Raw data file raw_data_file = os.path.join(output, f"iam-results-{account_name}.json") raw_data_filepath = write_results_data_file(results, raw_data_file) print(f"Raw data file saved: {str(raw_data_filepath)}") # Principal policy mapping principal_policy_mapping_file = os.path.join( output, f"iam-principals-{account_name}.json") principal_policy_mapping_filepath = write_results_data_file( principal_policy_mapping, principal_policy_mapping_file) print( f"Principals data file saved: {str(principal_policy_mapping_filepath)}" ) print("Creating the HTML Report") generate_html_report( account_metadata, results, principal_policy_mapping, output_directory, exclusions_cfg, skip_open_report=skip_open_report, )
def test_output_html_output_as_string(self): example_authz_details_file = os.path.abspath( os.path.join( os.path.dirname(__file__), os.path.pardir, "files", "example-authz-details.json", )) with open(example_authz_details_file, "r") as json_file: cfg = json.load(json_file) decision = check_authorization_details_schema(cfg) self.assertTrue(decision) # TODO: These values are just for testing account_authorization_details_cfg = cfg exclusions = DEFAULT_EXCLUSIONS authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.missing_resource_constraints( exclusions, modify_only=True) principal_policy_mapping = authorization_details.principal_policy_mapping # For the IAM Principals tab, add on risk stats per principal for principal_policy_entry in principal_policy_mapping: for finding in results: if principal_policy_entry.get("PolicyName").lower( ) == finding.get("PolicyName").lower(): principal_policy_entry["Actions"] = len(finding["Actions"]) principal_policy_entry["PrivilegeEscalation"] = len( finding["PrivilegeEscalation"]) principal_policy_entry["DataExfiltrationActions"] = len( finding["DataExfiltrationActions"]) principal_policy_entry[ "PermissionsManagementActions"] = len( finding["PermissionsManagementActions"]) principal_name = principal_policy_entry["Principal"] # Customer Managed Policies if finding.get("Type") == "Policy" and finding.get( "ManagedBy" ) == "Customer" and principal_policy_entry.get( "Type") != "Policy": if "Principals" not in finding: finding["Principals"] = [principal_name] else: if principal_name not in finding["Principals"]: finding["Principals"].append(principal_name) # AWS Managed Policies if finding.get("Type") == "Policy" and finding.get( "ManagedBy") == "AWS": if "Principals" not in finding: finding["Principals"] = [principal_name] else: if principal_name not in finding["Principals"]: finding["Principals"].append(principal_name) # Lazy method to get an account ID account_id = None for item in results: if item["ManagedBy"] == "Customer": account_id = item["AccountID"] break html_report = HTMLReport( account_id=account_id, account_name="CHANGEME", results=results, exclusions_cfg=exclusions, principal_policy_mapping=principal_policy_mapping) rendered_report = html_report.get_html_report()
def scan_account_authorization_file(input_file, exclusions, output, all_access_levels, skip_open_report): # pragma: no cover """ Given the path to account authorization details files and the exclusions config file, scan all inline and managed policies in the account to identify actions that do not leverage resource constraints. """ with open(input_file) as f: contents = f.read() account_authorization_details_cfg = json.loads(contents) check_authorization_details_schema(account_authorization_details_cfg) # Scan authorization details. Defaults to modify-only permissions if all_access_levels: logger.debug( "--all-access-levels selected. Identifying all actions that are not leveraging resource " "constraints...") authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.missing_resource_constraints( exclusions, modify_only=False) else: logger.debug( "--all-access-levels NOT selected. Identifying modify-only actions that are not leveraging " "resource constraints...") authorization_details = AuthorizationDetails( account_authorization_details_cfg) results = authorization_details.missing_resource_constraints( exclusions, modify_only=True) principal_policy_mapping = authorization_details.principal_policy_mapping # For the IAM Principals tab, add on risk stats per principal for principal_policy_entry in principal_policy_mapping: for finding in results: if principal_policy_entry.get("PolicyName").lower() == finding.get( "PolicyName").lower(): principal_policy_entry["Actions"] = len(finding["Actions"]) principal_policy_entry["PrivilegeEscalation"] = len( finding["PrivilegeEscalation"]) principal_policy_entry["DataExfiltrationActions"] = len( finding["DataExfiltrationActions"]) principal_policy_entry["PermissionsManagementActions"] = len( finding["PermissionsManagementActions"]) principal_name = principal_policy_entry["Principal"] # Customer Managed Policies if finding.get("Type") == "Policy" and finding.get( "ManagedBy" ) == "Customer" and principal_policy_entry.get( "Type") != "Policy": if "Principals" not in finding: finding["Principals"] = [principal_name] else: if principal_name not in finding["Principals"]: finding["Principals"].append(principal_name) # AWS Managed Policies if finding.get("Type") == "Policy" and finding.get( "ManagedBy") == "AWS": if "Principals" not in finding: finding["Principals"] = [principal_name] else: if principal_name not in finding["Principals"]: finding["Principals"].append(principal_name) account_name = Path(input_file).stem # Lazy method to get an account ID account_id = None for item in results: if item["ManagedBy"] == "Customer": account_id = item["AccountID"] break # HTML report output_directory = output # Account metadata account_metadata = { "account_name": account_name, "account_id": account_id, "customer_managed_policies": len(authorization_details.customer_managed_policies_in_use), "aws_managed_policies": len(authorization_details.aws_managed_policies_in_use), } # Raw data file raw_data_file = os.path.join(output, f"iam-results-{account_name}.json") raw_data_filepath = write_results_data_file(results, raw_data_file) print(f"Raw data file saved: {str(raw_data_filepath)}") # Principal policy mapping principal_policy_mapping_file = os.path.join( output, f"iam-principals-{account_name}.json") principal_policy_mapping_filepath = write_results_data_file( principal_policy_mapping, principal_policy_mapping_file) print( f"Principals data file saved: {str(principal_policy_mapping_filepath)}" ) print("Creating the HTML Report") generate_html_report( account_metadata, results, principal_policy_mapping, output_directory, exclusions.config, skip_open_report=skip_open_report, )