def test_analyze_by_access_level(self):
    """test_analyze_by_access_level: Test out calling this as a library.

    Builds a two-statement policy and checks that only the actions at the
    "permissions-management" access level come back, sorted, regardless of
    how tightly the statement's Resource is scoped (the access-key actions
    limited to the caller's own user are still reported).
    """
    # Mixed-case spellings are included on purpose; presumably they exercise
    # case-insensitive action matching in the library — confirm if changed.
    ecr_statement = {
        "Effect": "Allow",
        "Action": [
            # This one is Permissions management
            "ecr:SetRepositoryPolicy",
            "secretsmanager:DeleteResourcePolicy",
            # These ones are not permissions management
            "ecr:getrepositorypolicy",
            "ecr:describerepositories",
            "ecr:listimages",
            "ecr:DescribeImages",
        ],
        "Resource": "*",
    }
    own_keys_statement = {
        "Sid": "AllowManageOwnAccessKeys",
        "Effect": "Allow",
        "Action": [
            # These ones are permissions management
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:UpdateAccessKey",
            # This one is not
            "iam:ListAccessKeys",
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}",
    }
    policy_under_test = {
        "Version": "2012-10-17",
        "Statement": [ecr_statement, own_keys_statement],
    }

    found_actions = analyze_by_access_level(
        db_session, policy_under_test, "permissions-management")

    # Expected result is the sorted union of the permissions-management
    # actions from both statements.
    expected_actions = [
        "ecr:SetRepositoryPolicy",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:UpdateAccessKey",
        "secretsmanager:DeleteResourcePolicy",
    ]
    # Show the full list diff on failure rather than a truncated one.
    self.maxDiff = None
    self.assertListEqual(found_actions, expected_actions)
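def has_write_access(policy):
    """Return the permissions-management actions granted by *policy*.

    Args:
        policy: An IAM policy document as a dictionary.

    Returns:
        The list of IAM actions that ``analyze_by_access_level`` classifies
        at the ``"permissions-management"`` access level, or an empty list
        when there are none. The empty list is falsy, so
        ``if has_write_access(p):`` works as a boolean check; the function
        never returns ``False`` itself, so do not compare against it.
    """
    # NOTE(review): despite the name, this queries the "permissions-management"
    # access level, not "Write" — confirm the intended level with callers.
    # NOTE(review): db_session is a free (module-level) name here and is passed
    # second; the other call sites in this corpus pass it first — confirm the
    # argument order against the analyze_by_access_level signature in use.
    permissions_management_actions = analyze_by_access_level(
        policy, db_session, "permissions-management")
    if len(permissions_management_actions) > 0:
        return permissions_management_actions
    # Normalise "nothing found" to a fresh empty list for callers.
    return []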
def test_gh_162(self):
    """test_gh_162: Addressing the concern in the Github issue
    https://github.com/salesforce/policy_sentry/issues/162

    A policy that only uses wildcard actions ("s3:GetObject*",
    "s3:PutObject*") must still be reported per access level as the
    expanded actions it covers — including "s3:PutObjectAcl", which the
    library classifies as permissions management even though the policy
    author may only have intended plain writes.
    """
    # NOTE(review): the access-level labels here use the human-readable
    # spelling ("Permissions management"); other snippets in this corpus
    # pass "permissions-management" — presumably different library versions.
    wildcard_policy = {
        "Statement": [{
            "Action": ["s3:GetObject*", "s3:PutObject*"],
            "Effect": "Allow",
            "Resource": ["*"]
        }],
        "Version": "2012-10-17"
    }

    def analyze_and_dump(banner, access_level):
        """Print the banner, run the analysis for one level, dump and return it."""
        print(banner)
        found = analyze_by_access_level(wildcard_policy, access_level)
        print(json.dumps(found, indent=4))
        return found

    # Rather than maintaining a large list as AWS keeps adding new actions,
    # just verify that an expanded action exists in the list
    read_actions = analyze_and_dump('********* READ ***********', "Read")
    self.assertTrue("s3:GetObjectAcl" in read_actions)

    # No List-level action matches either wildcard, so the result is empty.
    list_actions = analyze_and_dump('********* LIST ***********', "List")
    self.assertListEqual(list_actions, [])

    write_actions = analyze_and_dump('********* WRITE ***********', "Write")
    self.assertTrue("s3:PutObjectLegalHold" in write_actions)

    tagging_actions = analyze_and_dump('********* TAGGING ***********', "Tagging")
    self.assertTrue("s3:PutObjectTagging" in tagging_actions)

    perm_mgmt_actions = analyze_and_dump(
        '********* PERMISSIONS-MANAGEMENT ***********', "Permissions management")
    self.assertTrue("s3:PutObjectAcl" in perm_mgmt_actions)
"Statement": [{ "Effect": "Allow", "Action": [ # These ones are Permissions management "ecr:SetRepositoryPolicy", "secretsmanager:DeleteResourcePolicy", "iam:UpdateAccessKey", # These ones are not permissions management "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", ], "Resource": "*" }] } permissions_management_actions = analyze_by_access_level( permissions_management_policy, "Permissions management") print(json.dumps(permissions_management_actions, indent=4)) """ Output: [ 'ecr:setrepositorypolicy', 'iam:updateaccesskey', 'secretsmanager:deleteresourcepolicy' ] """
"Statement": [{ "Effect": "Allow", "Action": [ # These ones are Permissions management "ecr:SetRepositoryPolicy", "secretsmanager:DeleteResourcePolicy", "iam:UpdateAccessKey", # These ones are not permissions management "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", ], "Resource": "*" }] } permissions_management_actions = analyze_by_access_level( db_session, permissions_management_policy, "permissions-management") print(json.dumps(permissions_management_actions, indent=4)) """ Output: [ 'ecr:setrepositorypolicy', 'iam:updateaccesskey', 'secretsmanager:deleteresourcepolicy' ] """