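 def test_get_actions_by_access_level(self):
     """
     Each IAM access level must select exactly the one action in
     ``actions_list`` that belongs to it, and nothing else.

     The expected values are lowercased: the helper returns normalised
     (lowercase) action names, as the original assertions already relied on.
     """
     actions_list = [
         "ecr:BatchGetImage",  # Read
         "ecr:CreateRepository",  # Write
         "ecr:DescribeRepositories",  # List
         "ecr:TagResource",  # Tagging
         "ecr:SetRepositoryPolicy",  # Permissions management
     ]
     # access level -> the single action from actions_list at that level
     expected_by_level = {
         "read": ["ecr:batchgetimage"],
         "write": ["ecr:createrepository"],
         "list": ["ecr:describerepositories"],
         "tagging": ["ecr:tagresource"],
         "permissions-management": ["ecr:setrepositorypolicy"],
     }
     # Table-driven instead of five copies of the same assertion; the stray
     # debug print("Read") that preceded the first assertion is gone.
     for level, expected in expected_by_level.items():
         self.assertListEqual(
             get_actions_by_access_level(db_session, actions_list, level),
             expected,
             msg="access level %r" % level,
         )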
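def analyze_iam_policy(audit_file, print_policy, file, show):
    """
    Analyze IAM Actions given a JSON policy file.

    :param audit_file: audit file handed to ``determine_risky_actions``
    :param print_policy: when true, also write a policy built from the
        expanded actions (only in the non-``show`` path)
    :param file: path to the JSON policy file to evaluate
    :param show: access level to filter on ("read", "write", ...); falsy
        means "print every expanded action and run the risky-action audit"
    :return: None; results are printed
    """
    if not os.path.exists(file):
        # Stop here. The original printed this message and then still called
        # read_json_policy_file(file), which blew up on the missing path.
        # NOTE(review): only existence is checked at this point; the
        # "formatted incorrectly" wording refers to nothing we test here.
        print("File does not exist or is formatted incorrectly: " + file +
              "\nPlease provide a valid path.")
        return
    print("Evaluating: " + file)

    # Connect only once we know there is a policy to evaluate.
    db_session = connect_db(database_file_path)

    requested_actions = read_json_policy_file(file)
    # presumably expands wildcard actions to concrete ones -- verify against
    # determine_actions_to_expand
    expanded_actions = determine_actions_to_expand(requested_actions)

    if show:
        levels = get_actions_by_access_level(db_session, expanded_actions,
                                             show)
        print("Access level: " + show)
        pp = pprint.PrettyPrinter(indent=4)
        pp.pprint(levels)
    else:
        print("These are the expanded actions")
        print(expanded_actions)
        determine_risky_actions(expanded_actions, audit_file)
        if print_policy:
            write_policy_with_actions(expanded_actions, db_session)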
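def analyze_by_access_level(policy_json, db_session, access_level):
    """
    Return the actions in a policy that carry the given access level.

    Particularly useful when determining who has 'Permissions management'
    level access.

    :param policy_json: the policy document (already parsed, not a path)
    :param db_session: database session passed through to the lookup
    :param access_level: level to filter on, e.g. "permissions-management"
    :return: whatever ``get_actions_by_access_level`` returns for the
        expanded action list -- empty when no action matches
    """
    requested_actions = get_actions_from_policy(policy_json)
    # presumably expands wildcard actions to concrete ones -- verify against
    # determine_actions_to_expand
    expanded_actions = determine_actions_to_expand(requested_actions)
    # The commented-out printing block that used to sit here is dropped;
    # printing belongs to the caller, this function just returns the data.
    return get_actions_by_access_level(
        db_session, expanded_actions, access_level)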
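def analyze(policy_file, db_session, from_access_level, from_audit_file):
    """
    Analyze a JSON policy file and print the result.

    :param policy_file: path to the JSON policy file
    :param db_session: database session passed through to the lookup
    :param from_access_level: access level to filter on; when set, only the
        actions at that level are printed (nothing at all if there are none)
    :param from_audit_file: audit file handed to ``determine_risky_actions``
        in the non-access-level path
    :return: None; results are printed
    """
    requested_actions = get_actions_from_json_policy_file(policy_file)
    # presumably expands wildcard actions to concrete ones -- verify against
    # determine_actions_to_expand
    expanded_actions = determine_actions_to_expand(requested_actions)

    if from_access_level:
        levels = get_actions_by_access_level(
            db_session, expanded_actions, from_access_level)
        # Positive condition replaces the original "if not levels: pass / else".
        if levels:
            # Last path component, same as split('/')[-1] did; a trailing
            # '/' still yields an empty name.
            policy_name = policy_file.rsplit('/', 1)[-1]
            print("\nPolicy: " + policy_name)
            pp = pprint.PrettyPrinter(indent=4)
            pp.pprint(levels)
    else:
        print("These are the expanded actions")
        print(expanded_actions)
        determine_risky_actions(expanded_actions, from_audit_file)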