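def test_get_actions_by_access_level(self):
    """Check that actions are bucketed by their CRUD-style access level.

    One ECR action is supplied per level; looking up each level must return
    exactly that one action. The expected values are lowercase while the
    inputs are mixed-case, so the lookup under test is expected to normalise
    action-name case.
    """
    actions_list = [
        "ecr:BatchGetImage",          # Read
        "ecr:CreateRepository",       # Write
        "ecr:DescribeRepositories",   # List
        "ecr:TagResource",            # Tagging
        "ecr:SetRepositoryPolicy",    # Permissions management
    ]
    expected_by_level = [
        ("read", ["ecr:batchgetimage"]),
        ("write", ["ecr:createrepository"]),
        ("list", ["ecr:describerepositories"]),
        ("tagging", ["ecr:tagresource"]),
        ("permissions-management", ["ecr:setrepositorypolicy"]),
    ]
    # Table-driven with subTest so one failing level does not hide the
    # others; the stray debug print("Read") from the original is dropped.
    for level, expected in expected_by_level:
        with self.subTest(access_level=level):
            self.assertListEqual(
                get_actions_by_access_level(db_session, actions_list, level),
                expected,
            )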
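def analyze_iam_policy(audit_file, print_policy, file, show):
    """Analyze the IAM actions granted by a JSON policy file.

    Args:
        audit_file: Passed through to determine_risky_actions; its format
            is defined by that helper, not here.
        print_policy: When truthy, additionally emit a policy built from the
            expanded actions via write_policy_with_actions.
        file: Path to the JSON policy file to evaluate.
        show: Access level to filter by (e.g. "read", "write",
            "permissions-management"). When falsy, the expanded action list
            is printed and determine_risky_actions runs instead.

    Returns:
        None. All results are printed. If ``file`` does not exist an error
        message is printed and nothing else happens.
    """
    # Bail out on a missing file: the original fell through and handed the
    # bad path to read_json_policy_file anyway. Checking before connect_db
    # also avoids opening a database session that would never be used.
    if not os.path.exists(file):
        print("File does not exist or is formatted incorrectly: " + file + "\nPlease provide a valid path.")
        return
    print("Evaluating: " + file)

    db_session = connect_db(database_file_path)
    requested_actions = read_json_policy_file(file)
    # Wildcards such as "ecr:*" are expanded into concrete action names
    # before any access-level or risk classification.
    expanded_actions = determine_actions_to_expand(requested_actions)

    if show:
        levels = get_actions_by_access_level(db_session, expanded_actions, show)
        print("Access level: " + show)
        pp = pprint.PrettyPrinter(indent=4)
        pp.pprint(levels)
    else:
        print("These are the expanded actions")
        print(expanded_actions)
        determine_risky_actions(expanded_actions, audit_file)

    if print_policy:
        write_policy_with_actions(expanded_actions, db_session)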
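def analyze_by_access_level(policy_json, db_session, access_level):
    """Return the actions in a policy document that match an access level.

    Useful for answering questions such as "which policies grant
    'Permissions management' level access", since a single such action can
    be enough to escalate privileges.

    Args:
        policy_json: An already-parsed IAM policy document (the helper
            get_actions_from_policy extracts its Action entries).
        db_session: Database session handed to get_actions_by_access_level.
        access_level: Level to filter by, e.g. "read", "write", "list",
            "tagging" or "permissions-management".

    Returns:
        Whatever get_actions_by_access_level returns for the expanded action
        list; expected to be empty when no action matches.
    """
    requested_actions = get_actions_from_policy(policy_json)
    # Expand wildcards first so "service:*" entries are classified too.
    expanded_actions = determine_actions_to_expand(requested_actions)
    # Dead, commented-out printing code from the original has been removed;
    # callers decide how to report the result.
    return get_actions_by_access_level(db_session, expanded_actions, access_level)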
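def analyze(policy_file, db_session, from_access_level, from_audit_file):
    """Analyze a policy file, either by access level or for risky actions.

    Args:
        policy_file: Path to the JSON policy file to read.
        db_session: Database session handed to get_actions_by_access_level.
        from_access_level: Access level to filter by. When truthy, matching
            actions are pretty-printed under the policy's file name (nothing
            is printed if there are no matches). When falsy, the expanded
            action list is printed and determine_risky_actions runs.
        from_audit_file: Passed through to determine_risky_actions.

    Returns:
        None. Results are printed only.
    """
    requested_actions = get_actions_from_json_policy_file(policy_file)
    # Expand wildcards so "service:*" entries are classified too.
    expanded_actions = determine_actions_to_expand(requested_actions)

    if from_access_level:
        levels = get_actions_by_access_level(db_session, expanded_actions, from_access_level)
        # Stay silent for policies with no matching actions; the original's
        # "if not levels: pass / else:" shape is folded into one guard.
        if levels:
            policy_name = os.path.basename(policy_file)
            print("\nPolicy: " + policy_name)
            pp = pprint.PrettyPrinter(indent=4)
            pp.pprint(levels)
    else:
        print("These are the expanded actions")
        print(expanded_actions)
        determine_risky_actions(expanded_actions, from_audit_file)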