示例#1
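def initialize(access_level_overrides_file, fetch, build):
    """
    Initialize the local data file to store AWS IAM information, which can be used to generate IAM policies, and for
    querying the database.

    :param access_level_overrides_file: Path to a user-supplied access-level overrides file. When falsy, the bundled
        LOCAL_ACCESS_OVERRIDES_FILE is used instead. Supplying one forces a database build.
    :param fetch: When truthy, download the AWS IAM Actions, Resources and Condition Keys HTML pages into
        LOCAL_HTML_DIRECTORY_PATH and build the database from them.
    :param build: When truthy, (re)build the database from the local HTML docs instead of copying the bundled one.
    """
    # Fall back to the bundled overrides file when the caller did not supply one.
    overrides_file = access_level_overrides_file or LOCAL_ACCESS_OVERRIDES_FILE

    # Create the config directory; the returned path is where the database file lives.
    database_path = create_policy_sentry_config_directory()

    # Copy over the html docs, which will be used to build the database
    create_html_docs_directory()

    # Copy the bundled *.yml overrides files into the config directory. They allow the
    # Access Levels provided by the AWS documentation to be overridden.
    # NOTE: shutil.copy replaces a same-named file already present in CONFIG_DIRECTORY, so any
    # locally edited copy there is overwritten on every initialize; custom overrides should be
    # passed in via access_level_overrides_file instead.
    for file in os.listdir(BUNDLED_DATA_DIRECTORY):
        source = os.path.join(BUNDLED_DATA_DIRECTORY, file)
        if not (file.endswith(".yml") and os.path.isfile(source)):
            continue
        logger.debug("copying overrides file %s to %s", file, CONFIG_DIRECTORY)
        shutil.copy(source, CONFIG_DIRECTORY)
    print(f"Database will be stored here: {database_path}")

    if not build and not fetch:
        # Neither --build nor --fetch: use the database bundled with the package as-is.
        shutil.copy(BUNDLED_DATASTORE_FILE_PATH, database_path)

    # --fetch: wget the AWS IAM Actions, Resources and Condition Keys pages and store them locally.
    # The database itself is built once, below, so the freshly downloaded docs are what gets built
    # (building here as well would only build the same database twice).
    if fetch:
        update_html_docs_directory(LOCAL_HTML_DIRECTORY_PATH)

    # --build, implied by --fetch and by a custom overrides file: build the database from the local
    # HTML docs, applying the overrides file.
    if build or access_level_overrides_file or fetch:
        create_database(CONFIG_DIRECTORY, overrides_file)
        print("Created the database!")

    # Query the database for all the services that are now in the database.
    all_aws_service_prefixes = get_all_service_prefixes()
    print("Initialization complete!")
    print(f"Total AWS services in the IAM database: {len(all_aws_service_prefixes)}")
    logger.debug("\nService prefixes:")
    logger.debug(", ".join(all_aws_service_prefixes))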
示例#2
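def initialize(access_level_overrides_file, fetch):
    """
    Create a local database to store AWS IAM information, which can be used to generate IAM policies and analyze them
    for least privilege.

    :param access_level_overrides_file: Overrides file handed to create_database; it allows the Access Levels
        provided by the AWS documentation to be overridden.
    :param fetch: When truthy, download the AWS IAM Actions, Resources and Condition Keys HTML pages into
        HTML_DIRECTORY_PATH and regenerate LINKS_YML_FILE_LOCAL from them before building.
    """
    # Create the config directory; the returned path is where the database lives.
    database_path = create_policy_sentry_config_directory()

    # Copy over the html docs, which will be used to build the database
    create_html_docs_directory()

    # Directory that IAM policies are downloaded to for analysis
    create_policy_analysis_directory()

    # Audit directory hosting the lists of permissions used by analyze_iam_policy
    create_audit_directory()

    # Default overrides file, which allows the Access Levels provided by the
    # AWS documentation to be overridden
    create_default_overrides_file()

    # Default reporting configuration file, used by analyze_iam_policy
    create_default_report_config_file()

    if fetch:
        # `wget` the html docs to the local directory, then regenerate the links.yml file from them
        update_html_docs_directory(HTML_DIRECTORY_PATH)
        prefix_list = create_service_links_mapping_file(
            HTML_DIRECTORY_PATH, LINKS_YML_FILE_LOCAL)
        print(f"Services: {prefix_list}")

    # Connect to the database at that path with SQLAlchemy
    # NOTE(review): the session is never closed here -- confirm connect_db's session lifecycle.
    db_session = connect_db(database_path)
    all_aws_services = get_list_of_service_prefixes_from_links_file(
        LINKS_YML_FILE_LOCAL)
    # Plain f-string placeholder; a shell-style "$" in front of it would be printed literally.
    print(f"Services to build for: {LINKS_YML_FILE_LOCAL}")

    # Fill in the database with data on the AWS services
    create_database(db_session, all_aws_services, access_level_overrides_file)
    print("Created tables for all services!")
    all_aws_services = get_all_services_from_action_table(db_session)
    print(
        f"{len(all_aws_services)} AWS services in the database: {all_aws_services}"
    )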
示例#3
import os
import sys
from pathlib import Path

sys.path.append(str(Path(os.path.dirname(__file__)).parent))

from policy_sentry.shared.awsdocs import create_database, update_html_docs_directory
from policy_sentry.shared.constants import (
    BUNDLED_ACCESS_OVERRIDES_FILE,
    BUNDLED_DATA_DIRECTORY,
    # BUNDLED_DATASTORE_FILE_PATH,
    BUNDLED_HTML_DIRECTORY_PATH)

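# Absolute path of this script's parent directory (kept for importers of this module).
BASE_DIR = str(
    os.path.abspath(os.path.join(os.path.dirname(__file__), os.path.pardir)))

if __name__ == '__main__':
    # Rebuild the bundled IAM datastore from freshly downloaded AWS documentation.
    print(
        "Downloading the latest AWS documentation from the Actions, Resources, and Condition Keys page"
    )
    # Network fetch into the bundled HTML directory; everything built below derives from these pages.
    update_html_docs_directory(BUNDLED_HTML_DIRECTORY_PATH)
    # Can't use the version of the same variable from policy_sentry/shared/constants.py
    # because of the sys.path manipulation above, so rebuild the path relative to this script.
    BUNDLED_DATASTORE_FILE_PATH = os.path.join(
        os.path.dirname(__file__), "policy_sentry", "shared",
        "data", "iam-definition.json")
    # Remove a stale datastore before rebuilding; a missing file is the normal first-run case.
    # NOTE(review): if create_database fails below, the bundled datastore stays deleted until
    # the next successful run -- building to a temporary path and renaming would be safer.
    try:
        os.remove(BUNDLED_DATASTORE_FILE_PATH)
    except FileNotFoundError:
        pass
    else:
        print("Datastore exists. Deleting then rebuilding...")
    print("Building the IAM database")
    create_database(BUNDLED_DATA_DIRECTORY, BUNDLED_ACCESS_OVERRIDES_FILE)
    # TODO: exporting the IAM database to CSV (write_iam_database_to_csv) is not wired up yet.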