def test_missing_access_levels(self): """ test_missing_access_levels: write-policy --crud command when YAML File is missing access levels :return: """ cfg_with_missing_access_levels = { "roles_with_crud_levels": [{ "name": "RoleNameWithCRUD", "description": "Why I need these privs", "arn": "arn:aws:iam::559410426617:role/RiskyEC2", "list": [ "arn:aws:s3:::example-org-flow-logs", "arn:aws:s3:::example-org-sbx-vmimport/stuff" ], "tag": ["arn:aws:ssm:us-east-1:123456789012:parameter/test"], "permissions-management": ["arn:aws:s3:::example-org-s3-access-logs"] }] } with self.assertRaises(SystemExit): arn_action_group = ArnActionGroup() arn_dict = arn_action_group.process_resource_specific_acls( cfg_with_missing_access_levels, db_session)
def test_wildcard_when_not_necessary(self): """test_wildcard_when_not_necessary: Attempts bypass of CRUD mode wildcard-only""" cfg = { 'roles_with_crud_levels': [{ 'name': 'RoleNameWithCRUD', 'description': 'Why I need these privs', 'arn': 'arn:aws:iam::123456789012:role/RiskyEC2', 'permissions-management': ['arn:aws:s3:::example-org-s3-access-logs'], 'wildcard': [ # The first three are legitimately wildcard only. # Verify with `policy_sentry query action-table --service secretsmanager --wildcard-only` 'ram:enablesharingwithawsorganization', 'ram:getresourcepolicies', 'secretsmanager:createsecret', # This last one can be "secret" ARN type OR wildcard. We want to prevent people from # bypassing this mechanism, while allowing them to explicitly # request specific privs that require wildcard mode. This next value - # secretsmanager:putsecretvalue - is an example of someone trying to beat the tool. 'secretsmanager:putsecretvalue' ] }] } arn_action_group = ArnActionGroup() arn_dict = arn_action_group.process_resource_specific_acls( cfg, db_session) output = print_policy(arn_dict, db_session, None) print(json.dumps(output, indent=4)) desired_output = { "Version": "2012-10-17", "Statement": [{ "Sid": "MultMultNone", "Effect": "Allow", "Action": [ "ram:enablesharingwithawsorganization", "ram:getresourcepolicies", "secretsmanager:createsecret" ], "Resource": ["*"] }, { "Sid": "S3PermissionsmanagementBucket", "Effect": "Allow", "Action": [ "s3:deletebucketpolicy", "s3:putbucketacl", "s3:putbucketpolicy", "s3:putbucketpublicaccessblock" ], "Resource": ["arn:aws:s3:::example-org-s3-access-logs"] }] } self.maxDiff = None self.assertDictEqual(output, desired_output)
def write_policy_with_access_levels(cfg, db_session, minimize_statement=False): """ Writes an IAM policy given a dict containing Access Levels and ARNs. """ arn_action_group = ArnActionGroup() arn_dict = arn_action_group.process_resource_specific_acls(cfg, db_session) policy = print_policy(arn_dict, db_session, minimize_statement) return policy