def check_for_wildcards(self, result: Result, logical_id: str, resource: PolicyDocument):
for statement in resource._statement_as_list():
if statement.Effect == "Allow" and statement.principals_with(self.FULL_REGEX):
for principal in statement.get_principal_list():
# Check if account ID is allowed
account_id_match = self.IAM_PATTERN.match(principal)
if account_id_match:
self.validate_account_id(result, logical_id, account_id_match.group(1))
if statement.Condition and statement.Condition.dict():
logger.warning(
f"Not adding {type(self).__name__} failure in {logical_id} because there are conditions: "
f"{statement.Condition}"
)
elif not self.resource_is_whitelisted(logical_id):
self.add_failure_to_result(
result,
self.REASON_WILCARD_PRINCIPAL.format(logical_id, principal),
resource_ids={logical_id},
)
def check_for_wildcards(self,
result: Result,
logical_id: str,
resource: PolicyDocument,
extras: Optional[Dict] = None):
for statement in resource._statement_as_list():
if statement.Effect == "Allow" and statement.principals_with(
self.FULL_REGEX):
for principal in statement.get_principal_list():
account_id_match = self.IAM_PATTERN.match(principal)
account_id = account_id_match.group(
1) if account_id_match else None
# Check if account ID is allowed. `self._get_allowed_from_config()` used here
# to reduce number of false negatives and only allow exemptions for accounts
# which belong to AWS Services (such as ELB and ElastiCache).
if account_id in self._get_allowed_from_config():
continue
if statement.Condition and statement.Condition.dict():
logger.warning(
f"Not adding {type(self).__name__} failure in {logical_id} because there are conditions: "
f"{statement.Condition}")
else:
self.add_failure_to_result(
result,
self.REASON_WILCARD_PRINCIPAL.format(
logical_id, principal),
resource_ids={logical_id},
context={
"config": self._config,
"extras": extras,
"logical_id": logical_id,
"resource": resource,
"statement": statement,
"principal": principal,
"account_id": account_id,
},
)
