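    def test_managed_policy_security_group_permissions(self):
        """Flag security-group mutation actions in a managed policy.

        Loads the IAM_SG_MUTATION fixture, runs
        check_security_group_permissions and expects exactly one
        'Sensitive Permissions' issue whose notes list both ec2
        authorize actions and the fixture's resource.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_SG_MUTATION)
        }

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(
            len(iamobj.audit_issues), 0,
            "Policy should have 0 alert but has {}".format(
                len(iamobj.audit_issues)))
        auditor.check_security_group_permissions(iamobj)
        self.assertEqual(
            len(iamobj.audit_issues), 1,
            "Policy should have 1 alert but has {}".format(
                len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue,
                         'Sensitive Permissions')
        self.assertEqual(
            iamobj.audit_issues[0].notes,
            'Actions: ["ec2:authorizesecuritygroupegress", "ec2:authorizesecuritygroupingress"] Resources: ["someresource"]'
        )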
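    def test_managed_policy_iam_passrole(self):
        """Flag iam:PassRole in a managed policy.

        Loads the IAM_PASSROLE fixture, runs check_iam_passrole and
        expects exactly one 'Sensitive Permissions' issue whose notes
        name the lower-cased passrole action and the fixture's resource.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_PASSROLE)
        }

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(
            len(iamobj.audit_issues), 0,
            "Policy should have 0 alert but has {}".format(
                len(iamobj.audit_issues)))
        auditor.check_iam_passrole(iamobj)
        self.assertEqual(
            len(iamobj.audit_issues), 1,
            "Policy should have 1 alert but has {}".format(
                len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue,
                         'Sensitive Permissions')
        self.assertEqual(
            iamobj.audit_issues[0].notes,
            'Actions: ["iam:passrole"] Resources: ["someresource"]')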
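    def test_managed_policy_iam_notresource(self):
        """Flag a NotResource element in a managed policy statement.

        Loads the IAM_NOTRESOURCE fixture, runs check_notresource and
        expects exactly one 'Awkward Statement Construction' issue whose
        notes name the NotResource construct.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_NOTRESOURCE)
        }

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(
            len(iamobj.audit_issues), 0,
            "Policy should have 0 alert but has {}".format(
                len(iamobj.audit_issues)))
        auditor.check_notresource(iamobj)
        self.assertEqual(
            len(iamobj.audit_issues), 1,
            "Policy should have 1 alert but has {}".format(
                len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue,
                         'Awkward Statement Construction')
        self.assertEqual(iamobj.audit_issues[0].notes,
                         'Construct: ["NotResource"]')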
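    def test_issue_on_aws_policy_with_attachment(self):
        """Audit an AWS-managed policy that has an attachment.

        Builds a ManagedPolicyItem from the FULL_ADMIN_POLICY_BARE
        fixture with an ARN under the 'aws' account and one attached
        role, then runs check_star_privileges and expects exactly one
        issue. The non-empty attached_roles list is the condition this
        test is named for; attached_users and attached_groups are empty.
        """
        import json

        config = {
            'policy': json.loads(FULL_ADMIN_POLICY_BARE),
            'arn': 'arn:aws:iam::aws:policy/TEST',
            'attached_users': [],
            'attached_roles': ['arn:aws:iam::123456789:role/TEST'],
            'attached_groups': []
        }

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        policyobj = ManagedPolicyItem(account="TEST_ACCOUNT",
                                      name="policy_test",
                                      config=config)

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(
            len(policyobj.audit_issues), 0,
            "Managed Policy should have 0 alert but has {}".format(
                len(policyobj.audit_issues)))

        auditor.check_star_privileges(policyobj)
        self.assertEqual(
            len(policyobj.audit_issues), 1,
            "Managed Policy should have 1 alert but has {}".format(
                len(policyobj.audit_issues)))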
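    def test_managed_policy_security_group_permissions(self):
        """Flag security-group mutation actions in a managed policy.

        Loads the IAM_SG_MUTATION fixture, runs
        check_security_group_permissions and expects exactly one
        'Sensitive Permissions' issue whose notes list both ec2
        authorize actions and the fixture's resource.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_SG_MUTATION)}

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(len(iamobj.audit_issues), 0, "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))
        auditor.check_security_group_permissions(iamobj)
        self.assertEqual(len(iamobj.audit_issues), 1, "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
        self.assertEqual(iamobj.audit_issues[0].notes, 'Actions: ["ec2:authorizesecuritygroupegress", "ec2:authorizesecuritygroupingress"] Resources: ["someresource"]')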
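    def test_managed_policy_iam_notresource(self):
        """Flag a NotResource element in a managed policy statement.

        Loads the IAM_NOTRESOURCE fixture, runs check_notresource and
        expects exactly one 'Awkward Statement Construction' issue whose
        notes name the NotResource construct.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_NOTRESOURCE)}

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(len(iamobj.audit_issues), 0, "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))
        auditor.check_notresource(iamobj)
        self.assertEqual(len(iamobj.audit_issues), 1, "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue, 'Awkward Statement Construction')
        self.assertEqual(iamobj.audit_issues[0].notes, 'Construct: ["NotResource"]')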
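    def test_managed_policy_iam_passrole(self):
        """Flag iam:PassRole in a managed policy.

        Loads the IAM_PASSROLE fixture, runs check_iam_passrole and
        expects exactly one 'Sensitive Permissions' issue whose notes
        name the lower-cased passrole action and the fixture's resource.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_PASSROLE)}

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(len(iamobj.audit_issues), 0, "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))
        auditor.check_iam_passrole(iamobj)
        self.assertEqual(len(iamobj.audit_issues), 1, "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue, 'Sensitive Permissions')
        self.assertEqual(iamobj.audit_issues[0].notes, 'Actions: ["iam:passrole"] Resources: ["someresource"]')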
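    def test_managed_policy_iam_admin_only(self):
        """Flag a wildcard iam:* grant as administrator access.

        Loads the IAM_ADMIN fixture, runs check_iam_star_privileges and
        expects exactly one 'Administrator Access' issue whose notes
        name the iam:* action and the fixture's resource.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_ADMIN)}

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(len(iamobj.audit_issues), 0, "Policy should have 0 alert but has {}".format(len(iamobj.audit_issues)))
        auditor.check_iam_star_privileges(iamobj)
        self.assertEqual(len(iamobj.audit_issues), 1, "Policy should have 1 alert but has {}".format(len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue, 'Administrator Access')
        self.assertEqual(iamobj.audit_issues[0].notes, 'Actions: ["iam:*"] Resources: ["someresource"]')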
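    def test_issue_on_aws_policy_with_attachment(self):
        """Audit an AWS-managed policy that has an attachment.

        Builds a ManagedPolicyItem from the FULL_ADMIN_POLICY_BARE
        fixture with an ARN under the 'aws' account and one attached
        role, then runs check_star_privileges and expects exactly one
        issue. The non-empty attached_roles list is the condition this
        test is named for; attached_users and attached_groups are empty.
        """
        import json

        config = {
            'policy': json.loads(FULL_ADMIN_POLICY_BARE),
            'arn': 'arn:aws:iam::aws:policy/TEST',
            'attached_users': [],
            'attached_roles': ['arn:aws:iam::123456789:role/TEST'],
            'attached_groups': []
        }

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        policyobj = ManagedPolicyItem(account="TEST_ACCOUNT", name="policy_test", config=config)

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(len(policyobj.audit_issues), 0,
                         "Managed Policy should have 0 alert but has {}".format(len(policyobj.audit_issues)))

        auditor.check_star_privileges(policyobj)
        self.assertEqual(len(policyobj.audit_issues), 1,
                         "Managed Policy should have 1 alert but has {}".format(len(policyobj.audit_issues)))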
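    def test_managed_policy_iam_admin_only(self):
        """Flag a wildcard iam:* grant as administrator access.

        Loads the IAM_ADMIN fixture, runs check_iam_star_privileges and
        expects exactly one 'Administrator Access' issue whose notes
        name the iam:* action and the fixture's resource.
        """
        import json
        from security_monkey.auditors.iam.managed_policy import ManagedPolicyAuditor

        auditor = ManagedPolicyAuditor(accounts=['unittest'])
        iamobj = MockIAMObj()

        iamobj.config = {
            'arn': 'arn:iam::aws:policy/',
            'policy': json.loads(IAM_ADMIN)
        }

        # assertEqual, not assertIs: identity comparison of ints only
        # works because CPython caches small ints, not because of value.
        self.assertEqual(
            len(iamobj.audit_issues), 0,
            "Policy should have 0 alert but has {}".format(
                len(iamobj.audit_issues)))
        auditor.check_iam_star_privileges(iamobj)
        self.assertEqual(
            len(iamobj.audit_issues), 1,
            "Policy should have 1 alert but has {}".format(
                len(iamobj.audit_issues)))
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(iamobj.audit_issues[0].issue, 'Administrator Access')
        self.assertEqual(iamobj.audit_issues[0].notes,
                         'Actions: ["iam:*"] Resources: ["someresource"]')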