awspolicy: a small package that helps you modify an AWS policy as an object
The AWS SDKs cover a wide surface and let you automate and code your infrastructure. Fine-tuning a policy, however, is poorly supported, because the policy is handled as one opaque block of string.
Scenario 1. A centralized account owns an S3 bucket that grants all other accounts write permission for their CloudTrail logs. When a new account is onboarded, you need to modify the bucket policy to insert another trusted principal. Doing this by hand is both ugly and unsafe.
Scenario 2. Your billing account has an IAM role that certain IAM users from the login account are allowed to assume. When a new IAM user is created and has to be added to the trust policy, that policy has to be updated manually.
The difficulty in automating this is that you must keep the policy document intact and change only the part you intend to change. That is what this package helps with.
Borrowing the idea of selecting elements from an HTML document, you can select a specific statement from a policy document by giving its Sid.
Getting started:
This package only provides classes to use in your own code. It depends on boto3 but does not install it for you.
Install the package: pip install awspolicy
Example:
Talk is cheap, show me the code. I have an S3 bucket with the following policy controlling the permissions of IAM users. Currently it only grants the IAM users "bob" and "jack" permission to get objects from the "admin_folder" directory. When a new admin user "daniel" comes on board, I need to add his IAM user ARN so that the policy grants him access too, without disturbing anything else in the policy document. The example code below does exactly that. Before the change, the bucket policy in JSON was:
```json
{
  "Id": "MyBucketPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AutomatedRestrictiveAccess",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::hailong-python/admin_folder/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::888888888888:user/bob",
          "arn:aws:iam::888888888888:user/jack"
        ]
      }
    },
    {
      "Sid": "GenerallyGrantingAccess",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::hailong-python/shared_files/*",
      "Principal": {
        "AWS": [
          "888888888888"
        ]
      }
    },
    {
      "Sid": "DenyNonHTTPSTrafic",
      "Action": [
        "s3:*"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::hailong-python/*",
      "Principal": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Example code that modifies the policy in Python:
```python
import boto3
from awspolicy import BucketPolicy

s3_client = boto3.client('s3')
bucket_name = 'hailong-python'

# Load the bucket policy as an object
bucket_policy = BucketPolicy(serviceModule=s3_client, resourceIdentifer=bucket_name)

# Select the statement that will be modified (returns None if the Sid does not exist)
statement_to_modify = bucket_policy.select_statement('AutomatedRestrictiveAccess')

# Insert new_user_arn into the list of Principal['AWS']
new_user_arn = 'arn:aws:iam::888888888888:user/daniel'
statement_to_modify.Principal['AWS'].append(new_user_arn)

# Save the change of the statement back into the policy document
statement_to_modify.save()

# Save the policy. This uploads the updated bucket policy to AWS
statement_to_modify.source_policy.save()  # Or bucket_policy.save()
```
After running the code, the new user has been added to the statement and the other statements are unchanged:
```json
{
  "Version": "2012-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "AutomatedRestrictiveAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::888888888888:user/daniel",
          "arn:aws:iam::888888888888:user/jack",
          "arn:aws:iam::888888888888:user/bob"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::hailong-python/admin_folder/*"
    },
    {
      "Sid": "GenerallyGrantingAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::888888888888:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::hailong-python/shared_files/*"
    },
    {
      "Sid": "DenyNonHTTPSTrafic",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::hailong-python/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
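The edit above goes through the library and a live boto3 client. The following is an added example, not part of the package, that performs the same select-by-Sid edit on a plain policy dict so it can be run offline. It also handles two things the snippet above glosses over: AWS may return a single principal as a bare string rather than a list (compare the `GenerallyGrantingAccess` statement before and after), and the add should be idempotent. The `untouched_statements` check is the assertion a practitioner wants before uploading: every statement other than the selected one is still byte-identical. The sample policy is constructed from the bucket policy shown above; the function names are this example's own.

```python
import copy
import json

# Constructed sample input: the bucket policy from the example above, with the
# GenerallyGrantingAccess principal written as a bare string, which is how AWS
# hands back a single-element principal (see the "after" document above).
SAMPLE_POLICY = {
    "Id": "MyBucketPolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AutomatedRestrictiveAccess",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::888888888888:user/bob",
                                  "arn:aws:iam::888888888888:user/jack"]},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::hailong-python/admin_folder/*",
        },
        {
            "Sid": "GenerallyGrantingAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::888888888888:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::hailong-python/shared_files/*",
        },
        {
            "Sid": "DenyNonHTTPSTrafic",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::hailong-python/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def select_statement(policy, sid):
    """Return the statement whose Sid matches, or None (the select-by-Sid idea)."""
    for statement in policy.get("Statement", []):
        if statement.get("Sid") == sid:
            return statement
    return None


def as_list(value):
    """Principal.AWS, Action and Resource may be a string or a list; always work on a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def add_aws_principal(policy, sid, principal_arn):
    """Return a new policy in which statement `sid` also grants `principal_arn`.

    The input document is not mutated, the add is idempotent, and only the
    target statement is touched.  Raises if the Sid is missing or the statement
    uses a wildcard principal, where appending an ARN makes no sense.
    """
    updated = copy.deepcopy(policy)
    statement = select_statement(updated, sid)
    if statement is None:
        raise KeyError("no statement with Sid %r" % sid)
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        raise ValueError("statement %r has principal %r, not an AWS principal map" % (sid, principal))
    principals = as_list(principal.get("AWS"))
    if principal_arn not in principals:
        principals.append(principal_arn)
    principal["AWS"] = principals
    return updated


def untouched_statements(before, after, sid):
    """True when every statement other than `sid` is identical before and after the edit."""
    def others(policy):
        return [s for s in policy["Statement"] if s.get("Sid") != sid]
    return json.dumps(others(before), sort_keys=True) == json.dumps(others(after), sort_keys=True)


if __name__ == "__main__":
    new_policy = add_aws_principal(SAMPLE_POLICY, "AutomatedRestrictiveAccess",
                                   "arn:aws:iam::888888888888:user/daniel")
    assert untouched_statements(SAMPLE_POLICY, new_policy, "AutomatedRestrictiveAccess")
    print(json.dumps(new_policy, indent=2))
```

Run the guard right before the equivalent of `bucket_policy.save()`: if it fails, the edit touched more than the selected statement and should not be uploaded.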
More usage of the classes:
```python
# Policy
policy.fill_up_sids()        # Generate Sids for the statements that don't have one. This updates the policy document
policy.select_statement(sid) # Select a statement by its Sid. Returns None if no statement matches
policy.reload()              # Reload the policy document. This fetches the policy from AWS again
policy.save()                # Upload the current policy document to AWS
policy.sids                  # A list of the statement Ids of the policy
policy.content               # Policy content as a dict

# Statement
statement.reload()           # Reconstruct the statement content from the loaded policy
statement.save()             # Save the changes of the statement into the policy document
statement.content            # Statement content as a dict
statement.source_policy      # The policy object this statement belongs to

## Fields of the statement, each a dict, list or string
statement.Sid
statement.Effect
statement.Principal
statement.Action
statement.Resource
statement.Condition
```
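`fill_up_sids()` matters because select-by-Sid only works when every statement has a Sid and no Sid is used twice. The following is an added example (not the package's code) of what such a routine has to do on a plain policy dict: refuse to proceed on duplicate Sids, then assign Sids to the statements that lack one without colliding with the existing ones. The naming scheme `Stmt<position>` is this example's assumption, since the page does not document the library's own scheme; the sample policy is constructed.

```python
import copy

# Constructed sample input: a bucket policy in which two statements have no Sid.
POLICY_MISSING_SIDS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyNonHTTPSTrafic", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/shared/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
}


def check_unique_sids(policy):
    """Return the Sids present in the policy; raise if any Sid appears more than once,
    because a duplicate makes select-by-Sid ambiguous."""
    sids = [s["Sid"] for s in policy.get("Statement", []) if s.get("Sid")]
    duplicates = sorted({sid for sid in sids if sids.count(sid) > 1})
    if duplicates:
        raise ValueError("duplicate Sid(s) make select-by-Sid ambiguous: %s" % ", ".join(duplicates))
    return sids


def fill_up_sids(policy, prefix="Stmt"):
    """Return a copy of `policy` in which every statement has a Sid.

    A statement at 1-based position n that lacks a Sid gets `<prefix><n>`; if that
    name is already taken the counter is bumped until a free one is found, so the
    generated Sids never collide with existing or previously generated ones.
    """
    updated = copy.deepcopy(policy)
    taken = set(check_unique_sids(updated))
    for index, statement in enumerate(updated.get("Statement", []), start=1):
        if statement.get("Sid"):
            continue
        n = index
        while "%s%d" % (prefix, n) in taken:
            n += 1
        statement["Sid"] = "%s%d" % (prefix, n)
        taken.add(statement["Sid"])
    return updated


if __name__ == "__main__":
    filled = fill_up_sids(POLICY_MISSING_SIDS)
    print([s["Sid"] for s in filled["Statement"]])
```

Because the function works on a copy, the caller still decides whether to upload the result, which mirrors the library's split between `statement.save()` and `policy.save()`.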
More example usage in snippets:
```python
# Modules to modify AWS resource-based policies as objects, selecting statements by Sid
# Supported: KMS CMK policy, S3 bucket policy, IAM role trust relationship
import boto3
from awspolicy import BucketPolicy, KmsPolicy, IamRoleTrustPolicy

### Update a KMS key policy to allow a new account to use the CMK in the centralized auditing account
kms = boto3.client('kms')
cmk_policy = KmsPolicy(serviceModule=kms, resourceIdentifer='xxxxe011-a1ff-4460-8942-02da951xxxx')
statement = cmk_policy.select_statement('AllowCloudTrailEncryptCrossAccountLogs')
statement.Condition['StringLike']['kms:EncryptionContext:aws:cloudtrail:arn'] += ['arn:aws:cloudtrail:*:888888888888:trail/*']
statement.save()
statement.source_policy.save()

### Update an S3 bucket policy from an STS session to allow a new account to deliver CloudTrail logs to the centralized auditing account
# `session` is a boto3 Session built from STS AssumeRole credentials for the account that owns the bucket;
# pass the AccessKeyId, SecretAccessKey and SessionToken returned by sts.assume_role() here
session = boto3.Session()
s3 = session.client('s3')
bucket_policy = BucketPolicy(serviceModule=s3, resourceIdentifer='hailong-cloudtrail')
statement = bucket_policy.select_statement('CloudTrailCrossAccountPermission')
to_add_resource = 'arn:aws:s3:::hailong-cloudtrail/AWSLogs/888888888888/*'
# Resource may come back as a single string; normalise to a list before the membership test,
# otherwise `in` does a substring match and `+=` concatenates strings
if not isinstance(statement.Resource, list):
    statement.Resource = [statement.Resource]
if to_add_resource not in statement.Resource:
    statement.Resource += [to_add_resource]
statement.save()
statement.source_policy.save()

### Update an IAM role trust relationship to remove the Condition from a statement
iam = boto3.client('iam')
role_trust_policy = IamRoleTrustPolicy(serviceModule=iam, resourceIdentifer='EC2ReadOnly')
s = role_trust_policy.select_statement('CrossAccount')
s.Condition = None
s.save()
s.source_policy.save()
```
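Two of the snippets above deserve a guard before `source_policy.save()`. The S3 snippet's `to_add_resource not in statement.Resource` is a substring test when `Resource` is a bare string, and the trust-policy snippet deletes a Condition, which can only widen who may assume the role. The following is an added example, not part of the package, with a list-normalising `add_resource` and a `review_policy_change` function that compares the document before and after an edit and reports the changes that broaden access: removed statements, modified Deny statements, removed Conditions, and Allow statements whose principal became `*`. The trust policy and the resource ARNs used as input are constructed; the function names are this example's own.

```python
import copy

# Constructed sample: a role trust policy whose cross-account statement is limited by
# an ExternalId condition.  The "remove Condition" snippet above performs exactly this edit.
TRUST_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CrossAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Sid": "Ec2Service", "Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}


def as_list(value):
    """Resource, Action and Principal.AWS may be a string or a list; always work on a list."""
    return list(value) if isinstance(value, list) else ([] if value is None else [value])


def add_resource(statement, resource):
    """Idempotently add `resource` to a statement whose Resource may be a string or a list.

    On a bare string, `resource in statement["Resource"]` is a substring check and
    `+=` concatenates, so normalise to a list before testing membership.
    """
    resources = as_list(statement.get("Resource"))
    if resource not in resources:
        resources.append(resource)
    statement["Resource"] = resources
    return statement


def remove_condition(policy, sid):
    """The edit the trust-policy snippet makes, applied to a copy of the document."""
    updated = copy.deepcopy(policy)
    for statement in updated.get("Statement", []):
        if statement.get("Sid") == sid:
            statement.pop("Condition", None)
    return updated


def review_policy_change(before, after):
    """Return findings describing ways in which `after` grants more than `before`.

    Statements are matched by Sid, so run this on documents whose statements all
    carry a Sid.  An empty list means none of the checked broadenings occurred.
    """
    findings = []
    after_by_sid = {s.get("Sid"): s for s in after.get("Statement", [])}
    for old in before.get("Statement", []):
        sid = old.get("Sid")
        new = after_by_sid.get(sid)
        if new is None:
            findings.append("statement %s was removed" % sid)
            continue
        if old.get("Effect") == "Deny" and old != new:
            findings.append("Deny statement %s was modified" % sid)
        if old.get("Condition") and not new.get("Condition"):
            findings.append("Condition removed from statement %s" % sid)
        if new.get("Effect") == "Allow" and new.get("Principal") == "*" and old.get("Principal") != "*":
            findings.append("statement %s now allows any principal" % sid)
    return findings


if __name__ == "__main__":
    after = remove_condition(TRUST_POLICY_BEFORE, "CrossAccount")
    for finding in review_policy_change(TRUST_POLICY_BEFORE, after):
        print("review:", finding)
```

With the library, the dicts to compare are `policy.content` captured right after loading and again after `statement.save()`; a non-empty findings list is a reason to require a second pair of eyes before `policy.save()`.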
To do
This is a very simple package that I hope can help someone. If needed, it could be wrapped into a tool that allows more interaction with AWS policies. Currently it only works with three resource-based policies: S3 bucket policies, KMS key policies and IAM role trust policies. With some restructuring it could be extended to other areas, such as IAM identity-based policies. Please let me know if you find any bugs or want to contribute.