Detailed description of the PolicyTools Python project
PolicyTools
Summary
A set of helper utilities for working with AWS IAM policies.
Currently it programmatically determines the effect that an AWS Organizations Service Control Policy (SCP) has on a given user policy.
```python
result = scp.effect_on(user_policy)
print(result.denied_actions)
```
Usage
Create the "all IAM actions" set
```python
# Module name assumed from the project name; adjust to the package's actual import path.
from policytools import ActionExpander, PolicyGenActionsMasterList, Policy, ServiceControlPolicy

# policies-gen.json.js is the content of https://awspolicygen.s3.amazonaws.com/js/policies.js
with open('policies-gen.json.js') as file_stream:
    all_actions_source_data = file_stream.read()
```
Create the ActionExpander utility. It simply expands glob statements (for example s3:*) into the set of IAM actions they match exactly.
```python
# The master list parsed from policies.js is the source of truth for what a glob expands to.
action_expander = ActionExpander(PolicyGenActionsMasterList(all_actions_source_data))
```
Create the user policy and the Service Control Policy
```python
user_policy = Policy("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSts",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [ "sqs:*" ]
    },
    {
      "Sid": "AllowEfs",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [ "elastictranscoder:*" ]
    }
  ]
}""", action_expander)

scp = ServiceControlPolicy("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Read",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [ "sqs:Get*", "sqs:List*" ]
    },
    {
      "Sid": "AllowElasticTranscoderRead",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [ "elastictranscoder:Read*", "elastictranscoder:List*" ]
    }
  ]
}""", action_expander)
```
Determine the effect of the SCP on the user policy
```python
result = scp.effect_on(user_policy)
print(result.denied_actions)
```
Output:
```
{'sqs:SetQueueAttributes','sqs:PurgeQueue','sqs:DeleteMessageBatch','sqs:ReceiveMessage','sqs:RemovePermission','sqs:ChangeMessageVisibilityBatch','sqs:SendMessageBatch','sqs:CreateQueue','sqs:TagQueue','sqs:AddPermission','sqs:UntagQueue','sqs:SendMessage','sqs:DeleteMessage','sqs:ChangeMessageVisibility','sqs:DeleteQueue','elastictranscoder:TestRole','elastictranscoder:CreatePipeline','elastictranscoder:DeletePipeline','elastictranscoder:UpdatePipelineNotifications','elastictranscoder:DeletePreset','elastictranscoder:CancelJob','elastictranscoder:CreateJob','elastictranscoder:UpdatePipelineStatus','elastictranscoder:CreatePreset','elastictranscoder:UpdatePipeline'}
```
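The computation the steps above perform, written out as a self-contained example that is added here and is not PolicyTools' own code: glob expansion of IAM action patterns against a master list, and the SCP rule that an action survives only if some SCP statement allows it and no SCP statement explicitly denies it. It goes beyond the page's example by handling an explicit Deny statement in the SCP. The master list is a constructed subset of real SQS and Elastic Transcoder action names (the tool itself loads the full list from AWS's policies.js); the function and variable names are this example's own.

```python
import fnmatch
import json

# Constructed subset of the IAM action master list, enough to exercise glob expansion.
ALL_ACTIONS = [
    "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues",
    "sqs:ListQueueTags", "sqs:SendMessage", "sqs:ReceiveMessage",
    "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:CreateQueue", "sqs:PurgeQueue",
    "elastictranscoder:ReadJob", "elastictranscoder:ReadPipeline",
    "elastictranscoder:ListJobsByPipeline", "elastictranscoder:ListPipelines",
    "elastictranscoder:CreateJob", "elastictranscoder:CancelJob",
    "elastictranscoder:CreatePipeline", "elastictranscoder:DeletePipeline",
]

# Constructed policies mirroring the page's shape: a broad user policy and a
# read-only SCP, plus an explicit Deny that the page's example does not have.
SAMPLE_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSqs", "Effect": "Allow", "Resource": "*", "Action": ["sqs:*"]},
        {"Sid": "AllowTranscoder", "Effect": "Allow", "Resource": "*",
         "Action": ["elastictranscoder:*"]},
    ],
})
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Resource": "*",
         "Action": ["sqs:Get*", "sqs:List*",
                    "elastictranscoder:Read*", "elastictranscoder:List*"]},
        {"Sid": "DenyTagListing", "Effect": "Deny", "Resource": "*",
         "Action": ["sqs:ListQueueTags"]},
    ],
})


def expand_actions(patterns, master_list=ALL_ACTIONS):
    """Expand IAM action globs ('sqs:Get*', '*') into the concrete actions in
    master_list. IAM action matching is case-insensitive and uses '*' and '?',
    so lower-casing both sides and using fnmatch reproduces it."""
    if isinstance(patterns, str):
        patterns = [patterns]
    expanded = set()
    for pattern in patterns:
        pattern = pattern.lower()
        expanded.update(a for a in master_list
                        if fnmatch.fnmatchcase(a.lower(), pattern))
    return expanded


def allowed_and_denied(policy_doc, master_list=ALL_ACTIONS):
    """Return (allow, deny) sets of concrete actions named by a policy document.
    Resource and Condition are ignored: this is an action-level view only."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = doc["Statement"]
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    allow, deny = set(), set()
    for stmt in statements:
        target = allow if stmt["Effect"] == "Allow" else deny
        target.update(expand_actions(stmt.get("Action", []), master_list))
    return allow, deny


def scp_effect_on(scp_doc, user_policy_doc, master_list=ALL_ACTIONS):
    """Split the user policy's grants into what the SCP lets through and what it
    blocks. SCP semantics: an SCP never grants anything on its own; an action is
    permitted only if an SCP Allow covers it and no SCP Deny names it."""
    scp_allow, scp_deny = allowed_and_denied(scp_doc, master_list)
    user_allow, user_deny = allowed_and_denied(user_policy_doc, master_list)
    effective_user = user_allow - user_deny
    permitted_by_scp = scp_allow - scp_deny
    return {
        "denied_actions": effective_user - permitted_by_scp,
        "effective_actions": effective_user & permitted_by_scp,
    }


if __name__ == "__main__":
    result = scp_effect_on(SAMPLE_SCP, SAMPLE_USER_POLICY)
    print("denied by SCP:", sorted(result["denied_actions"]))
    print("still effective:", sorted(result["effective_actions"]))
```

With the constructed inputs, every write action and the explicitly denied sqs:ListQueueTags land in denied_actions, while the seven read actions the SCP allows remain effective. The real tool's output set is larger only because it expands against the full AWS master list rather than this 18-entry subset.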