Parse and process AWS IAM policies, statements, ARNs, and wildcards.
Detailed description of the policyuniverse Python project
policyuniverse
This package provides classes for parsing AWS IAM and resource policies.
In addition, the package can expand wildcards in AWS policies using the permissions obtained from the AWS Policy Generator.
See the Service and Permissions data.
The package can also minimize an AWS policy to help you stay under the policy size limit. Avoid doing this if possible, because it produces bad policies.
Install:
pip install policyuniverse
Usage:
Reading ARNs
from policyuniverse.arn import ARN

arn = ARN('arn:aws:iam::012345678910:role/SomeTestRoleForTesting')
assert arn.error == False
assert arn.tech == 'iam'
assert arn.region == ''  # IAM is universal/global
assert arn.account_number == '012345678910'
assert arn.name == 'role/SomeTestRoleForTesting'
assert arn.partition == 'aws'
assert arn.root == False  # Not the root ARN
assert arn.service == False  # Not an AWS service like lambda.amazonaws.com

# A bare account id is also accepted
arn = ARN('012345678910')
assert arn.account_number == '012345678910'

# An AWS service principal is recognised as a service, not an ARN
arn = ARN('lambda.amazonaws.com')
assert arn.service == True
assert arn.tech == 'lambda'
IAM and resource policies
Policies with multiple statements
# Two statements, both with conditions
policy05 = dict(
    Version='2010-08-14',
    Statement=[
        dict(
            Effect='Allow',
            Principal='arn:aws:iam::012345678910:root',
            Action=['s3:*'],
            Resource='*',
            Condition={
                'IpAddress': {'AWS:SourceIP': ['0.0.0.0/0']}
            }),
        dict(
            Effect='Allow',
            Principal='arn:aws:iam::*:role/Hello',
            Action=['ec2:*'],
            Resource='*',
            Condition={
                'StringLike': {'AWS:SourceOwner': '012345678910'}
            })
    ])

from policyuniverse.policy import Policy
from policyuniverse.statement import ConditionTuple, PrincipalTuple

policy = Policy(policy05)
assert policy.whos_allowed() == set([
    PrincipalTuple(category='principal', value='arn:aws:iam::*:role/Hello'),
    PrincipalTuple(category='principal', value='arn:aws:iam::012345678910:root'),
    ConditionTuple(category='cidr', value='0.0.0.0/0'),
    ConditionTuple(category='account', value='012345678910')])

# The given policy is not internet accessible.
# The first statement is limited by the principal, and the condition is basically a no-op.
# The second statement has a wildcard principal, but uses the condition to lock it down.
assert policy.is_internet_accessible() == False
An internet accessible policy:
# An internet accessible policy:
from policyuniverse.policy import Policy

policy01 = dict(
    Version='2012-10-08',
    Statement=dict(
        Effect='Allow',
        Principal='*',
        Action=['rds:*'],
        Resource='*',
        Condition={
            'IpAddress': {'AWS:SourceIP': ['0.0.0.0/0']}
        }))

policy = Policy(policy01)
assert policy.is_internet_accessible() == True
assert policy.internet_accessible_actions() == set(['rds:*'])
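The ARN parsing above and the two policy checks (the multi-statement policy and the internet accessible one) follow a small set of rules that is worth seeing spelled out. The following is an added example, not code from policyuniverse: a stdlib-only sketch of that reasoning, where `parse_arn`, `whos_allowed`, `is_internet_accessible` and `internet_accessible_actions` are my own functions and the decision rule (a statement is reachable from the internet when it allows a wildcard principal, meaning `*` or an ARN whose account field is `*`, and no condition value narrows the caller, with `0.0.0.0/0` and `*` not counting as narrowing) is an assumption modelled on the behaviour the README documents, not the library's implementation.

```python
"""Added example, not policyuniverse's own code: a stdlib-only sketch of ARN
parsing and of the whos_allowed()/is_internet_accessible() reasoning described
in the README. The rules are an assumption modelled on the documented behaviour."""
from collections import namedtuple

PrincipalTuple = namedtuple("PrincipalTuple", "category value")
ConditionTuple = namedtuple("ConditionTuple", "category value")

# Condition keys that identify the caller (looked up lower-case), mapped to a category.
CONDITION_CATEGORIES = {
    "aws:sourceip": "cidr", "aws:sourceowner": "account", "aws:sourceaccount": "account",
    "aws:sourcearn": "arn", "aws:userid": "userid", "aws:sourcevpc": "vpc",
    "aws:sourcevpce": "vpce",
}
# Values that admit everyone and therefore do not narrow a statement.
OPEN_VALUES = {"0.0.0.0/0", "::/0", "*"}


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource; None if not an ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return {"partition": parts[1], "tech": parts[2], "region": parts[3],
            "account_number": parts[4], "name": parts[5]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_principals(statement):
    """All principal strings; the {'AWS': [...], 'Service': [...]} form is flattened."""
    principal = statement.get("Principal", [])
    if isinstance(principal, dict):
        return {v for values in principal.values() for v in _as_list(values)}
    return set(_as_list(principal))


def statement_conditions(statement):
    """ConditionTuples for every caller-identifying condition value, any operator."""
    found = set()
    for keys in statement.get("Condition", {}).values():
        for key, values in keys.items():
            category = CONDITION_CATEGORIES.get(key.lower())
            if category:
                found.update(ConditionTuple(category, v) for v in _as_list(values))
    return found


def is_wildcard_principal(principal):
    """'*' itself, or an ARN whose account field is '*' (e.g. arn:aws:iam::*:role/Hello)."""
    if principal == "*":
        return True
    parsed = parse_arn(principal)
    return parsed is not None and parsed["account_number"] == "*"


def statement_is_internet_accessible(statement):
    if statement.get("Effect") != "Allow":
        return False
    if not any(is_wildcard_principal(p) for p in statement_principals(statement)):
        return False  # limited by the principal; conditions do not matter
    narrowed = any(c.value not in OPEN_VALUES for c in statement_conditions(statement))
    return not narrowed


def whos_allowed(policy):
    allowed = set()
    for s in _as_list(policy["Statement"]):
        allowed.update(PrincipalTuple("principal", p) for p in statement_principals(s))
        allowed.update(statement_conditions(s))
    return allowed


def is_internet_accessible(policy):
    return any(statement_is_internet_accessible(s) for s in _as_list(policy["Statement"]))


def internet_accessible_actions(policy):
    return {a for s in _as_list(policy["Statement"]) if statement_is_internet_accessible(s)
            for a in _as_list(s.get("Action", []))}


# The README's two policies, reused here as constructed input.
POLICY05 = {"Version": "2010-08-14", "Statement": [
    {"Effect": "Allow", "Principal": "arn:aws:iam::012345678910:root", "Action": ["s3:*"],
     "Resource": "*", "Condition": {"IpAddress": {"AWS:SourceIP": ["0.0.0.0/0"]}}},
    {"Effect": "Allow", "Principal": "arn:aws:iam::*:role/Hello", "Action": ["ec2:*"],
     "Resource": "*", "Condition": {"StringLike": {"AWS:SourceOwner": "012345678910"}}}]}
POLICY01 = {"Version": "2012-10-08", "Statement":
    {"Effect": "Allow", "Principal": "*", "Action": ["rds:*"], "Resource": "*",
     "Condition": {"IpAddress": {"AWS:SourceIP": ["0.0.0.0/0"]}}}}

if __name__ == "__main__":
    print(sorted(whos_allowed(POLICY05)))
    print(is_internet_accessible(POLICY05), is_internet_accessible(POLICY01))
    print(internet_accessible_actions(POLICY01))
```

The point of the sketch is the order of the checks: a non-wildcard principal ends the evaluation before any condition is looked at, which is why `0.0.0.0/0` on the first statement of `policy05` is harmless, while a wildcard principal is only rescued by a condition value that actually excludes someone.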
Statements
A policy is simply a collection of statements.
from policyuniverse.statement import Statement
from policyuniverse.statement import ConditionTuple, PrincipalTuple

statement12 = dict(
    Effect='Allow',
    Principal='*',
    Action=['rds:*'],
    Resource='*',
    Condition={
        'StringEquals': {
            'AWS:SourceVPC': 'vpc-111111',
            'AWS:Sourcevpce': 'vpce-111111',
            'AWS:SourceOwner': '012345678910',
            'AWS:SourceAccount': '012345678910'
        },
        'StringLike': {
            'AWS:userid': 'AROAI1111111111111111:*'
        },
        'ARNLike': {
            'AWS:SourceArn': 'arn:aws:iam::012345678910:role/Admin'
        },
        'IpAddressIfExists': {
            'AWS:SourceIP': ['123.45.67.89', '10.0.7.0/24', '172.16.0.0/16']
        }
    })

statement = Statement(statement12)
assert statement.effect == 'Allow'
assert statement.actions == set(['rds:*'])

# rds:* expands out to ~88 individual permissions
assert len(statement.actions_expanded) == 88

assert statement.uses_not_principal() == False
assert statement.principals == set(['*'])
assert statement.condition_arns == set(['arn:aws:iam::012345678910:role/Admin'])
assert statement.condition_accounts == set(['012345678910'])
assert statement.condition_userids == set(['AROAI1111111111111111:*'])
assert statement.condition_cidrs == set(['10.0.7.0/24', '172.16.0.0/16', '123.45.67.89'])
assert statement.condition_vpcs == set(['vpc-111111'])
assert statement.condition_vpces == set(['vpce-111111'])
assert statement.is_internet_accessible() == False
assert statement.whos_allowed() == set([
    PrincipalTuple(category='principal', value='*'),
    ConditionTuple(category='cidr', value='123.45.67.89'),
    ConditionTuple(category='account', value='012345678910'),
    ConditionTuple(category='userid', value='AROAI1111111111111111:*'),
    ConditionTuple(category='vpc', value='vpc-111111'),
    ConditionTuple(category='arn', value='arn:aws:iam::012345678910:role/Admin'),
    ConditionTuple(category='cidr', value='172.16.0.0/16'),
    ConditionTuple(category='vpce', value='vpce-111111'),
    ConditionTuple(category='cidr', value='10.0.7.0/24')])
Action categories
policy = {"Statement": [{"Action": ["s3:put*", "sqs:get*", "sns:*"], "Resource": "*", "Effect": "Allow"}]}

from policyuniverse.policy import Policy

p = Policy(policy)
for k, v in p.action_summary().items():
    print(k, v)

>>> ('s3', set([u'Write', u'Permissions', u'Tagging']))
>>> ('sqs', set([u'List']))
>>> ('sns', set([u'List', u'Read', u'Write', u'Permissions']))
The possible categories are Permissions, Write, Read, Tagging, and List. This data can be used to summarize statements and policies, and to find sensitive permissions.
Expand and minimize
from policyuniverse.expander_minimizer import expand_policy
from policyuniverse.expander_minimizer import minimize_policy

policy = {"Statement": [{"Action": ["swf:res*"], "Resource": "*", "Effect": "Allow"}]}

expanded_policy = expand_policy(policy=policy)
>>> Start size: 131. End size: 286

print(expanded_policy == {"Statement": [{"Action": ["swf:respondactivitytaskcanceled", "swf:respondactivitytaskcompleted", "swf:respondactivitytaskfailed", "swf:responddecisiontaskcompleted"], "Resource": "*", "Effect": "Allow"}]})
>>> True

minimized_policy = minimize_policy(policy=expanded_policy, minchars=3)
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Start size: 286. End size: 131

print(minimized_policy == policy)
>>> True
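The expansion and minimization above depend on a catalogue of known actions per service, and the minimizer must never produce a wildcard that grants more than the expanded list did. The following is an added example, not policyuniverse's code: my own `expand_policy` and `minimize_policy` run against a small constructed subset of swf actions (the real catalogue is far larger), where the minimization rule (replace each action with the shortest `prefix*` that matches only actions already in the statement, skipping prefixes shorter than `minchars`) is an assumption modelled on the "Skipping prefix" output shown above, not the library's algorithm.

```python
"""Added example, not policyuniverse's own code: wildcard expansion and
prefix minimization of IAM action lists against a constructed action catalogue.
The minimization rule is an assumption modelled on the README's output."""
import copy
import fnmatch

# Constructed subset of the swf action catalogue (the real list is much longer).
KNOWN_ACTIONS = {
    "swf": [
        "swf:registerdomain",
        "swf:registerworkflowtype",
        "swf:requestcancelworkflowexecution",
        "swf:respondactivitytaskcanceled",
        "swf:respondactivitytaskcompleted",
        "swf:respondactivitytaskfailed",
        "swf:responddecisiontaskcompleted",
        "swf:startworkflowexecution",
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_action(action):
    """Expand 'service:pattern' to the sorted known actions it matches (case-insensitive)."""
    pattern = action.lower()
    service = pattern.split(":", 1)[0]
    return sorted(fnmatch.filter(KNOWN_ACTIONS.get(service, []), pattern))


def expand_policy(policy):
    """Copy of the policy with every wildcard action expanded.
    Actions with no match in the catalogue are left exactly as written."""
    expanded = copy.deepcopy(policy)
    for statement in _as_list(expanded["Statement"]):
        actions = []
        for action in _as_list(statement["Action"]):
            actions.extend(expand_action(action) or [action])
        statement["Action"] = sorted(set(actions))
    return expanded


def minimize_actions(actions, minchars=3):
    """Collapse actions to the shortest 'prefix*' forms that do not match any
    known action outside the list. Prefixes shorter than minchars are skipped,
    mirroring the README's 'Skipping prefix r because length of 1' lines."""
    wanted = {a.lower() for a in actions}
    minimized = []
    for action in sorted(wanted):
        service, name = action.split(":", 1)
        universe = KNOWN_ACTIONS.get(service, [])
        chosen = action  # fall back to the literal action if no safe prefix exists
        for length in range(1, len(name)):
            prefix = name[:length]
            if length < minchars:
                print(f"Skipping prefix {prefix} because length of {length}")
                continue
            candidate = f"{service}:{prefix}*"
            matched = set(fnmatch.filter(universe, candidate))
            if matched and matched <= wanted:  # safe: grants nothing outside the list
                chosen = candidate
                break
        if chosen not in minimized:
            minimized.append(chosen)
    return minimized


def minimize_policy(policy, minchars=3):
    minimized = copy.deepcopy(policy)
    for statement in _as_list(minimized["Statement"]):
        statement["Action"] = minimize_actions(_as_list(statement["Action"]), minchars)
    return minimized


# The README's policy, reused as constructed input.
POLICY = {"Statement": [{"Action": ["swf:res*"], "Resource": "*", "Effect": "Allow"}]}

if __name__ == "__main__":
    expanded = expand_policy(POLICY)
    print(expanded["Statement"][0]["Action"])
    print(minimize_policy(expanded, minchars=3) == POLICY)
```

The `matched <= wanted` check is the safety property a reviewer should look for in any minimizer: a single action such as `swf:respondactivitytaskcanceled` is shortened only as far as `swf:respondactivitytaskca*`, because anything shorter would also match `swf:respondactivitytaskcompleted`, and a larger `minchars` simply pushes the chosen prefix later (for the four respond actions, `minchars=4` yields `swf:resp*`).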