Policy Minimization
The user documentation on policy minimization applies to this module as well; that documentation can be found here.
Note: the most relevant content here is the minimize_statement_actions function. Real-life usage of this function can be found in the command.write_policy module.
writing.minimize
Functions for minimizing statements, heavily borrowed from policyuniverse: https://github.com/Netflix-Skunkworks/policyuniverse/
IAM policies have character limits, which apply to individual policies, and there are also limits on the total aggregate policy size per entity. As such, it is not possible to use an exhaustive list of explicit IAM actions. To retain granular control over the specific IAM actions granted, we must use wildcards in IAM actions, but only in a programmatic manner: a wildcard is acceptable only when it matches nothing beyond the actions that were explicitly desired.
This is typically done by humans by hand, reducing policies to `s3:Get*`, `ec2:Describe*`, and other approaches of the sort.
Netflix's PolicyUniverse has addressed this in their minimization code. We borrowed this logic from their code and modified it a bit to fit our needs.
From https://aws.amazon.com/iam/faqs/ ("Q: How many policies can I attach to an IAM role?"):
* For inline policies: You can add as many inline policies as you want to a user, role, or group, but the total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the following limits:
    - User policy size cannot exceed 2,048 characters.
    - Role policy size cannot exceed 10,240 characters.
    - Group policy size cannot exceed 5,120 characters.
* For managed policies: You can add up to 10 managed policies to a user, role, or group.
* The size of each managed policy cannot exceed 6,144 characters.
_get_prefixes_for_action(action)
:param action: iam:cat
:return: [ "iam:", "iam:c", "iam:ca", "iam:cat" ]
Source code in policy_sentry/writing/minimize.py
check_min_permission_length(permission, minchars=None)
Adapted version of policyuniverse's _check_permission_length. We are commenting out the skipping prefix message https://github.com/Netflix-Skunkworks/policyuniverse/blob/master/policyuniverse/expander_minimizer.py#L111
Source code in policy_sentry/writing/minimize.py
get_denied_prefixes_from_desired(desired_actions, all_actions)
Adapted version of policyuniverse's _get_denied_prefixes_from_desired, here: https://github.com/Netflix-Skunkworks/policyuniverse/blob/master/policyuniverse/expander_minimizer.py#L101
Source code in policy_sentry/writing/minimize.py
minimize_statement_actions(desired_actions, all_actions, minchars=None)
This is a condensed version of policyuniverse's minimize_statement_actions, changed for our purposes. https://github.com/Netflix-Skunkworks/policyuniverse/blob/master/policyuniverse/expander_minimizer.py#L123
Source code in policy_sentry/writing/minimize.py
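As an added example (not code from policy_sentry or from policyuniverse), the following self-contained Python re-implements the prefix-based minimization described in the module notes above and in the four function entries, so the behaviour can be tried without the full IAM action database. The function names mirror this module's, but the bodies are this example's own; `ALL_ACTIONS` is a constructed stand-in for the real `all_actions` list (which has thousands of entries), and `statement_chars` is a helper added here to show the size reduction that motivates minimization.

```python
# Added example, not policy_sentry's or policyuniverse's own code: a
# self-contained re-implementation of prefix-based action minimization.
# ALL_ACTIONS is a constructed stand-in for the real IAM action list.
import json

ALL_ACTIONS = [
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetBucketPolicy", "s3:GetBucketAcl",
    "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeImages",
    "ec2:DeleteVolume", "ec2:RunInstances",
]


def get_prefixes_for_action(action):
    """'iam:cat' -> ['iam:', 'iam:c', 'iam:ca', 'iam:cat']: the bare service
    prefix followed by every prefix of the action name."""
    service, _, name = action.partition(":")
    return [f"{service}:{name[:i]}" for i in range(len(name) + 1)]


def get_denied_prefixes_from_desired(desired_actions, all_actions):
    """Every prefix of every action that is NOT desired. A wildcard
    'prefix*' is only safe if 'prefix' is absent from this set; otherwise
    the wildcard would also match an undesired action."""
    desired = {a.lower() for a in desired_actions}
    denied = set()
    for action in all_actions:
        if action.lower() not in desired:
            denied.update(get_prefixes_for_action(action.lower()))
    return denied


def check_min_permission_length(permission, minchars=None):
    """True if the action-name part (text after the colon) is shorter than
    minchars and should be skipped, e.g. to avoid 's3:g*' when the caller
    wants at least 's3:get*'. The empty name (bare 's3:') is never skipped."""
    return bool(minchars) and permission != "" and len(permission) < int(minchars)


def minimize_statement_actions(desired_actions, all_actions, minchars=None):
    """Replace each desired action with the shortest 'prefix*' that matches
    only desired actions; fall back to the literal action when none exists.
    Output is lower-case, which IAM accepts (action matching is case-insensitive)."""
    denied = get_denied_prefixes_from_desired(desired_actions, all_actions)
    minimized = set()
    for action in (a.lower() for a in desired_actions):
        # The action is itself a prefix of an undesired action
        # (e.g. s3:getobject vs s3:getobjectacl): no wildcard can express it.
        if action in denied:
            minimized.add(action)
            continue
        for prefix in get_prefixes_for_action(action):
            if check_min_permission_length(prefix.partition(":")[2], minchars):
                continue
            if prefix not in denied:
                minimized.add(prefix if prefix == action else prefix + "*")
                break
        else:
            # Every candidate was skipped by minchars: keep the literal action.
            minimized.add(action)
    return sorted(minimized)


def statement_chars(actions):
    """Characters a compact JSON Allow statement with this Action list would
    occupy, which is what the IAM size limits count."""
    statement = {"Effect": "Allow", "Action": actions, "Resource": "*"}
    return len(json.dumps(statement, separators=(",", ":")))


if __name__ == "__main__":
    wanted = ["s3:GetObject", "s3:GetObjectAcl", "s3:GetBucketPolicy", "s3:GetBucketAcl"]
    print(minimize_statement_actions(wanted, ALL_ACTIONS))              # ['s3:g*']
    print(minimize_statement_actions(wanted, ALL_ACTIONS, minchars=4))  # ['s3:getb*', 's3:geto*']
    print(minimize_statement_actions(["s3:GetObject"], ALL_ACTIONS))     # ['s3:getobject']
    print(statement_chars(wanted), statement_chars(minimize_statement_actions(wanted, ALL_ACTIONS)))
```

The result is only as safe as the action list it was minimized against: `s3:g*` excludes nothing that AWS adds later under the same prefix, so a wildcard produced today may grant a future API that did not exist when the policy was written. Re-run minimization against a current action list when regenerating policies, review the output, and use `minchars` when very short stubs such as `s3:g*` are not acceptable.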