Querying

querying.all

IAM database queries that are not specific to any one of the Actions, ARNs, or Condition Keys tables.

policy_sentry.querying.all.get_all_actions(db_session)

Gets the full list of all IAM actions. This is used as part of the policyuniverse approach to minimizing IAM policies with wildcard prefixes so that they meet the AWS-mandated character limits on policy documents.

Parameters:
  • db_session – SQLAlchemy database session object
Returns:

A list of all actions present in the database.
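The minimization technique referred to above replaces groups of actions with the shortest "service:prefix*" pattern that, checked against the full action universe, matches only actions you meant to grant. The following is an added example of that general technique (it is not policy_sentry's or policyuniverse's own code); the action universe ALL_ACTIONS is a constructed sample standing in for what get_all_actions(db_session) returns, and the DESIRED list, expand_patterns and minimize_actions are names chosen here for illustration.

```python
"""Prefix-wildcard minimization of an IAM action list against the full action
universe. Added example, not policy_sentry or policyuniverse code."""

# Constructed stand-in for the list returned by get_all_actions(db_session).
ALL_ACTIONS = [
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:PutObject",
    "s3:PutObjectAcl", "s3:ListBucket", "s3:DeleteObject",
    "iam:CreateRole", "iam:CreateUser", "iam:CreatePolicy", "iam:PassRole",
    "kms:Decrypt", "kms:DescribeKey",
]

# Constructed sample of the actions a policy should grant.
DESIRED = ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging",
           "iam:CreateRole", "iam:CreateUser"]


def expand_patterns(patterns, all_actions):
    """Return the set of universe actions that an action list (entries with or
    without a trailing '*') actually grants. IAM matches action names
    case-insensitively, so everything is compared in lower case."""
    universe = {a.lower() for a in all_actions}
    granted = set()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.endswith("*"):
            granted |= {a for a in universe if a.startswith(pattern[:-1])}
        elif pattern in universe:
            granted.add(pattern)
    return granted


def minimize_actions(desired_actions, all_actions, min_prefix_len=3):
    """Replace desired actions with the shortest 'service:prefix*' pattern that
    matches only desired actions within the universe. A pattern that would
    also grant an undesired action is never emitted; if no safe prefix exists
    the exact action name is kept."""
    universe = {a.lower() for a in all_actions}
    desired = {a.lower() for a in desired_actions}
    unknown = desired - universe
    if unknown:
        # A misspelled action grants nothing, so fail loudly instead of
        # producing a policy that silently lacks the permission.
        raise ValueError(f"actions not in the universe: {sorted(unknown)}")

    chosen, covered = set(), set()
    for action in sorted(desired):
        if action in covered:
            continue
        service, name = action.split(":", 1)
        pick = action
        # min_prefix_len avoids near-meaningless patterns such as 's3:g*'.
        for cut in range(min_prefix_len, len(name)):
            candidate = f"{service}:{name[:cut]}*"
            if expand_patterns([candidate], universe) <= desired:
                pick = candidate
                break
        covered |= expand_patterns([pick], universe)
        chosen.add(pick)
    return sorted(chosen)


if __name__ == "__main__":
    patterns = minimize_actions(DESIRED, ALL_ACTIONS)
    print(patterns)
    # Always verify the minimized list grants exactly what was asked for.
    assert expand_patterns(patterns, ALL_ACTIONS) == {a.lower() for a in DESIRED}
```

The subset check is what keeps the shortening safe: "s3:PutObject" alone is never shortened, because every prefix of it also matches "s3:PutObjectAcl". One caveat remains: a prefix chosen against today's universe will also match any action with that prefix that AWS introduces later, so minimized policies should be re-checked whenever the action database is refreshed.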
policy_sentry.querying.all.get_all_service_prefixes(db_session)

Gets all the AWS service prefixes from the actions table.

A service whose entries in the actions table contain no specific IAM actions (and which therefore only supports * actions) is not included in the response.

Parameters:
  • db_session – The SQLAlchemy database session
Returns:

A list of all AWS service prefixes present in the table.

querying.actions

Methods that execute specific queries against the SQLite database for the ACTIONS table. This supports the policy_sentry query functionality.

policy_sentry.querying.actions.get_action_data(db_session, service, name)

Get details about an IAM Action in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
  • name – The name of an AWS IAM action, like GetObject.
Returns:

A dictionary containing metadata about an IAM Action.

policy_sentry.querying.actions.get_actions_for_service(db_session, service)

Get a list of available actions for an AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_matching_condition_key(db_session, service, condition_key)

Get a list of actions under a service that allow the use of a specified condition key.

Parameters:
  • db_session – SQLAlchemy database session
  • service – A single AWS service prefix
  • condition_key – The condition key to look for.
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_that_support_wildcard_arns_only(db_session, service)

Get a list of actions that do not support restricting the action to resource ARNs.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_with_access_level(db_session, service, access_level)

Get a list of actions in a service that have the requested access level.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
  • access_level – An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging'
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_with_arn_type_and_access_level(db_session, service, resource_type_name, access_level)

Get a list of actions in a service that have the requested access level and apply to a specific ARN type.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
  • resource_type_name – The ARN type name, like bucket or key
  • access_level – An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging'
Returns:

A list of actions

policy_sentry.querying.actions.get_dependent_actions(db_session, actions_list)

Given a list of IAM actions, query the database to determine whether each action has dependent actions (the Dependent actions column of the AWS Actions, Resources, and Condition Keys tables). If it does, add the dependent actions to the list, and return the updated list.

To get dependent actions for a single IAM action, provide the action as a list with one item, like this: get_dependent_actions(db_session, ['kms:CreateCustomKeystore'])

Parameters:
  • db_session – SQLAlchemy database session object
  • actions_list – A list of actions to use in querying the database for dependent actions
Returns:

Updated list of actions, including dependent actions if applicable.

policy_sentry.querying.actions.remove_actions_not_matching_access_level(db_session, actions_list, access_level)

Given a list of actions, return only the actions that match an access level.

Parameters:
  • db_session – The SQLAlchemy database session
  • actions_list – A list of actions
  • access_level – ‘read’, ‘write’, ‘list’, ‘tagging’, or ‘permissions-management’
Returns:

Updated list of actions, where the actions not matching the requested access level are removed.
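The queries above are the building blocks for writing a least-privilege statement: expand dependent actions, filter by access level, and keep actions that only support wildcard ARNs out of the ARN-scoped statement so that Resource "*" is never widened to actions that could have been restricted. The following added example shows that flow end to end. It is not policy_sentry code: it uses a stdlib sqlite3 table whose schema, rows and function names (connect_sample_db, build_statements, the ACCESS_LEVELS map) are constructed here for illustration and mirror, rather than reproduce, the documented queries. The dependent-action expansion is iterated to a fixed point, which goes one step beyond the single-level lookup the documentation describes.

```python
"""Stand-in for the ACTIONS table queries on an in-memory sqlite3 table.
Added example; schema and rows are constructed and are not policy_sentry's."""
import json
import sqlite3

# Constructed rows: (service, name, access_level, resource_arn_format,
# dependent_actions). '*' means the action cannot be scoped to an ARN.
SAMPLE_ROWS = [
    ("kms", "CreateCustomKeyStore", "Write", "*", "cloudhsm:DescribeClusters"),
    ("kms", "Decrypt", "Write", "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", ""),
    ("kms", "DescribeKey", "Read", "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", ""),
    ("kms", "ListKeys", "List", "*", ""),
    ("s3", "GetObject", "Read", "arn:${Partition}:s3:::${BucketName}/${ObjectName}", ""),
    ("s3", "PutObject", "Write", "arn:${Partition}:s3:::${BucketName}/${ObjectName}", ""),
    ("s3", "ListAllMyBuckets", "List", "*", ""),
    ("cloudhsm", "DescribeClusters", "Read", "*", ""),
]

# Assumed mapping from the CLI spelling of an access level to the spelling
# stored in the table; the two differ in the documented functions above.
ACCESS_LEVELS = {
    "read": "Read", "write": "Write", "list": "List",
    "tagging": "Tagging", "permissions-management": "Permissions management",
}


def connect_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE actions (service TEXT, name TEXT, access_level TEXT,"
                 " resource_arn_format TEXT, dependent_actions TEXT)")
    conn.executemany("INSERT INTO actions VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def _lookup(conn, column, action):
    """Fetch one column for 'service:Name'; IAM action names are
    case-insensitive, so compare in lower case."""
    service, name = action.split(":", 1)
    row = conn.execute(f"SELECT {column} FROM actions"
                       " WHERE lower(service)=lower(?) AND lower(name)=lower(?)",
                       (service, name)).fetchone()
    return row[0] if row else None


def get_dependent_actions(conn, actions_list):
    """Add dependent actions until nothing new appears (transitive closure)."""
    result, queue = [], list(actions_list)
    while queue:
        action = queue.pop(0)
        if action in result:
            continue
        result.append(action)
        deps = _lookup(conn, "dependent_actions", action)
        if deps:
            queue.extend(dep.strip() for dep in deps.split(","))
    return result


def remove_actions_not_matching_access_level(conn, actions_list, access_level):
    wanted = ACCESS_LEVELS.get(access_level.lower())
    if wanted is None:
        raise ValueError(f"unknown access level: {access_level}")
    return [a for a in actions_list if _lookup(conn, "access_level", a) == wanted]


def get_actions_that_support_wildcard_arns_only(conn, service):
    rows = conn.execute("SELECT name FROM actions WHERE service=?"
                        " AND resource_arn_format='*' ORDER BY name", (service,))
    return [f"{service}:{name}" for (name,) in rows]


def build_statements(conn, actions_list, resource_arns):
    """Split actions into an ARN-scoped statement and a Resource '*' statement
    that holds only the actions which cannot be scoped."""
    wildcard_only = set()
    for service in {a.split(":", 1)[0] for a in actions_list}:
        wildcard_only |= set(get_actions_that_support_wildcard_arns_only(conn, service))
    scoped = [a for a in actions_list if a not in wildcard_only]
    unscoped = [a for a in actions_list if a in wildcard_only]
    statements = []
    if scoped:
        statements.append({"Effect": "Allow", "Action": scoped, "Resource": resource_arns})
    if unscoped:
        statements.append({"Effect": "Allow", "Action": unscoped, "Resource": "*"})
    return statements


if __name__ == "__main__":
    db = connect_sample_db()
    wanted = get_dependent_actions(db, ["kms:CreateCustomKeyStore", "s3:GetObject"])
    print(json.dumps(build_statements(db, wanted, ["arn:aws:s3:::my-bucket/*"]), indent=2))
```

Run as a script, the example shows kms:CreateCustomKeyStore pulling in cloudhsm:DescribeClusters, and both landing in the Resource "*" statement while s3:GetObject stays scoped to the bucket ARN. When using the real database, the access level passed to remove_actions_not_matching_access_level is the lowercase, hyphenated form while get_actions_with_access_level expects the form stored in the table, so keep a mapping like ACCESS_LEVELS in any code that calls both.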

querying.arns

Methods that execute specific queries against the SQLite database for the ARN table. This supports the policy_sentry query functionality

policy_sentry.querying.arns.get_arn_type_details(db_session, service, name)

Get details about a resource ARN type name in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
  • name – The name of a resource type, like bucket or object
Returns:

Metadata about an ARN type

policy_sentry.querying.arns.get_arn_types_for_service(db_session, service)

Get a list of available ARN short names per AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of ARN types, like bucket or object

policy_sentry.querying.arns.get_raw_arns_for_service(db_session, service)

Get a list of available raw ARNs for an AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of raw ARNs
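The raw ARNs in the table are templates in the ${Placeholder} style of the AWS documentation, such as arn:${Partition}:s3:::${BucketName}. The practical use of get_raw_arns_for_service and get_arn_types_for_service is to decide which ARN type a concrete ARN from a user belongs to, which in turn decides which actions can be scoped to it. The following added example (not policy_sentry code) compiles such templates into anchored regular expressions and picks the most specific matching type; RAW_ARNS is a constructed sample standing in for the table contents, and template_to_regex and match_arn are names chosen here.

```python
"""Match a concrete ARN against per-service raw ARN templates to find its
ARN type. Added example; RAW_ARNS is a constructed sample, not the table."""
import re

# Constructed stand-in for get_raw_arns_for_service / get_arn_types_for_service.
RAW_ARNS = {
    "s3": {
        "bucket": "arn:${Partition}:s3:::${BucketName}",
        "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
    },
    "kms": {
        "key": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}",
        "alias": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}",
    },
}

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9]+)\}")


def template_to_regex(raw_arn):
    """Turn 'arn:${Partition}:s3:::${BucketName}' into an anchored regex.
    Placeholders become named groups and literal text is escaped. Assumed
    rule: an inner placeholder may not contain ':' or '/', while the last
    one may contain '/' (object keys and role paths do) but not ':'."""
    parts, pos = [], 0
    matches = list(_PLACEHOLDER.finditer(raw_arn))
    for i, m in enumerate(matches):
        parts.append(re.escape(raw_arn[pos:m.start()]))
        last = i == len(matches) - 1
        parts.append(f"(?P<{m.group(1)}>{'[^:]+' if last else '[^:/]+'})")
        pos = m.end()
    parts.append(re.escape(raw_arn[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def match_arn(arn, raw_arns_by_service=RAW_ARNS):
    """Return (service, arn_type, captured placeholders) for the most specific
    matching template, or None when nothing matches. '*' and malformed ARNs
    return None so the caller can reject them instead of widening the policy."""
    fields = arn.split(":")
    if len(fields) < 6 or fields[0] != "arn":
        return None
    service = fields[2]
    best = None
    for arn_type, raw in raw_arns_by_service.get(service, {}).items():
        m = template_to_regex(raw).match(arn)
        # Prefer the template with the most placeholders: an object ARN also
        # matches the bucket template with '/' swallowed into BucketName.
        if m and (best is None or len(m.groupdict()) > len(best[2])):
            best = (service, arn_type, m.groupdict())
    return best


if __name__ == "__main__":
    for arn in ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/logs/2024/*",
                "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "*"]:
        print(arn, "->", match_arn(arn))
```

Trailing wildcards in user-supplied ARNs (arn:aws:s3:::my-bucket/*) are matched as ordinary characters, so they classify as the object type as intended; a bare "*" is deliberately unclassified.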

querying.conditions

Methods that execute specific queries against the SQLite database for the CONDITIONS table. This supports the policy_sentry query functionality

policy_sentry.querying.conditions.get_condition_key_details(db_session, service, condition_key_name)

Get details about a specific condition key in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like ec2 or kms
  • condition_key_name – The name of a condition key, like ec2:Vpc
Returns:

Metadata about the condition key

policy_sentry.querying.conditions.get_condition_keys_for_service(db_session, service)

Get a list of available condition keys for an AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of condition keys