Analyzing

analysis.analyze

Functions to support the analyze capability in this tool

policy_sentry.analysis.analyze.analyze_by_access_level(db_session, policy_json, access_level)

Determine whether a policy contains any actions at a given access level. This is particularly useful for finding out which policies grant ‘Permissions management’ level access.

Parameters:
  • db_session – SQLAlchemy database session
  • policy_json – a dictionary representing the AWS JSON policy
  • access_level – The normalized access level - either ‘read’, ‘list’, ‘write’, ‘tagging’, or ‘permissions-management’
policy_sentry.analysis.analyze.analyze_policy_file(db_session, policy_file, account_id, from_audit_file, finding_type, excluded_role_patterns)

Given a policy file, determine its risky actions based on a separate file containing a list of such actions. If the policy name matches a policy exclusion pattern from the report-config.yml file, that policy file is skipped.

Parameters:
  • db_session – SQLAlchemy database session object
  • policy_file – The path to the policy file to be evaluated
  • account_id – The AWS Account ID
  • from_audit_file – The file containing the list of problematic actions
  • finding_type – The type of finding - resource_exposure, privilege_escalation, network_exposure, or credentials_exposure
  • excluded_role_patterns – A RegEx pattern for excluding policy names from evaluation.
Returns:

False if the policy name matches excluded role patterns, or if it does not, a dictionary containing the findings.

Return type:

dict

policy_sentry.analysis.analyze.analyze_statement_by_access_level(db_session, statement_json, access_level)

Determine if a statement has any actions with a given access level.

Parameters:
  • db_session – SQLAlchemy database session
  • statement_json – a dictionary representing a statement from an AWS JSON policy
  • access_level – The normalized access level - either ‘read’, ‘list’, ‘write’, ‘tagging’, or ‘permissions-management’
policy_sentry.analysis.analyze.determine_actions_to_expand(db_session, action_list)

Determine which actions in the list contain a wildcard and need to be expanded, and expand them.

Parameters:
  • db_session – A SQLAlchemy database session object
  • action_list – A list of actions
Returns:

A list of actions, with wildcard entries expanded

Return type:

list

policy_sentry.analysis.analyze.determine_risky_actions(requested_actions, audit_file)

Compare the actions in the policy against the audit file of high-risk actions.

Parameters:
  • requested_actions – A list of the actions that are requested by the policy under evaluation
  • audit_file – The absolute path to the file that contains the list of IAM actions to evaluate.
Returns:

A list of any requested actions that are included in the file of risky actions

policy_sentry.analysis.analyze.determine_risky_actions_from_list(requested_actions, risky_actions)

Compare the actions in the policy against a list of high-risk actions.

Parameters:
  • requested_actions – A list of the actions that are requested by the policy under evaluation
  • risky_actions – A list of risky IAM actions to evaluate.
Returns:

A list of any requested actions that are included in the list of risky actions

policy_sentry.analysis.analyze.expand(action, db_session)

Expand an action containing a wildcard into the full list of matching actions.

Parameters:
  • action – An action containing a wildcard, such as s3:Get* or s3:L*
  • db_session – SQLAlchemy database session object
Returns:

A list of all the expanded actions (like actions matching s3:Get*)

Return type:

list

policy_sentry.analysis.analyze.read_risky_iam_permissions_text_file(audit_file)

Read in the audit file of high-risk actions.

Parameters:
  • audit_file – Path to the file containing a list of risky actions
Returns:

A list of actions from the file
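The following is an added example that reimplements, in plain Python, the logic the functions above document (wildcard expansion, per-statement and per-policy access-level analysis, reading an audit file and intersecting it with the requested actions). It is not policy_sentry's own code: the real functions query policy_sentry's IAM action database through a SQLAlchemy db_session, and here a small constructed ACTION_TABLE stands in for that database, so the db_session parameter is dropped from every signature. The sample policy, the audit file contents and the helper names `_as_list`, `allowed_actions` and `write_sample_audit_file` are all constructed for this illustration.

```python
# Added illustration of the analyze module's logic; not policy_sentry's own code.
# The constructed ACTION_TABLE stands in for the SQLAlchemy-backed action database.
import os
import tempfile
from fnmatch import fnmatch

# Constructed stand-in for the action database: "service:Action" -> access level.
ACTION_TABLE = {
    "s3:GetObject": "read",
    "s3:GetBucketPolicy": "read",
    "s3:ListBucket": "list",
    "s3:PutObject": "write",
    "s3:PutBucketPolicy": "permissions-management",
    "iam:PassRole": "write",
    "iam:CreatePolicyVersion": "permissions-management",
    "iam:AttachUserPolicy": "permissions-management",
    "ec2:DescribeInstances": "list",
}
ACCESS_LEVELS = ("read", "list", "write", "tagging", "permissions-management")

# Constructed sample policy: a wildcard read grant, a permissions-management
# grant, and an explicit Deny that must never be reported as granted.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM lets Statement be one object and Action one string; normalise to lists."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def expand(action):
    """Expand a wildcard action such as s3:Get* into every matching known action.
    Action names are case-insensitive in IAM, so the match is done in lower case."""
    if "*" not in action and "?" not in action:
        return [action]
    return sorted(a for a in ACTION_TABLE if fnmatch(a.lower(), action.lower()))

def determine_actions_to_expand(action_list):
    """Expand the wildcard entries of a list and pass the others through unchanged."""
    expanded = []
    for action in action_list:
        expanded.extend(expand(action))
    return expanded

def analyze_statement_by_access_level(statement_json, access_level):
    """Return the actions an Allow statement grants at the given access level."""
    if access_level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {access_level!r}")
    if statement_json.get("Effect") != "Allow":
        return []
    actions = determine_actions_to_expand(_as_list(statement_json.get("Action", [])))
    return [a for a in actions if ACTION_TABLE.get(a) == access_level]

def analyze_by_access_level(policy_json, access_level):
    """Collect, across all statements, the actions granted at that access level."""
    found = set()
    for statement in _as_list(policy_json.get("Statement", [])):
        found.update(analyze_statement_by_access_level(statement, access_level))
    return sorted(found)

def allowed_actions(policy_json):
    """Every action the policy's Allow statements grant, with wildcards expanded."""
    granted = set()
    for statement in _as_list(policy_json.get("Statement", [])):
        if statement.get("Effect") == "Allow":
            granted.update(determine_actions_to_expand(_as_list(statement.get("Action", []))))
    return sorted(granted)

def read_risky_iam_permissions_text_file(audit_file):
    """Read one action per line; blank lines and '#' comment lines are skipped."""
    with open(audit_file, encoding="utf-8") as handle:
        stripped = (line.strip() for line in handle)
        return [line for line in stripped if line and not line.startswith("#")]

def determine_risky_actions_from_list(requested_actions, risky_actions):
    """Case-insensitive intersection of the requested actions with the risky ones."""
    risky = {a.lower() for a in risky_actions}
    return sorted({a for a in requested_actions if a.lower() in risky})

def determine_risky_actions(requested_actions, audit_file):
    """Same check with the risky actions loaded from an audit file."""
    risky_actions = read_risky_iam_permissions_text_file(audit_file)
    return determine_risky_actions_from_list(requested_actions, risky_actions)

def write_sample_audit_file():
    """Write a constructed privilege_escalation-style audit file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "privilege-escalation.txt")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write("# constructed audit file\niam:CreatePolicyVersion\n"
                     "iam:AttachUserPolicy\n\ns3:PutBucketPolicy\n")
    return path
```

Two design points carry over to the real tool: wildcards must be expanded before any access-level or risky-action comparison, otherwise `s3:Get*` never equals `s3:GetBucketPolicy` and a match is silently missed; and only `Allow` statements count as granted access, so the `Deny` on `iam:AttachUserPolicy` in the sample policy is not reported even though that action is in both the audit file and the permissions-management tier.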