Querying

querying.all

IAM Database queries that are not specific to either the Actions, ARNs, or Condition Keys tables.

policy_sentry.querying.all.get_all_actions(db_session)

Gets a huge list of all IAM actions. This is used as part of the policyuniverse approach to minimizing IAM Policies to meet AWS-mandated character limits on policies.

Parameters:
  • db_session – SQLAlchemy database session object
Returns:

A list of all actions present in the database.

policy_sentry.querying.all.get_all_service_prefixes(db_session)

Gets all the AWS service prefixes from the actions table.

If a service has no specific IAM actions in the actions table (and therefore only supports * actions), it is not included in the response.

Parameters:
  • db_session – The SQLAlchemy database session
Returns:

A list of all AWS service prefixes present in the table.

querying.actions

Methods that execute specific queries against the SQLite database for the ACTIONS table. This supports the policy_sentry query functionality.

policy_sentry.querying.actions.get_action_data(db_session, service, name)

Get details about an IAM Action in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
  • name – The name of an AWS IAM action, like GetObject. To get data about all actions in a service, specify “*”
Returns:

A dictionary containing metadata about an IAM Action.

policy_sentry.querying.actions.get_actions_at_access_level_that_support_wildcard_arns_only(db_session, service, access_level)

Get a list of actions at an access level that do not support restricting the action to resource ARNs.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
  • access_level – An access level as it is written in the database, such as ‘Read’, ‘Write’, ‘List’, ‘Permissions management’, or ‘Tagging’
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_for_service(db_session, service)

Get a list of available actions per AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_matching_condition_crud_and_arn(db_session, condition_key, access_level, raw_arn)

Get a list of IAM Actions matching a condition key, CRUD level, and raw ARN format.

Parameters:
  • db_session – SQLAlchemy database session
  • condition_key – A condition key, like aws:TagKeys
  • access_level – Access level that matches the database value. “Read”, “Write”, “List”, “Tagging”, or “Permissions management”
  • raw_arn – The raw ARN format in the database, like arn:${Partition}:s3:::${BucketName}
Returns:

List of IAM Actions

policy_sentry.querying.actions.get_actions_matching_condition_key(db_session, service, condition_key)

Get a list of actions under a service that allow the use of a specified condition key.

Parameters:
  • db_session – SQLAlchemy database session
  • service – A single AWS service prefix
  • condition_key – The condition key to look for.
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_that_support_wildcard_arns_only(db_session, service)

Get a list of actions that do not support restricting the action to resource ARNs.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_with_access_level(db_session, service, access_level)

Get a list of actions in a service under different access levels.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
  • access_level – An access level as it is written in the database, such as ‘Read’, ‘Write’, ‘List’, ‘Permissions management’, or ‘Tagging’
Returns:

A list of actions

policy_sentry.querying.actions.get_actions_with_arn_type_and_access_level(db_session, service, resource_type_name, access_level)

Get a list of actions in a service under different access levels, specific to an ARN format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – A single AWS service prefix, like s3 or kms
  • resource_type_name – The ARN type name, like bucket or key
  • access_level – An access level as it is written in the database, such as ‘Read’, ‘Write’, ‘List’, ‘Permissions management’, or ‘Tagging’
Returns:

A list of actions

policy_sentry.querying.actions.get_dependent_actions(db_session, actions_list)

Given a list of IAM Actions, query the database to determine if the action has dependent actions in the fifth column of the Resources, Actions, and Condition keys tables. If it does, add the dependent actions to the list, and return the updated list.

The returned list includes the original action as well. So, if you supply kms:CreateCustomKeyStore, it will give you kms:CreateCustomKeyStore as well as cloudhsm:DescribeClusters.

To get dependent actions for a single IAM action, provide the action as a list with one item, like this: get_dependent_actions(db_session, ['kms:CreateCustomKeyStore'])

Parameters:
  • db_session – SQLAlchemy database session object
  • actions_list – A list of actions to use in querying the database for dependent actions
Returns:

Updated list of actions, including dependent actions if applicable.

policy_sentry.querying.actions.remove_actions_not_matching_access_level(db_session, actions_list, access_level)

Given a list of actions, return a list of actions that match an access level.

Parameters:
  • db_session – The SQLAlchemy database session
  • actions_list – A list of actions
  • access_level – ‘read’, ‘write’, ‘list’, ‘tagging’, or ‘permissions-management’
Returns:

Updated list of actions, where the actions not matching the requested access level are removed.

policy_sentry.querying.actions.remove_actions_that_are_not_wildcard_arn_only(db_session, actions_list)

Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot.

Parameters:
  • db_session – SQLAlchemy database session object
  • actions_list – A list of actions
Returns:

An updated list of actions

Return type:

list
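
As an added example (not policy_sentry's own code), the three filters this section describes, dependent-action expansion, access-level filtering, and wildcard-ARN-only detection, implemented with the standard-library sqlite3 module over a constructed, deliberately simplified stand-in for the ACTIONS table; the schema, the sample rows and the connection passed in place of db_session are assumptions.

```python
import sqlite3

# Constructed, simplified stand-in for the ACTIONS table this section queries (not
# policy_sentry's schema): one row per (action, ARN format) with the access level, the
# raw ARN the action can be scoped to ("*" when it cannot be restricted to a resource
# ARN) and a comma-separated list of dependent actions.
SAMPLE_ROWS = [
    ("s3", "GetObject", "Read", "arn:${Partition}:s3:::${BucketName}/${ObjectName}", ""),
    ("s3", "PutObject", "Write", "arn:${Partition}:s3:::${BucketName}/${ObjectName}", ""),
    ("s3", "ListAllMyBuckets", "List", "*", ""),
    ("kms", "CreateCustomKeyStore", "Permissions management", "*", "cloudhsm:DescribeClusters"),
    ("cloudhsm", "DescribeClusters", "Read", "*", ""),
]
# CLI-style level names (as remove_actions_not_matching_access_level takes them) -> DB values.
DB_ACCESS_LEVELS = {"read": "Read", "write": "Write", "list": "List", "tagging": "Tagging",
                    "permissions-management": "Permissions management"}

def build_session():
    """Return an in-memory sqlite3 connection loaded with the sample rows (stands in for db_session)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE actions (service TEXT, name TEXT, access_level TEXT, raw_arn TEXT, dependent_actions TEXT)")
    conn.executemany("INSERT INTO actions VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def get_dependent_actions(conn, actions_list):
    """Return the given actions plus their dependent actions, deduplicated and in order."""
    result = []
    for action in actions_list:
        service, _, name = action.partition(":")
        row = conn.execute("SELECT dependent_actions FROM actions WHERE service = ? AND name = ?", (service, name)).fetchone()
        deps = [d.strip() for d in row[0].split(",")] if row and row[0] else []
        for candidate in [action] + deps:
            if candidate not in result:
                result.append(candidate)
    return result

def remove_actions_not_matching_access_level(conn, actions_list, access_level):
    """Keep only the actions whose database access level matches the requested level."""
    wanted = DB_ACCESS_LEVELS[access_level]
    kept = []
    for action in actions_list:
        service, _, name = action.partition(":")
        if conn.execute("SELECT 1 FROM actions WHERE service = ? AND name = ? AND access_level = ?", (service, name, wanted)).fetchone():
            kept.append(action)
    return kept

def get_actions_that_support_wildcard_arns_only(conn, service):
    """Actions of a service that have no row allowing them to be scoped to a specific ARN."""
    rows = conn.execute("SELECT name FROM actions WHERE service = ? GROUP BY name HAVING SUM(raw_arn != '*') = 0 ORDER BY name", (service,)).fetchall()
    return [f"{service}:{r[0]}" for r in rows]
```

The wildcard-only query groups by action name so an action with even one ARN-scoped row is excluded, which is the property a least-privilege policy needs before it falls back to "Resource": "*".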

querying.arns

Methods that execute specific queries against the SQLite database for the ARN table. This supports the policy_sentry query functionality.

policy_sentry.querying.arns.get_arn_data(db_session, service, name)

Get details about ARNs in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
  • name – The name of a resource type, like bucket or object. To get details on ALL arns in a service, specify “*” here.
Returns:

Metadata about an ARN type

policy_sentry.querying.arns.get_arn_type_details(db_session, service, name)

Get details about a resource ARN type name in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
  • name – The name of a resource type, like bucket or object
Returns:

Metadata about an ARN type

policy_sentry.querying.arns.get_arn_types_for_service(db_session, service)

Get a list of available ARN short names per AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of ARN types, like bucket or object

policy_sentry.querying.arns.get_raw_arns_for_service(db_session, service)

Get a list of available raw ARNs per AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of raw ARNs

policy_sentry.querying.arns.get_resource_type_name_with_raw_arn(db_session, raw_arn)

Given a raw ARN, return the resource type name as shown in the database.

Parameters:
  • db_session – SQLAlchemy database session object
  • raw_arn – The raw ARN stored in the database, like ‘arn:${Partition}:s3:::${BucketName}’
Returns:

The resource type name, like bucket

querying.conditions

Methods that execute specific queries against the SQLite database for the CONDITIONS table. This supports the policy_sentry query functionality.

policy_sentry.querying.conditions.get_condition_key_details(db_session, service, condition_key_name)

Get details about a specific condition key in JSON format.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like ec2 or kms
  • condition_key_name – The name of a condition key, like ec2:Vpc
Returns:

Metadata about the condition key

policy_sentry.querying.conditions.get_condition_keys_available_to_raw_arn(db_session, raw_arn)

Get a list of condition keys available to a raw ARN.

Parameters:
  • db_session – SQLAlchemy database session object
  • raw_arn – The value in the database, like arn:${Partition}:s3:::${BucketName}/${ObjectName}
policy_sentry.querying.conditions.get_condition_keys_for_service(db_session, service)

Get a list of available condition keys per AWS service.

Parameters:
  • db_session – SQLAlchemy database session object
  • service – An AWS service prefix, like s3 or kms
Returns:

A list of condition keys

policy_sentry.querying.conditions.get_condition_value_type(db_session, condition_key)

Get the data type of the condition key, like Date, String, etc.

Parameters:
  • db_session – SQLAlchemy database session object
  • condition_key – A condition key, like a4b:filters_deviceType
Returns:

policy_sentry.querying.conditions.get_conditions_for_action_and_raw_arn(db_session, action, raw_arn)

Get a list of conditions available to an action.

Parameters:
  • db_session – SQLAlchemy database session object
  • action – The IAM action, like s3:GetObject
  • raw_arn – The raw ARN format specific to the action
Returns: