Utilities

util.policy_files

A few methods for parsing policies.

policy_sentry.util.policy_files.get_actions_from_json_policy_file(file)

Read the JSON policy file and return a list of actions.

policy_sentry.util.policy_files.get_actions_from_policy(data)

Given a policy dictionary, create a list of the actions.

policy_sentry.util.policy_files.get_actions_from_statement(statement)

Given a statement dictionary, create a list of the actions.

util.arns

Functions to use for parsing ARNs, matching ARN types, and getting the right fragment/component from an ARN string.

policy_sentry.util.arns.arn_has_colons(arn)

Given an ARN, determine if the ARN has colons in it. Just useful for the hacky methods for parsing ARN namespaces. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more details on ARN namespacing.

policy_sentry.util.arns.arn_has_slash(arn)

Given an ARN, determine if the ARN has a slash in it. Just useful for the hacky methods for parsing ARN namespaces. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more details on ARN namespacing.

policy_sentry.util.arns.does_arn_match(arn_to_test, arn_in_database)

Given two ARNs, determine if they match. The cases supported are outlined below.

Case 1: arn:partition:service:region:account-id:resource

Case 2: arn:partition:service:region:account-id:resourcetype/resource

Case 3: arn:partition:service:region:account-id:resourcetype/resource/qualifier

Case 4: arn:partition:service:region:account-id:resourcetype/resource:qualifier

Case 5: arn:partition:service:region:account-id:resourcetype:resource

Case 6: arn:partition:service:region:account-id:resourcetype:resource:qualifier

Source: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-arns

Parameters: arn – ARN to parse
Returns: result of whether or not the ARNs match

policy_sentry.util.arns.get_account_from_arn(arn)

Given an ARN, return the account ID in the ARN, if it is available. In certain cases, like S3, it is not.

policy_sentry.util.arns.get_partition_from_arn(arn)

Given an ARN string, return the partition string. This is usually aws unless you are in C2S or AWS GovCloud.

policy_sentry.util.arns.get_region_from_arn(arn)

Given an ARN, return the region in the ARN, if it is available. In certain cases, like S3, it is not.

policy_sentry.util.arns.get_resource_from_arn(arn)

Given an ARN, parse it according to ARN namespacing and return the resource. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more details on ARN namespacing.

policy_sentry.util.arns.get_resource_path_from_arn(arn)

Given an ARN, parse it according to ARN namespacing and return the resource path. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more details on ARN namespacing.

policy_sentry.util.arns.get_service_from_arn(arn)

Given an ARN string, return the service name.

policy_sentry.util.arns.parse_arn(arn)

Given an ARN, split up the ARN into the ARN namespacing schema dictated by the AWS docs.
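The six resource layouts listed under does_arn_match above, worked through in code. This is an added example, not policy_sentry's own implementation: the function names mirror the ones documented in this section, but the parsing heuristic (try the slash-separated cases 2-4 first, then the colon-separated cases 5-6, else case 1), the returned dictionary keys, and the use of fnmatch-style "*" wildcards in the database ARN are all assumptions of this example. All ARNs in it are constructed sample values.

```python
from fnmatch import fnmatchcase
from typing import Dict, Optional


def parse_arn(arn: str) -> Dict[str, Optional[str]]:
    """Split an ARN into its components following the six documented cases.

    The first five colons are structural (arn:partition:service:region:account);
    everything after the account ID is the resource part, which is then split
    according to cases 1-6. Service-specific layouts (for example S3 object
    keys that themselves contain slashes) are not special-cased here.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, rest = parts
    resource_type = resource = qualifier = None
    if "/" in rest:
        # Cases 2-4: resourcetype/resource, resourcetype/resource/qualifier,
        # resourcetype/resource:qualifier
        resource_type, remainder = rest.split("/", 1)
        if ":" in remainder:
            resource, qualifier = remainder.split(":", 1)      # case 4
        elif "/" in remainder:
            resource, qualifier = remainder.split("/", 1)      # case 3
        else:
            resource = remainder                               # case 2
    elif ":" in rest:
        # Cases 5-6: resourcetype:resource, resourcetype:resource:qualifier
        segments = rest.split(":", 2)
        resource_type, resource = segments[0], segments[1]
        if len(segments) == 3:
            qualifier = segments[2]
    else:
        resource = rest                                        # case 1
    return {
        "partition": partition,
        "service": service,
        "region": region,
        "account": account,
        "resource_path": rest,          # the raw part after the account ID
        "resource_type": resource_type,
        "resource": resource,
        "qualifier": qualifier,
    }


def get_partition_from_arn(arn: str) -> str:
    return parse_arn(arn)["partition"]


def get_service_from_arn(arn: str) -> str:
    return parse_arn(arn)["service"]


def get_region_from_arn(arn: str) -> Optional[str]:
    # Empty for global services such as S3 and IAM, reported as None
    return parse_arn(arn)["region"] or None


def get_account_from_arn(arn: str) -> Optional[str]:
    # Empty for S3 ARNs, reported as None
    return parse_arn(arn)["account"] or None


def get_resource_from_arn(arn: str) -> Optional[str]:
    return parse_arn(arn)["resource"]


def get_resource_path_from_arn(arn: str) -> str:
    return parse_arn(arn)["resource_path"]


def does_arn_match(arn_to_test: str, arn_in_database: str) -> bool:
    """Component-wise match of a concrete ARN against a database ARN.

    Assumption of this example: the database ARN may contain "*" wildcards,
    compared with fnmatch semantics per component. The resource part is
    compared as a whole so that "bucket/*" covers keys containing slashes.
    """
    test, pattern = parse_arn(arn_to_test), parse_arn(arn_in_database)
    for field in ("partition", "service", "region", "account", "resource_path"):
        if not fnmatchcase(test[field], pattern[field]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample ARNs, one per documented case
    for sample in (
        "arn:aws:s3:::my-bucket",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc",
        "arn:aws:svc:us-east-1:123456789012:type/name/sub",
        "arn:aws:svc:us-east-1:123456789012:type/name:v1",
        "arn:aws:svc:us-east-1:123456789012:type:name",
        "arn:aws:lambda:us-east-1:123456789012:function:my-fn:3",
    ):
        print(sample, "->", parse_arn(sample))
```

Because the matcher compares the whole resource part rather than the parsed resource/qualifier fields, a database entry of `arn:aws:s3:::my-bucket/*` matches any object key under the bucket regardless of how many slashes the key contains, which is the behaviour an IAM reviewer normally expects.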

util.file

Functions that relate to manipulating files, loading files, and managing filepaths.

policy_sentry.util.file.check_valid_file_path(file)

Checks if the file path is valid.

Parameters: file – The file to check.
Returns: True if it exists, False if it does not
Return type: bool

policy_sentry.util.file.create_directory_if_it_doesnt_exist(directory)

Equivalent of mkdir -p.

policy_sentry.util.file.list_files_in_directory(directory)

Equivalent of the ls command; returns the list of files in the directory.

policy_sentry.util.file.read_this_file(filename)

Read a file at a path and return its lines.

policy_sentry.util.file.read_yaml_file(filename)

Reads a YAML file, safe-loads it, and returns the dictionary.

Parameters: filename – name of the YAML file
Returns: dictionary of YAML file contents

policy_sentry.util.file.write_json_file(filename, json_contents)

Writes a JSON file.

Parameters:
filename – name of the JSON file, which should include the path
json_contents – a dictionary used to build the JSON. This is the IAM Policy built by the write_policy functions.
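The util.file helpers above, written out as an added example that is not policy_sentry's own code. The function names follow the documentation in this section; the behaviour details (isfile rather than exists for check_valid_file_path, creating the parent directory before writing JSON, PyYAML's safe_load for YAML, and the temporary-directory round trip used to exercise them offline) are choices of this example.

```python
import json
import os
import tempfile
from typing import Any, Dict, List, Tuple

try:
    import yaml  # PyYAML; optional here, only read_yaml_file needs it
except ImportError:  # pragma: no cover
    yaml = None


def check_valid_file_path(file: str) -> bool:
    # isfile rather than exists: a directory at that path is not a readable policy file
    return os.path.isfile(file)


def create_directory_if_it_doesnt_exist(directory: str) -> None:
    # Equivalent of mkdir -p; no error if the directory already exists
    os.makedirs(directory, exist_ok=True)


def list_files_in_directory(directory: str) -> List[str]:
    # Equivalent of ls, restricted to regular files and sorted for stable output
    return sorted(
        entry for entry in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, entry))
    )


def read_this_file(filename: str) -> List[str]:
    with open(filename, encoding="utf-8") as handle:
        return handle.read().splitlines()


def read_yaml_file(filename: str) -> Dict[str, Any]:
    if yaml is None:
        raise RuntimeError("PyYAML is required for read_yaml_file")
    with open(filename, encoding="utf-8") as handle:
        # safe_load only builds plain Python types; yaml.load can instantiate
        # arbitrary objects from a crafted document, so it is never used here
        return yaml.safe_load(handle)


def write_json_file(filename: str, json_contents: Dict[str, Any]) -> None:
    create_directory_if_it_doesnt_exist(os.path.dirname(filename) or ".")
    with open(filename, "w", encoding="utf-8") as handle:
        json.dump(json_contents, handle, indent=4)
        handle.write("\n")


# Constructed sample policy used for the round trip below
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}


def round_trip_in_tempdir() -> Tuple[bool, List[str], Dict[str, Any], int]:
    """Write the sample policy into a fresh temp dir, then read it back.

    Returns (file existed?, directory listing, parsed policy, line count).
    """
    base = tempfile.mkdtemp(prefix="policy_files_")
    target = os.path.join(base, "policies", "policy.json")
    assert not check_valid_file_path(target)
    write_json_file(SAMPLE_POLICY, json_contents=SAMPLE_POLICY) if False else write_json_file(target, SAMPLE_POLICY)
    exists = check_valid_file_path(target)
    listing = list_files_in_directory(os.path.dirname(target))
    with open(target, encoding="utf-8") as handle:
        parsed = json.load(handle)
    return exists, listing, parsed, len(read_this_file(target))


if __name__ == "__main__":
    print(round_trip_in_tempdir())
```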

util.actions

Text operations specific to IAM actions

policy_sentry.util.actions.get_action_name_from_action(action)

Returns the lowercase action name from a service:action combination.

Parameters: action – a service:action string, e.g. ec2:DescribeInstance
Returns: the lowercase action name, e.g. describeinstance

policy_sentry.util.actions.get_full_action_name(service, action_name)

Gets the proper formatting for an action: the service, plus colon, plus action name.

Parameters:
service – service name, like s3
action_name – action name, like createbucket
Returns: the resulting string

policy_sentry.util.actions.get_lowercase_action_list(action_list)

Given a list of actions, return the same list in lowercase format.

policy_sentry.util.actions.get_service_from_action(action)

Returns the service name from a service:action combination.

Parameters: action – a service:action string, e.g. ec2:DescribeInstance
Returns: the service name, e.g. ec2
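The util.policy_files and util.actions helpers together, as an added example rather than policy_sentry's own code. It extracts the actions from a policy document (handling "Action" given as either a string or a list, and skipping "NotAction" statements, which list what is not granted), then applies the action string operations documented in this section. The sample policy is constructed; treating a bare "*" action as service "*" with action name "*", and the actions_by_service grouping, are assumptions of this example.

```python
import json
from typing import Any, Dict, List, Tuple


def get_actions_from_statement(statement: Dict[str, Any]) -> List[str]:
    """Return the actions named in one IAM statement.

    "Action" may be a single string or a list. Statements that use "NotAction"
    carry no "Action" key and contribute nothing here.
    """
    action = statement.get("Action")
    if action is None:
        return []
    return [action] if isinstance(action, str) else list(action)


def get_actions_from_policy(data: Dict[str, Any]) -> List[str]:
    statements = data.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as a dict
        statements = [statements]
    actions: List[str] = []
    for statement in statements:
        actions.extend(get_actions_from_statement(statement))
    return actions


def get_actions_from_json_policy_file(file: str) -> List[str]:
    with open(file, encoding="utf-8") as handle:
        return get_actions_from_policy(json.load(handle))


def _split_action(action: str) -> Tuple[str, str]:
    # Assumption: a bare "*" means every action of every service
    if action == "*":
        return "*", "*"
    service, _, name = action.partition(":")
    return service, name


def get_service_from_action(action: str) -> str:
    return _split_action(action)[0].lower()


def get_action_name_from_action(action: str) -> str:
    return _split_action(action)[1].lower()


def get_full_action_name(service: str, action_name: str) -> str:
    return f"{service}:{action_name}"


def get_lowercase_action_list(action_list: List[str]) -> List[str]:
    return [action.lower() for action in action_list]


def actions_by_service(data: Dict[str, Any]) -> Dict[str, List[str]]:
    """Group the granted actions by service, lowercased and de-duplicated.

    IAM matches action names case-insensitively, so "S3:getobject" and
    "s3:GetObject" collapse to one entry.
    """
    grouped: Dict[str, set] = {}
    for action in get_lowercase_action_list(get_actions_from_policy(data)):
        grouped.setdefault(get_service_from_action(action), set()).add(get_action_name_from_action(action))
    return {service: sorted(names) for service, names in sorted(grouped.items())}


# Constructed sample policy exercising string and list "Action" forms,
# mixed case, a service-level wildcard and a NotAction statement
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*", "S3:getobject"], "Resource": "*"},
        {"Effect": "Deny", "NotAction": "s3:*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print(get_actions_from_policy(SAMPLE_POLICY))
    print(actions_by_service(SAMPLE_POLICY))
```

The grouped view is the one worth reading in review: a service key whose list contains "*" (iam above) grants every action of that service, which is exactly the kind of over-broad statement least-privilege tooling is meant to surface.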