Analyzing
analysis.analyze
Functions to support the analyze capability in this tool.
policy_sentry.analysis.analyze.analyze_by_access_level(db_session, policy_json, access_level)
Determine whether a policy contains any actions with a given access level. This is particularly useful for finding out who holds 'Permissions management' level access, since those actions can be used to grant further permissions.
Parameters: - db_session – SQLAlchemy database session
- policy_json – a dictionary representing the AWS JSON policy
- access_level – The normalized access level: one of 'read', 'list', 'write', 'tagging', or 'permissions-management'
policy_sentry.analysis.analyze.analyze_policy_file(db_session, policy_file, account_id, from_audit_file, finding_type, excluded_role_patterns)
Given a policy file, determine the risky actions it grants by comparing them against a separate audit file containing a list of actions. If the policy name matches a policy exclusion pattern from the report-config.yml file, that policy file is skipped.
Parameters: - db_session – SQLAlchemy database session object
- policy_file – The path to the policy file to be evaluated
- account_id – The AWS Account ID
- from_audit_file – The file containing the list of problematic actions
- finding_type – The type of finding: resource_exposure, privilege_escalation, network_exposure, or credentials_exposure
- excluded_role_patterns – A regular expression pattern for excluding policy names from evaluation
Returns: False if the policy name matches the excluded role patterns; otherwise a dictionary containing the findings.
Return type: dict
policy_sentry.analysis.analyze.analyze_statement_by_access_level(db_session, statement_json, access_level)
Determine whether a single statement contains any actions with a given access level.
Parameters: - db_session – SQLAlchemy database session
- statement_json – a dictionary representing one statement from an AWS JSON policy
- access_level – The normalized access level: one of 'read', 'list', 'write', 'tagging', or 'permissions-management'
policy_sentry.analysis.analyze.determine_actions_to_expand(db_session, action_list)
Determine which actions in the list contain a wildcard and need to be expanded into the concrete actions they match.
Parameters: - db_session – A SQLAlchemy database session object
- action_list – A list of actions, possibly containing wildcards such as s3:Get*
Returns: A list of actions
Return type: list
policy_sentry.analysis.analyze.determine_risky_actions(requested_actions, audit_file)
Compare the actions in the policy against the audit file of high-risk actions.
Parameters: - requested_actions – A list of the actions requested by the policy under evaluation
- audit_file – The absolute path to the file containing the list of IAM actions to evaluate against
Returns: A list of any requested actions that appear in the file of risky actions
policy_sentry.analysis.analyze.determine_risky_actions_from_list(requested_actions, risky_actions)
Compare the actions in the policy against an in-memory list of high-risk actions.
Parameters: - requested_actions – A list of the actions requested by the policy under evaluation
- risky_actions – A list of risky IAM actions to evaluate against
Returns: A list of any requested actions that appear in the list of risky actions
policy_sentry.analysis.analyze.expand(action, db_session)
Expand a wildcard action into the full list of concrete actions it matches.
Parameters: - action – An action containing a wildcard, such as s3:Get* or s3:L*
- db_session – SQLAlchemy database session object
Returns: A list of all the expanded actions (for example, every action matching s3:Get*)
Return type: list
policy_sentry.analysis.analyze.read_risky_iam_permissions_text_file(audit_file)
Read in the audit file of high-risk actions.
Parameters: - audit_file – Path to the file containing a list of risky actions
Returns: risky_actions – A list of actions read from the file
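The functions above work together as a pipeline: wildcard actions are expanded against the IAM action database, the expanded list is compared against an audit file of risky actions, and statements are checked for actions at a given access level. The following is an added, self-contained example that mirrors that pipeline; it is not policy_sentry's own code. It replaces the SQLAlchemy database session with a small constructed dictionary of action → access level (ACTION_TABLE), so the function signatures differ from the library's (no db_session argument), and it only considers Allow statements with an Action element; Deny, NotAction and resource constraints are out of scope for the example. The sample policy and audit file contents are constructed for the demo.

```python
"""Illustrative re-implementation of the analyze-module pipeline.
ACTION_TABLE stands in for the SQLAlchemy-backed IAM action database; it is a
constructed sample, not policy_sentry's data, and the signatures are simplified."""
import fnmatch
import os
import tempfile

# Constructed sample of the action database: action name -> normalized access level.
ACTION_TABLE = {
    "s3:GetObject": "read",
    "s3:GetBucketPolicy": "read",
    "s3:ListBucket": "list",
    "s3:PutObject": "write",
    "s3:PutBucketPolicy": "permissions-management",
    "ec2:DescribeInstances": "list",
    "ec2:RunInstances": "write",
    "iam:PassRole": "write",
    "iam:AttachRolePolicy": "permissions-management",
}


def expand(action, table=ACTION_TABLE):
    """Expand a wildcard action such as 's3:Get*' into the concrete actions it matches.
    IAM action names are case-insensitive, so both sides are case-folded; '*' and '?' work."""
    pattern = action.lower()
    return sorted(name for name in table if fnmatch.fnmatchcase(name.lower(), pattern))


def determine_actions_to_expand(action_list, table=ACTION_TABLE):
    """Expand only entries carrying a wildcard; keep the rest verbatim, dropping duplicates."""
    seen, result = set(), []
    for action in action_list:
        candidates = expand(action, table) if "*" in action else [action]
        for candidate in candidates:
            if candidate.lower() not in seen:
                seen.add(candidate.lower())
                result.append(candidate)
    return result


def determine_risky_actions_from_list(requested_actions, risky_actions):
    """Case-insensitive intersection; returns the policy's own spelling of each hit."""
    risky = {a.lower() for a in risky_actions}
    return [a for a in requested_actions if a.lower() in risky]


def read_risky_iam_permissions_text_file(audit_file):
    """One action per line; blank lines and '#' comment lines are ignored (assumed format)."""
    with open(audit_file) as handle:
        lines = (line.strip() for line in handle)
        return [line for line in lines if line and not line.startswith("#")]


def determine_risky_actions(requested_actions, audit_file):
    return determine_risky_actions_from_list(
        requested_actions, read_risky_iam_permissions_text_file(audit_file))


def _statement_actions(statement):
    """'Action' may be a string or a list; non-Allow statements grant nothing here."""
    if statement.get("Effect") != "Allow":
        return []
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def analyze_statement_by_access_level(statement_json, access_level, table=ACTION_TABLE):
    """Actions in one statement at the given access level, after wildcard expansion.
    Actions absent from the table are skipped rather than guessed."""
    by_lower = {name.lower(): (name, level) for name, level in table.items()}
    expanded = determine_actions_to_expand(_statement_actions(statement_json), table)
    return [by_lower[a.lower()][0] for a in expanded
            if a.lower() in by_lower and by_lower[a.lower()][1] == access_level]


def analyze_by_access_level(policy_json, access_level, table=ACTION_TABLE):
    """Union over all statements; 'Statement' may be a single dict or a list."""
    statements = policy_json.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for statement in statements:
        for action in analyze_statement_by_access_level(statement, access_level, table):
            if action not in found:
                found.append(action)
    return found


# Constructed sample policy and audit-file contents for the demo.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutBucketPolicy", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}
SAMPLE_AUDIT_FILE = "# privilege escalation\niam:PassRole\niam:AttachRolePolicy\n\n"


def run_demo():
    """Write the constructed audit file to a temp path and run every check on the sample policy."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as handle:
        handle.write(SAMPLE_AUDIT_FILE)
    try:
        requested = []
        for statement in SAMPLE_POLICY["Statement"]:
            requested.extend(determine_actions_to_expand(_statement_actions(statement)))
        return {
            "expanded": requested,
            "risky": determine_risky_actions(requested, path),
            "permissions-management": analyze_by_access_level(SAMPLE_POLICY, "permissions-management"),
            "read": analyze_by_access_level(SAMPLE_POLICY, "read"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two details worth keeping when adapting this: wildcard matching must be case-insensitive, because IAM treats `s3:getobject` and `s3:GetObject` as the same action and a case-sensitive comparison silently misses grants; and the risky-action comparison has to run on the expanded list, since a bare `iam:*` never string-matches `iam:PassRole` in an audit file.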