Querying the IAM Database

The following are examples of how to leverage some of the functions available from Policy Sentry. The functions selected are likely to be of most interest to other developers.

These relate to querying the IAM database. The results reflect the IAM database version your installed Policy Sentry uses, so keep the package current when relying on them for policy decisions.

All

querying.all.get_all_service_prefixes

#!/usr/bin/env python
"""Print every service prefix present in the Policy Sentry IAM database."""

from policy_sentry.querying.all import get_all_service_prefixes


if __name__ == '__main__':
    # Each entry is a short service prefix such as 'kms' or 's3'.
    prefixes = get_all_service_prefixes()
    print(prefixes)

"""
Output:

A list of every service prefix (like 'kms' or 's3') available in the IAM database.
Note that this will not include services that do not support any ARN types, like AWS IQ.
"""

querying.all.get_all_actions

#!/usr/bin/env python
"""Print every IAM action known to the Policy Sentry IAM database."""

from policy_sentry.querying.all import get_all_actions


if __name__ == '__main__':
    # A single flat collection of 'prefix:action' strings across all services.
    actions = get_all_actions()
    print(actions)

"""
Output:

Every IAM action available across all services, without duplicates
"""

Actions

querying.actions.get_action_data

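#!/usr/bin/env python
"""Look up the IAM database rows for a single action.

Each row describes one (action, resource type) pairing: its access level,
the resource ARN format it applies to, the condition keys that can
constrain it, and any dependent actions.
"""

from policy_sentry.querying.actions import get_action_data
import json

if __name__ == '__main__':
    # The action is passed in lower case, matching how it appears in the output.
    rows = get_action_data('ram', 'createresourceshare')
    # json.dumps renders double-quoted strings and null, so the recorded
    # output below is shown in that form rather than as a Python repr.
    print(json.dumps(rows, indent=4))

"""
Output:

{
    "ram": [
        {
            "action": "ram:createresourceshare",
            "description": "Create resource share with provided resource(s) and/or principal(s)",
            "access_level": "Permissions management",
            "resource_arn_format": "arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}",
            "condition_keys": [
                "ram:RequestedResourceType",
                "ram:ResourceArn",
                "ram:RequestedAllowsExternalPrincipals"
            ],
            "dependent_actions": null
        },
        {
            "action": "ram:createresourceshare",
            "description": "Create resource share with provided resource(s) and/or principal(s)",
            "access_level": "Permissions management",
            "resource_arn_format": "*",
            "condition_keys": [
                "aws:RequestTag/${TagKey}",
                "aws:TagKeys"
            ],
            "dependent_actions": null
        }
    ]
}

Two rows are returned because the action is recorded against both a specific
resource-share ARN and the wildcard resource "*" (the tag condition keys are
only listed on the wildcard row). The access level is "Permissions management":
this action can expose resources to other principals, so when granting it,
consider the listed condition keys (e.g. ram:RequestedAllowsExternalPrincipals)
rather than allowing it unconditionally.
"""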

querying.actions.get_actions_for_service

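#!/usr/bin/env python
"""List every action for one service prefix.

The recorded output below is the action list for the 'ram' service, so
that is the prefix queried here (the example previously asked for 'cloud9'
while showing RAM actions).
"""
from policy_sentry.querying.actions import get_actions_for_service
import json

if __name__ == '__main__':
    service_actions = get_actions_for_service('ram')
    # json.dumps emits double-quoted strings; the output is shown that way.
    print(json.dumps(service_actions, indent=4))

"""
Output:

[
    "ram:acceptresourceshareinvitation",
    "ram:associateresourceshare",
    "ram:createresourceshare",
    "ram:deleteresourceshare",
    "ram:disassociateresourceshare",
    "ram:enablesharingwithawsorganization",
    "ram:rejectresourceshareinvitation",
    "ram:updateresourceshare"
]
"""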

querying.actions.get_actions_matching_condition_key

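#!/usr/bin/env python
"""List the actions of a service that support a given condition key.

Useful when deciding whether a condition (here ses:FeedbackAddress) can be
attached to every action in a statement: actions not in this list would
silently be denied by such a condition.
"""

from policy_sentry.querying.actions import get_actions_matching_condition_key
import json

if __name__ == '__main__':
    matching = get_actions_matching_condition_key("ses", "ses:FeedbackAddress")
    # json.dumps emits double-quoted strings; the output is shown that way.
    print(json.dumps(matching, indent=4))

"""
Output:

[
    "ses:sendemail",
    "ses:sendbulktemplatedemail",
    "ses:sendcustomverificationemail",
    "ses:sendemail",
    "ses:sendrawemail",
    "ses:sendtemplatedemail"
]

Note: the recorded output lists "ses:sendemail" twice; whether this query
de-duplicates its result is not shown here, so callers that need unique
entries should de-duplicate themselves.
"""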

querying.actions.get_actions_that_support_wildcard_arns_only

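#!/usr/bin/env python
"""List the actions of a service that can only be granted with Resource "*".

The previous version of this example was a copy of the condition-key query
above and did not demonstrate the wildcard-only query at all.

NOTE(review): confirm the function name against your installed
policy_sentry version; this is the query behind the CLI's
``--wildcard-only`` option.
"""

from policy_sentry.querying.actions import get_actions_that_support_wildcard_arns_only
import json

if __name__ == '__main__':
    wildcard_only = get_actions_that_support_wildcard_arns_only("ses")
    print(json.dumps(wildcard_only, indent=4))

"""
Output:

A JSON list of the actions under the given service prefix whose only
supported resource ARN format is "*". These actions cannot be restricted
to a specific resource, so least-privilege policies must rely on condition
keys (where available) to constrain them.
"""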

querying.actions.get_actions_with_access_level

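#!/usr/bin/env python
"""List the actions of a service at a given access level.

The access level strings match the AWS documentation categories; the
example asks for the 'Permissions management' actions of S3.
"""

from policy_sentry.querying.actions import get_actions_with_access_level
import json

if __name__ == '__main__':
    perm_mgmt_actions = get_actions_with_access_level('s3', 'Permissions management')
    # json.dumps on a list prints a JSON array; the output is shown in that form.
    print(json.dumps(perm_mgmt_actions, indent=4))

"""
Output:

[
    "s3:bypassgovernanceretention",
    "s3:deleteaccesspointpolicy",
    "s3:deletebucketpolicy",
    "s3:objectowneroverridetobucketowner",
    "s3:putaccesspointpolicy",
    "s3:putaccountpublicaccessblock",
    "s3:putbucketacl",
    "s3:putbucketpolicy",
    "s3:putbucketpublicaccessblock",
    "s3:putobjectacl",
    "s3:putobjectversionacl"
]

These actions change who can access S3 data (bucket/object ACLs and
policies, public access block settings), so they are the ones to scrutinise
most closely when a policy requests them.
"""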

querying.actions.get_actions_with_arn_type_and_access_level

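#!/usr/bin/env python
"""List the actions of a service for one ARN type at one access level.

Combines a resource-type filter (here the RAM 'resource-share' ARN type)
with an access-level filter ('Permissions management').
"""

from policy_sentry.querying.actions import get_actions_with_arn_type_and_access_level
import json

if __name__ == '__main__':
    filtered = get_actions_with_arn_type_and_access_level(
        "ram", "resource-share", "Permissions management"
    )
    # json.dumps emits double-quoted strings; the output is shown that way.
    print(json.dumps(filtered, indent=4))

"""
Output:

[
    "ram:associateresourceshare",
    "ram:createresourceshare",
    "ram:deleteresourceshare",
    "ram:disassociateresourceshare",
    "ram:updateresourceshare"
]
"""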

querying.actions.get_dependent_actions

#!/usr/bin/env python
"""Show the actions that a given list of actions depends on.

Dependent actions are ones AWS requires alongside the requested action. Because
they get pulled into generated policies, review them as carefully as the
requested action itself; iam:passrole in particular should be scoped to the
specific roles that may be passed rather than granted on "*".
"""

from policy_sentry.querying.actions import get_dependent_actions
import json

if __name__ == '__main__':
    requested = ["ec2:associateiaminstanceprofile"]
    dependencies = get_dependent_actions(requested)
    print(json.dumps(dependencies, indent=4))

"""
Output:

[
    "iam:passrole"
]
"""

ARNs

querying.arns.get_arn_type_details

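#!/usr/bin/env python
"""Show the details of one ARN type for a service.

Returns the resource type name, its raw ARN template (with ${...}
placeholders), and the condition keys recorded for that resource type.
"""

from policy_sentry.querying.arns import get_arn_type_details
import json

if __name__ == '__main__':
    arn_type = get_arn_type_details("cloud9", "environment")
    # json.dumps renders a missing value as null (not Python's None).
    print(json.dumps(arn_type, indent=4))

"""
Output:

{
    "resource_type_name": "environment",
    "raw_arn": "arn:${Partition}:cloud9:${Region}:${Account}:environment:${ResourceId}",
    "condition_keys": null
}
"""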

querying.arns.get_arn_types_for_service

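#!/usr/bin/env python
"""Map each ARN type of a service to its raw ARN template.

Note that S3 bucket and object ARNs carry no region or account fields, so a
bucket name alone identifies the resource globally.
"""

from policy_sentry.querying.arns import get_arn_types_for_service
import json

if __name__ == '__main__':
    arn_types = get_arn_types_for_service("s3")
    # json.dumps never emits a trailing comma; the output is shown as valid JSON.
    print(json.dumps(arn_types, indent=4))

"""
Output:

{
    "accesspoint": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
    "bucket": "arn:${Partition}:s3:::${BucketName}",
    "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
    "job": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}"
}
"""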

querying.arns.get_raw_arns_for_service

#!/usr/bin/env python
"""List the raw ARN templates of a service, without the type names."""

from policy_sentry.querying.arns import get_raw_arns_for_service
import json

if __name__ == '__main__':
    # Same templates as get_arn_types_for_service, but as a flat list.
    raw_arns = get_raw_arns_for_service("s3")
    print(json.dumps(raw_arns, indent=4))

"""
Output:

[
    "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}",
    "arn:${Partition}:s3:::${BucketName}",
    "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
    "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}"
]
"""

Conditions

querying.conditions.get_condition_key_details

#!/usr/bin/env python
"""Show the details of one condition key for a service.

The result includes the key's description and its value type, which tells
you which condition operators (string, ARN, numeric, ...) apply to it.
"""

from policy_sentry.querying.conditions import get_condition_key_details
import json

if __name__ == '__main__':
    key_details = get_condition_key_details("cloud9", "cloud9:Permissions")
    print(json.dumps(key_details, indent=4))

"""
Output:

{
    "name": "cloud9:Permissions",
    "description": "Filters access by the type of AWS Cloud9 permissions",
    "condition_value_type": "string"
}
"""

querying.conditions.get_condition_keys_for_service

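#!/usr/bin/env python
"""List the service-specific condition keys available for a service.

Only keys under the service's own prefix are listed; global keys (aws:*)
are not part of this result.
"""

from policy_sentry.querying.conditions import get_condition_keys_for_service
import json

if __name__ == '__main__':
    condition_keys = get_condition_keys_for_service("cloud9")
    # json.dumps emits double-quoted strings; the output is shown that way.
    print(json.dumps(condition_keys, indent=4))

"""
Output:

[
    "cloud9:EnvironmentId",
    "cloud9:EnvironmentName",
    "cloud9:InstanceType",
    "cloud9:Permissions",
    "cloud9:SubnetId",
    "cloud9:UserArn"
]
"""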