

IAM Database queries that are not specific to either the Actions, ARNs, or Condition Keys tables.


Gets a huge list of all IAM actions. This is used as part of the policyuniverse approach to minimizing IAM Policies to meet AWS-mandated character limits on policies.

Parameters: lowercase – Set to true to have the list of actions be in all lowercase strings.
Returns: A list of all actions present in the database.

Gets all the AWS service prefixes from the actions table.

If the action table does NOT have specific IAM actions (and therefore only supports * actions), then it will not be included in the response.

Returns: A list of all AWS service prefixes present in the table.


Methods that execute specific queries against the SQLite database for the ACTIONS table. This supports the Policy Sentry query functionality


Get details about an IAM Action in JSON format.

Parameters:
  • service – An AWS service prefix, like s3 or kms. Case insensitive.
  • action_name – The name of an AWS IAM action, like GetObject. To get data about all actions in a service, specify “*”. Case insensitive.

Returns: A dictionary containing metadata about an IAM Action.

policy_sentry.querying.actions.get_actions_at_access_level_that_support_wildcard_arns_only(service_prefix, access_level)

Get a list of actions at an access level that do not support restricting the action to resource ARNs. Set service to “all” to get a list of actions across all services.

Parameters:
  • service_prefix – A single AWS service prefix, like s3 or kms
  • access_level – An access level as it is written in the database, such as ‘Read’, ‘Write’, ‘List’, ‘Permissions management’, or ‘Tagging’

Returns: A list of actions


Get a list of available actions per AWS service

Parameters: service_prefix – An AWS service prefix, like s3 or kms
Returns: A list of actions

Given a user-supplied arn, get a list of all actions that can match it.

policy_sentry.querying.actions.get_actions_matching_condition_key(service_prefix, condition_key)

Get a list of actions under a service that allow the use of a specified condition key

Parameters:
  • service_prefix – A single AWS service prefix
  • condition_key – The condition key to look for.

Returns: A list of actions


Get a list of actions that do not support restricting the action to resource ARNs. Set service to “all” to get a list of actions across all services.

Parameters: service_prefix – A single AWS service prefix, like s3 or kms
Returns: A list of actions
policy_sentry.querying.actions.get_actions_with_access_level(service_prefix, access_level)

Get a list of actions in a service under different access levels.

Parameters:
  • service_prefix – A single AWS service prefix, like s3 or kms
  • access_level – An access level as it is written in the database, such as ‘Read’, ‘Write’, ‘List’, ‘Permissions management’, or ‘Tagging’

Returns: A list of actions

policy_sentry.querying.actions.get_actions_with_arn_type_and_access_level(service_prefix, resource_type_name, access_level)

Get a list of actions in a service under different access levels, specific to an ARN format.

Parameters:
  • service_prefix – A single AWS service prefix, like s3 or kms
  • resource_type_name – The ARN type name, like bucket or key
  • access_level – Access level like “Read” or “List” or “Permissions management”

Returns: A list of actions


Given a list of IAM Actions, query the database to determine if the action has dependent actions in the fifth column of the Resources, Actions, and Condition keys tables. If it does, add the dependent actions to the list, and return the updated list.

The returned list includes the original action as well: if you supply kms:CreateCustomKeyStore, you get back kms:CreateCustomKeyStore as well as cloudhsm:DescribeClusters.

To get dependent actions for a single given IAM action, just provide the action as a list with one item, like this: get_dependent_actions(db_session, [‘kms:CreateCustomKeystore’])

Parameters: actions_list – A list of actions to use in querying the database for dependent actions
Returns: Updated list of actions, including dependent actions if applicable.
policy_sentry.querying.actions.get_privilege_info(service, action)

Given a service, like “s3”, and an action, like “ListBucket”, return the information about that action from the docs.

policy_sentry.querying.actions.remove_actions_not_matching_access_level(actions_list, access_level)

Given a list of actions, return a list of actions that match an access level

Parameters:
  • actions_list – A list of actions
  • access_level – ‘read’, ‘write’, ‘list’, ‘tagging’, or ‘permissions-management’

Returns: Updated list of actions, where the actions not matching the requested access level are removed.


Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot.

Parameters: actions_list – A list of actions
Returns: An updated list of actions
Return type: list
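The actions queries above all reduce to the same pattern: a lookup over rows of (service, action, access level, ARN format, dependent actions). The block below is an added, self-contained re-implementation of four of them over a small constructed table in that shape. It is not policy_sentry's own code or data; the table rows, the "*" convention for actions that cannot be restricted to an ARN, and the helper names prefixed with an underscore are assumptions made for the example. It also accepts both spellings of the access level that the page uses (‘Permissions management’ and ‘permissions-management’), so the same filter works on either form.

```python
from typing import Dict, List, Set

# Constructed sample rows in the shape of the actions table (NOT the project's data).
# One row per (action, resource type); resource_arn_format "*" marks a row that
# cannot be scoped to a resource ARN.
ACTION_TABLE = [
    {"service": "s3", "action": "GetObject", "access_level": "Read",
     "resource_arn_format": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
     "dependent_actions": []},
    {"service": "s3", "action": "PutObject", "access_level": "Write",
     "resource_arn_format": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
     "dependent_actions": []},
    {"service": "s3", "action": "ListBucket", "access_level": "List",
     "resource_arn_format": "arn:${Partition}:s3:::${BucketName}",
     "dependent_actions": []},
    {"service": "s3", "action": "ListAllMyBuckets", "access_level": "List",
     "resource_arn_format": "*", "dependent_actions": []},
    {"service": "kms", "action": "CreateCustomKeyStore", "access_level": "Write",
     "resource_arn_format": "*", "dependent_actions": ["cloudhsm:DescribeClusters"]},
    {"service": "cloudhsm", "action": "DescribeClusters", "access_level": "Read",
     "resource_arn_format": "*", "dependent_actions": []},
    {"service": "kms", "action": "Decrypt", "access_level": "Write",
     "resource_arn_format": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}",
     "dependent_actions": []},
]


def _normalize_level(level: str) -> str:
    # 'Permissions management' and 'permissions-management' compare equal.
    return level.strip().lower().replace("-", " ")


def _rows_for_service(service_prefix: str) -> List[dict]:
    # "all" means every service, as in the documented query functions.
    prefix = service_prefix.lower()
    return [r for r in ACTION_TABLE if prefix == "all" or r["service"] == prefix]


def _qualified(row: dict) -> str:
    return f'{row["service"]}:{row["action"]}'


def get_actions_with_access_level(service_prefix: str, access_level: str) -> List[str]:
    """Sorted, de-duplicated list of service:Action names at the requested level."""
    wanted = _normalize_level(access_level)
    found = {_qualified(r) for r in _rows_for_service(service_prefix)
             if _normalize_level(r["access_level"]) == wanted}
    return sorted(found)


def get_actions_that_support_wildcard_arns_only(service_prefix: str) -> List[str]:
    """Actions whose every row is "*": they can only ever be granted on Resource "*"."""
    formats: Dict[str, Set[str]] = {}
    for r in _rows_for_service(service_prefix):
        formats.setdefault(_qualified(r), set()).add(r["resource_arn_format"])
    return sorted(action for action, fmts in formats.items() if fmts == {"*"})


def get_dependent_actions(actions_list: List[str]) -> List[str]:
    """Expand each action with its dependent actions, keeping the originals and order."""
    # Case-insensitive index; dependent actions are the same on every row of an action.
    index = {_qualified(r).lower(): r for r in ACTION_TABLE}
    result: List[str] = []
    for action in actions_list:
        row = index.get(action.lower())
        canonical = _qualified(row) if row else action  # normalise the caller's casing
        for candidate in [canonical] + (row["dependent_actions"] if row else []):
            if candidate not in result:
                result.append(candidate)
    return result


def remove_actions_not_matching_access_level(actions_list: List[str], access_level: str) -> List[str]:
    """Keep only the actions whose access level matches (unknown actions are dropped)."""
    wanted = _normalize_level(access_level)
    levels = {_qualified(r).lower(): _normalize_level(r["access_level"]) for r in ACTION_TABLE}
    return [a for a in actions_list if levels.get(a.lower()) == wanted]


if __name__ == "__main__":
    print(get_actions_with_access_level("all", "Write"))
    print(get_actions_that_support_wildcard_arns_only("all"))
    print(get_dependent_actions(["kms:CreateCustomKeystore"]))
```

The wildcard-only query is the one worth understanding for least-privilege work: an action that appears in that list cannot be tightened to an ARN, so a policy containing it will legitimately carry a `"Resource": "*"` statement, while any other action sitting under `"Resource": "*"` is a candidate for scoping down.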


Methods that execute specific queries against the SQLite database for the ARN table. This supports the policy_sentry query functionality

policy_sentry.querying.arns.get_arn_data(service_prefix, resource_type_name)

Get details about ARNs in JSON format.

Parameters:
  • service_prefix – An AWS service prefix, like s3 or kms
  • resource_type_name – The name of a resource type, like bucket or object. To get details on ALL arns in a service, specify “*” here.

Returns: Metadata about an ARN type

policy_sentry.querying.arns.get_arn_type_details(service_prefix, resource_type_name)

Get details about ARNs in JSON format.

Parameters:
  • service_prefix – An AWS service prefix, like s3 or kms
  • resource_type_name – The name of a resource type, like bucket or object. To get details on ALL arns in a service, specify “*” here.

Returns: Metadata about an ARN type


Get a list of available ARN short names per AWS service.

Parameters: service_prefix – An AWS service prefix, like s3 or kms
Returns: A list of ARN types, like bucket or object

Given a user-supplied ARN, return the raw_arn since that is used as a unique identifier throughout this library

Parameters: arn – The user-supplied arn, like arn:aws:s3:::mybucket
Returns: The raw ARN stored in the database, like ‘arn:${Partition}:s3:::${BucketName}’

Get a list of available raw ARNs per AWS service

Parameters: service_prefix – An AWS service prefix, like s3 or kms
Returns: A list of raw ARNs

Given a raw ARN, return the resource type name as shown in the database.

Parameters: raw_arn – The raw ARN stored in the database, like ‘arn:${Partition}:s3:::${BucketName}’
Returns: The resource type name, like bucket
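Mapping a user-supplied ARN such as arn:aws:s3:::mybucket back to the raw ARN template that is the library's unique identifier is the step the two queries above rely on. The following added example (not policy_sentry's code) shows one way to do it over a constructed set of raw ARN templates: each `${Placeholder}` becomes a regex group that cannot cross a colon, every template is tried, and when more than one matches (an object ARN also satisfies the bucket template) the template with the most literal characters wins. The template set, the specificity rule and the function names are assumptions made for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of raw ARN templates in the style of the ARN table (NOT the project's data).
RAW_ARNS: Dict[str, Dict[str, str]] = {
    "s3": {
        "bucket": "arn:${Partition}:s3:::${BucketName}",
        "object": "arn:${Partition}:s3:::${BucketName}/${ObjectName}",
    },
    "kms": {
        "key": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}",
        "alias": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}",
    },
}

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def raw_arn_to_regex(raw_arn: str) -> "re.Pattern[str]":
    """Compile a raw ARN template into an anchored regex with one named group per placeholder."""
    pattern, pos = "", 0
    for m in PLACEHOLDER.finditer(raw_arn):
        pattern += re.escape(raw_arn[pos:m.start()])
        # A placeholder never spans a colon; only a trailing one (e.g. an object key) may contain slashes.
        body = r"[^:]+" if m.end() == len(raw_arn) else r"[^:/]+"
        pattern += f"(?P<{m.group(1)}>{body})"
        pos = m.end()
    pattern += re.escape(raw_arn[pos:])
    return re.compile(f"^{pattern}$")


def _literal_length(raw_arn: str) -> int:
    # Specificity measure: number of characters that are not placeholders.
    return len(PLACEHOLDER.sub("", raw_arn))


def match_arn(arn: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (raw_arn, placeholder values) for the most specific matching template, or None."""
    candidates = []
    for templates in RAW_ARNS.values():
        for raw_arn in templates.values():
            m = raw_arn_to_regex(raw_arn).match(arn)
            if m:
                candidates.append((raw_arn, m.groupdict()))
    if not candidates:
        return None
    return max(candidates, key=lambda c: _literal_length(c[0]))


def get_raw_arn_for_arn(arn: str) -> Optional[str]:
    """The raw ARN template that a user-supplied ARN belongs to, or None if no template fits."""
    found = match_arn(arn)
    return found[0] if found else None


def get_resource_type_name_with_raw_arn(raw_arn: str) -> Optional[str]:
    """Reverse lookup from a raw ARN template to its resource type name."""
    for templates in RAW_ARNS.values():
        for name, template in templates.items():
            if template == raw_arn:
                return name
    return None


if __name__ == "__main__":
    for arn in ("arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/reports/q1.csv",
                "arn:aws:kms:us-east-1:123456789012:key/1234abcd"):
        raw = get_raw_arn_for_arn(arn)
        print(arn, "->", raw, "->", get_resource_type_name_with_raw_arn(raw))
```

The `None` return matters in practice: an ARN that fits no template (a service the table does not cover, or a malformed string) should be surfaced as unmatched rather than silently mapped to the closest-looking type, since a wrong resource type leads to the wrong set of actions being considered for the policy.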


Methods that execute specific queries against the SQLite database for the CONDITIONS table. This supports the policy_sentry query functionality

policy_sentry.querying.conditions.get_condition_key_details(service_prefix, condition_key_name)

Get details about a specific condition key in JSON format

Parameters:
  • service_prefix – An AWS service prefix, like ec2 or kms
  • condition_key_name – The name of a condition key, like ec2:Vpc

Returns: Metadata about the condition key


Get a list of condition keys available to a RAW ARN

Parameters: raw_arn – The value in the database, like arn:${Partition}:s3:::${BucketName}/${ObjectName}

Get a list of available conditions per AWS service

Parameters: service_prefix – An AWS service prefix, like s3 or kms
Returns: A list of condition keys

Get the data type of the condition key, like Date, String, etc.

Parameters: condition_key – A condition key, like a4b:filters_deviceType

policy_sentry.querying.conditions.get_conditions_for_action_and_raw_arn(action, raw_arn)

Get a list of conditions available to an action.

Parameters:
  • action – The IAM action, like s3:GetObject
  • raw_arn – The raw ARN format specific to the action