querying.actions
See the examples under https://github.com/salesforce/policy_sentry/tree/master/examples/library-usage/querying
Methods that execute specific queries against the database for the ACTIONS table. These support the Policy Sentry query functionality.
get_actions_at_access_level_that_support_wildcard_arns_only(service_prefix, access_level)
Get a list of actions at an access level that do not support restricting the action to resource ARNs. Set service to "all" to get a list of actions across all services.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | A single AWS service prefix, like s3 | required |
access_level | | An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging' | required |

Returns:

Type | Description |
---|---|
List | A list of actions at that access level that do not support resource ARN constraints |
get_actions_matching_arn(arn)
Given a user-supplied ARN, get a list of all actions that correspond to that ARN.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
arn | | A user-supplied ARN | required |

Returns:

Type | Description |
---|---|
List | A list of all actions that can match it. |
get_actions_matching_arn_type(service_prefix, resource_type_name)
Get a list of actions in a service specific to ARN type.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | A single AWS service prefix, like s3 | required |
resource_type_name | | The ARN type name, like | required |

Returns:

Type | Description |
---|---|
List | A list of actions that have that ARN type |
get_actions_matching_condition_key(service_prefix, condition_key)
Get a list of actions under a service that allow the use of a specified condition key.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | A single AWS service prefix | required |
condition_key | | The condition key to look for. | required |

Returns:

Type | Description |
---|---|
List | A list of actions |
get_actions_that_support_wildcard_arns_only(service_prefix)
Get a list of actions that do not support restricting the action to resource ARNs. Set service to "all" to get a list of actions across all services.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | A single AWS service prefix, like s3 | required |

Returns:

Type | Description |
---|---|
List | A list of actions that do not support resource ARN constraints |
get_actions_with_access_level(service_prefix, access_level)
Get a list of actions in a service under different access levels.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | A single AWS service prefix, like s3 | required |
access_level | | An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging' | required |

Returns:

Type | Description |
---|---|
List | A list of actions with that access level and service prefix |
get_actions_with_arn_type_and_access_level(service_prefix, resource_type_name, access_level)
Get a list of actions in a service under different access levels, specific to an ARN format.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | A single AWS service prefix, like s3 | required |
resource_type_name | | The ARN type name, like | required |
access_level | | Access level like "Read" or "List" or "Permissions management" | required |

Returns:

Type | Description |
---|---|
List | A list of actions that have that ARN type and access level |
get_dependent_actions(actions_list)
Given a list of IAM actions, query the database to determine whether each action has dependent actions in the fifth column of the Resources, Actions, and Condition Keys tables. If it does, add the dependent actions to the list, and return the updated list.
The original action is kept in the result as well. So, if you supply kms:CreateCustomKeyStore, it will give you kms:CreateCustomKeyStore as well as cloudhsm:DescribeClusters.
To get dependent actions for a single given IAM action, just provide the action as a list with one item, like this:
get_dependent_actions(['kms:CreateCustomKeyStore'])
Parameters:

Name | Type | Description | Default |
---|---|---|---|
actions_list | | A list of actions to use in querying the database for dependent actions | required |

Returns:

Type | Description |
---|---|
List | Updated list of actions, including dependent actions if applicable. |
get_privilege_info(service_prefix, action)
Given a service, like s3, and an action name, like ListBucket, return info about that action.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
service_prefix | | The service prefix, like s3 | required |
action | | An action name, like ListBucket | required |

Returns:

Type | Description |
---|---|
List | The info from the docs about that action |
remove_actions_not_matching_access_level(actions_list, access_level)
Given a list of actions, return a list of actions that match an access level.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
actions_list | | A list of actions | required |
access_level | | 'read', 'write', 'list', 'tagging', or 'permissions-management' | required |

Returns:

Type | Description |
---|---|
List | An updated list of actions, where the actions not matching the requested access level are removed. |
remove_actions_that_are_not_wildcard_arn_only(actions_list)
Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
actions_list | | A list of actions | required |

Returns:

Type | Description |
---|---|
List | An updated list of actions |
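The pieces a least-privilege policy generator chains together are get_dependent_actions, remove_actions_not_matching_access_level and remove_actions_that_are_not_wildcard_arn_only. The following is an added example, not policy_sentry's own code: it re-implements those three query contracts over a small constructed slice of the ACTIONS table (so it runs offline, without the real database) and uses them to split a requested action list into an ARN-scoped statement and a separate Resource "*" statement for actions that cannot be constrained. ACTION_TABLE contents and the build_statements helper are assumptions for illustration.

```python
# Added example, not policy_sentry's own code: the same query contracts as
# get_dependent_actions, remove_actions_not_matching_access_level and
# remove_actions_that_are_not_wildcard_arn_only, run over a constructed
# slice of the ACTIONS table so it works offline without the real database.
from typing import Dict, List

# Constructed sample rows (assumption, not the real database). A resource type
# list of just "*" means the action can only be granted with Resource: "*".
ACTION_TABLE: Dict[str, dict] = {
    "s3:ListBucket": {"access_level": "List", "resource_types": ["bucket"], "dependent_actions": []},
    "s3:GetObject": {"access_level": "Read", "resource_types": ["object"], "dependent_actions": []},
    "s3:ListAllMyBuckets": {"access_level": "List", "resource_types": ["*"], "dependent_actions": []},
    "kms:CreateCustomKeyStore": {"access_level": "Write", "resource_types": ["*"],
                                 "dependent_actions": ["cloudhsm:DescribeClusters"]},
    "cloudhsm:DescribeClusters": {"access_level": "Read", "resource_types": ["*"], "dependent_actions": []},
}

def get_dependent_actions(actions_list: List[str]) -> List[str]:
    """Return the original actions plus their dependent actions, without duplicates."""
    result: List[str] = []
    for action in actions_list:
        for candidate in [action, *ACTION_TABLE.get(action, {}).get("dependent_actions", [])]:
            if candidate not in result:
                result.append(candidate)
    return result

def remove_actions_not_matching_access_level(actions_list: List[str], access_level: str) -> List[str]:
    """Keep only actions at the requested level; 'permissions-management' and
    'Permissions management' are treated as the same level."""
    wanted = access_level.lower().replace("-", " ")
    return [a for a in actions_list
            if ACTION_TABLE.get(a, {}).get("access_level", "").lower() == wanted]

def remove_actions_that_are_not_wildcard_arn_only(actions_list: List[str]) -> List[str]:
    """Keep only actions that cannot be restricted to a resource ARN."""
    return [a for a in actions_list if ACTION_TABLE.get(a, {}).get("resource_types") == ["*"]]

def build_statements(actions_list: List[str], resource_arns: List[str]) -> List[dict]:
    """Hypothetical helper: expand dependencies, give ARN-restrictable actions the
    caller's ARNs, and confine the rest to their own Resource: "*" statement."""
    expanded = get_dependent_actions(actions_list)
    wildcard_only = remove_actions_that_are_not_wildcard_arn_only(expanded)
    scoped = [a for a in expanded if a not in wildcard_only]
    statements = []
    if scoped:
        statements.append({"Effect": "Allow", "Action": scoped, "Resource": resource_arns})
    if wildcard_only:
        statements.append({"Effect": "Allow", "Action": wildcard_only, "Resource": "*"})
    return statements
```

Keeping the wildcard-only actions in their own statement is what stops a dependent action such as cloudhsm:DescribeClusters from silently widening the ARN-scoped statement to Resource "*".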