
querying.actions


See the examples under https://github.com/salesforce/policy_sentry/tree/master/examples/library-usage/querying

Methods that execute specific queries against the database for the ACTIONS table. This supports the Policy Sentry query functionality.

get_actions_at_access_level_that_support_wildcard_arns_only(service_prefix, access_level)

Get a list of actions at an access level that do not support restricting the action to resource ARNs. Set service_prefix to "all" to get a list of actions across all services.

Parameters:
  service_prefix (required): A single AWS service prefix, like s3 or kms
  access_level (required): An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging'

Returns:
  List: A list of actions at that access level that do not support resource ARN constraints

get_actions_matching_arn(arn)

Given a user-supplied ARN, get a list of all actions that correspond to that ARN.

Parameters:
  arn (required): A user-supplied ARN

Returns:
  List: A list of all actions that can match it.

get_actions_matching_arn_type(service_prefix, resource_type_name)

Get a list of actions in a service specific to ARN type.

Parameters:
  service_prefix (required): A single AWS service prefix, like s3 or kms
  resource_type_name (required): The ARN type name, like bucket or key

Returns:
  List: A list of actions that have that ARN type

get_actions_matching_condition_key(service_prefix, condition_key)

Get a list of actions under a service that allow the use of a specified condition key

Parameters:
  service_prefix (required): A single AWS service prefix
  condition_key (required): The condition key to look for.

Returns:
  List: A list of actions

get_actions_that_support_wildcard_arns_only(service_prefix)

Get a list of actions that do not support restricting the action to resource ARNs. Set service_prefix to "all" to get a list of actions across all services.

Parameters:
  service_prefix (required): A single AWS service prefix, like s3 or kms

Returns:
  List: A list of actions that do not support resource ARN constraints

get_actions_with_access_level(service_prefix, access_level)

Get a list of actions in a service at a given access level.

Parameters:
  service_prefix (required): A single AWS service prefix, like s3 or kms
  access_level (required): An access level as it is written in the database, such as 'Read', 'Write', 'List', 'Permissions management', or 'Tagging'

Returns:
  List: A list of actions with that access level and service prefix

get_actions_with_arn_type_and_access_level(service_prefix, resource_type_name, access_level)

Get a list of actions in a service at a given access level, specific to an ARN format.

Parameters:
  service_prefix (required): A single AWS service prefix, like s3 or kms
  resource_type_name (required): The ARN type name, like bucket or key
  access_level (required): Access level like "Read" or "List" or "Permissions management"

Returns:
  List: A list of actions that have that ARN type and access level

get_dependent_actions(actions_list)

Given a list of IAM actions, query the database to determine whether each action has dependent actions (the fifth column of the Resources, Actions, and Condition Keys tables). If it does, add the dependent actions to the list, and return the updated list.

The original action is included in the result as well. So, if you supply kms:CreateCustomKeyStore, it will give you kms:CreateCustomKeyStore as well as cloudhsm:DescribeClusters.

To get dependent actions for a single IAM action, provide the action as a list with one item, like this: get_dependent_actions(['kms:CreateCustomKeyStore'])

Parameters:
  actions_list (required): A list of actions to use in querying the database for dependent actions

Returns:
  List: Updated list of actions, including dependent actions if applicable.

get_privilege_info(service_prefix, action)

Given a service, like s3, and an action name, like ListBucket, return info about that action.

Parameters:
  service_prefix (required): The service prefix, like s3
  action (required): An action name, like ListBucket

Returns:
  List: The info from the docs about that action

remove_actions_not_matching_access_level(actions_list, access_level)

Given a list of actions, return a list of actions that match an access level

Parameters:
  actions_list (required): A list of actions
  access_level (required): 'read', 'write', 'list', 'tagging', or 'permissions-management'

Returns:
  List: An updated list of actions, where the actions not matching the requested access level are removed.

remove_actions_that_are_not_wildcard_arn_only(actions_list)

Given a list of actions, remove the ones that CAN be restricted to ARNs, leaving only the ones that cannot.

Parameters:
  actions_list (required): A list of actions

Returns:
  List: An updated list of actions
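Added example, not Policy Sentry's own code: a minimal model of the query semantics described above for get_actions_with_access_level, get_actions_at_access_level_that_support_wildcard_arns_only, remove_actions_not_matching_access_level and get_dependent_actions, run over a small constructed subset of IAM action data. The ACTIONS table and its contents are constructed for illustration; the real library answers these queries from its bundled IAM definition database.

```python
# Constructed sample (not Policy Sentry's database): action -> access level,
# ARN types it can be scoped to, and dependent actions. An empty
# "resource_types" list models an action that only works with Resource: "*".
ACTIONS = {
    "s3:ListBucket": {"access_level": "List", "resource_types": ["bucket"], "dependent_actions": []},
    "s3:GetObject": {"access_level": "Read", "resource_types": ["object"], "dependent_actions": []},
    "s3:ListAllMyBuckets": {"access_level": "List", "resource_types": [], "dependent_actions": []},
    "kms:CreateCustomKeyStore": {"access_level": "Write", "resource_types": [],
                                 "dependent_actions": ["cloudhsm:DescribeClusters"]},
    "cloudhsm:DescribeClusters": {"access_level": "Read", "resource_types": [], "dependent_actions": []},
}


def _normalize(access_level):
    # Accept both spellings this page uses: 'Permissions management'
    # and 'permissions-management'.
    return access_level.lower().replace("-", " ")


def get_actions_with_access_level(service_prefix, access_level):
    """Actions in a service (or "all" services) at the given access level."""
    return sorted(
        action for action, info in ACTIONS.items()
        if (service_prefix == "all" or action.split(":", 1)[0] == service_prefix)
        and _normalize(info["access_level"]) == _normalize(access_level)
    )


def get_actions_at_access_level_that_support_wildcard_arns_only(service_prefix, access_level):
    """Subset of the above that cannot be constrained to a resource ARN."""
    return [a for a in get_actions_with_access_level(service_prefix, access_level)
            if not ACTIONS[a]["resource_types"]]


def remove_actions_not_matching_access_level(actions_list, access_level):
    """Keep only the supplied actions whose access level matches."""
    return [a for a in actions_list
            if a in ACTIONS and _normalize(ACTIONS[a]["access_level"]) == _normalize(access_level)]


def get_dependent_actions(actions_list):
    """Each original action followed by its dependent actions (one level, as documented)."""
    result = []
    for action in actions_list:
        for a in [action] + ACTIONS.get(action, {}).get("dependent_actions", []):
            if a not in result:
                result.append(a)
    return result
```

Actions the wildcard-only queries return can only be granted with Resource: "*", so a least-privilege policy keeps them in a separate statement from actions that are scoped to specific ARNs.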