bp-check/services/iam.py

84 lines
2.7 KiB
Python
Raw Normal View History

2024-08-05 02:30:34 +00:00
from models import RuleCheckResult
import boto3
2024-08-07 02:39:51 +00:00
client = boto3.client("iam")
2024-08-05 02:30:34 +00:00
def iam_policy_no_statements_with_admin_access():
2024-08-07 02:39:51 +00:00
compliant_resource = []
non_compliant_resources = []
policies = client.list_policies(Scope="Local")["Policies"]
for policy in policies:
policy_version = client.get_policy_version(PolicyArn=policy["Arn"], VersionId=policy["DefaultVersionId"])[
"PolicyVersion"
]
2024-08-07 09:59:01 +00:00
for statement in policy_version["Document"]["Statement"]:
if (
statement["Action"] == "*"
and statement["Resource"] == "*"
and statement["Effect"] == "Allow"
):
non_compliant_resources.append(policy["Arn"])
break
2024-08-07 02:39:51 +00:00
else:
2024-08-07 09:59:01 +00:00
compliant_resource.append(policy["Arn"])
2024-08-07 02:39:51 +00:00
2024-08-05 02:30:34 +00:00
return RuleCheckResult(
2024-08-07 02:39:51 +00:00
passed=not non_compliant_resources,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
2024-08-05 02:30:34 +00:00
)
def iam_policy_no_statements_with_full_access():
2024-08-07 02:39:51 +00:00
compliant_resource = []
non_compliant_resources = []
policies = client.list_policies(Scope="Local")["Policies"]
for policy in policies:
policy_version = client.get_policy_version(PolicyArn=policy["Arn"], VersionId=policy["DefaultVersionId"])[
"PolicyVersion"
]
for statement in policy_version["Document"]["Statement"]:
2024-08-07 09:59:01 +00:00
if statement["Effect"] == "Deny":
continue
if type(statement["Action"]) == str:
statement["Action"] = [statement["Action"]]
full_access_actions = [action for action in statement["Action"] if action.endswith(":*")]
if full_access_actions:
non_compliant_resources.append(policy["Arn"])
2024-08-07 02:39:51 +00:00
break
else:
compliant_resource.append(policy["Arn"])
2024-08-05 02:30:34 +00:00
return RuleCheckResult(
2024-08-07 02:39:51 +00:00
passed=not non_compliant_resources,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
2024-08-05 02:30:34 +00:00
)
def iam_role_managed_policy_check():
2024-08-07 02:39:51 +00:00
compliant_resource = []
non_compliant_resources = []
policy_arns = [] # 검사할 managed policy arn 목록
for policy in policy_arns:
response = client.list_entities_for_policy(PolicyArn=policy)
if response["PolicyGroups"] == [] and response["PolicyUsers"] == [] and response["PolicyRoles"] == []:
non_compliant_resources.append(policy)
else:
compliant_resource.append(policy)
2024-08-05 02:30:34 +00:00
return RuleCheckResult(
2024-08-07 02:39:51 +00:00
passed=not compliant_resource,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
2024-08-05 02:30:34 +00:00
)