From cfba14961f6aa7273d8a55e53cc0644dbb224a40 Mon Sep 17 00:00:00 2001
From: skyuecx0630 <48788794+skyuecx0630@users.noreply.github.com>
Date: Wed, 7 Aug 2024 18:59:01 +0900
Subject: [PATCH] Add more strict checks

---
 services/iam.py | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/services/iam.py b/services/iam.py
index 43fee51..d49b7af 100644
--- a/services/iam.py
+++ b/services/iam.py
@@ -15,10 +15,16 @@ def iam_policy_no_statements_with_admin_access():
             "PolicyVersion"
         ]
 
-        if "'Effect': 'Allow', 'Action': '*', 'Resource': '*'" not in str(policy_version["Document"]):
-            compliant_resource.append(policy["Arn"])
+        for statement in policy_version["Document"]["Statement"]:
+            if (
+                statement["Action"] == "*"
+                and statement["Resource"] == "*"
+                and statement["Effect"] == "Allow"
+            ):
+                non_compliant_resources.append(policy["Arn"])
+                break
         else:
-            non_compliant_resources.append(policy["Arn"])
+            compliant_resource.append(policy["Arn"])
 
     return RuleCheckResult(
         passed=not non_compliant_resources,
@@ -37,14 +43,16 @@ def iam_policy_no_statements_with_full_access():
             "PolicyVersion"
         ]
 
-        escape = False
         for statement in policy_version["Document"]["Statement"]:
-            for action in statement["Action"]:
-                if action.endswith(":*"):
-                    non_compliant_resources.append(policy["Arn"])
-                    escape = True
-                    break
-            if escape == True:
+            if statement["Effect"] == "Deny":
+                continue
+
+            if type(statement["Action"]) == str:
+                statement["Action"] = [statement["Action"]]
+
+            full_access_actions = [action for action in statement["Action"] if action.endswith(":*")]
+            if full_access_actions:
+                non_compliant_resources.append(policy["Arn"])
                 break
         else:
             compliant_resource.append(policy["Arn"])
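Review bot: The new admin-access condition in the first hunk compares `statement["Action"] == "*"` and `statement["Resource"] == "*"` by exact equality, so a statement written with list values (`"Action": ["*"]`, `"Resource": ["*"]`) is never matched and the policy is reported as compliant — a false negative in the one check meant to catch full admin grants. Both element forms are valid in IAM policy JSON, so the values should be normalised to lists before testing for `"*"`. The same `statement["Action"]` lookup in this hunk and in the `iam_policy_no_statements_with_full_access` hunk raises `KeyError` for statements that use `NotAction` instead of `Action`, which would abort the whole rule rather than classify the policy; `statement.get("Action", [])` avoids that. The enclosing `for policy in ...` loop of `iam_policy_no_statements_with_admin_access` starts outside the hunk, and the `"Statement"` key may itself be a single dict rather than a list in hand-written policies — worth confirming against the documents this rule is run over.
```python
        for statement in policy_version["Document"]["Statement"]:
            # IAM allows both "x" and ["x"] for Action/Resource; normalise to lists.
            actions = statement.get("Action", [])
            resources = statement.get("Resource", [])
            if isinstance(actions, str):
                actions = [actions]
            if isinstance(resources, str):
                resources = [resources]
            if (
                statement.get("Effect") == "Allow"
                and "*" in actions
                and "*" in resources
            ):
                non_compliant_resources.append(policy["Arn"])
                break
        # … unchanged: for/else compliant_resource append …
```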
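Review bot: In the second hunk the list-normalisation `statement["Action"] = [statement["Action"]]` writes back into the fetched policy document, so the rule mutates the `policy_version` dict it was handed; if that object is reused by another rule in the same run, its shape will differ from what the API returned. Binding the normalised value to a local instead keeps the check side-effect free, and `isinstance(actions, str)` is the idiomatic form of `type(statement["Action"]) == str`. The intermediate list `full_access_actions` is only used as a boolean, so `any(...)` expresses the intent without building it. Note also that the `"Effect" == "Deny"` guard reads `statement["Effect"]` directly; `.get` would be more forgiving if a malformed statement is encountered. The function's `for policy` loop and the `return` both lie outside this hunk.
```python
        for statement in policy_version["Document"]["Statement"]:
            if statement.get("Effect") == "Deny":
                continue

            # Work on a local copy; do not rewrite the fetched document.
            actions = statement.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]

            if any(action.endswith(":*") for action in actions):
                non_compliant_resources.append(policy["Arn"])
                break
        # … unchanged: for/else compliant_resource append …
```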