Add more strict checks

This commit is contained in:
skyuecx0630 2024-08-07 18:59:01 +09:00
parent c526d2571f
commit cfba14961f


@ -15,10 +15,16 @@ def iam_policy_no_statements_with_admin_access():
"PolicyVersion" "PolicyVersion"
] ]
if "'Effect': 'Allow', 'Action': '*', 'Resource': '*'" not in str(policy_version["Document"]): for statement in policy_version["Document"]["Statement"]:
compliant_resource.append(policy["Arn"]) if (
else: statement["Action"] == "*"
and statement["Resource"] == "*"
and statement["Effect"] == "Allow"
):
non_compliant_resources.append(policy["Arn"]) non_compliant_resources.append(policy["Arn"])
break
else:
compliant_resource.append(policy["Arn"])
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
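Review bot: The new admin-access test compares `statement["Action"] == "*"` and `statement["Resource"] == "*"` against bare strings, so a statement written as `"Action": ["*"]` or `"Resource": ["*"]` — a valid IAM form — is reported compliant, and a statement that carries `NotAction`/`NotResource` instead of `Action`/`Resource` raises KeyError on the `statement["Action"]` lookup. The second hunk already wraps a string `Action` into a list before checking; the same normalization belongs here, using `.get()` so NotAction/NotResource statements are skipped rather than crashing. While at it, the `type(statement["Action"]) == str` test in the second hunk should be `isinstance(statement["Action"], str)`. IAM policy grammar also allows `Statement` to be a single object rather than a list, which both loops would iterate as dict keys — worth confirming against the data the rule receives. The enclosing function continues outside the hunk.
```python
for statement in policy_version["Document"]["Statement"]:
    # Action/Resource may be a string or a list; NotAction/NotResource
    # statements have neither key and are not matched by this rule.
    actions = statement.get("Action", [])
    resources = statement.get("Resource", [])
    if isinstance(actions, str):
        actions = [actions]
    if isinstance(resources, str):
        resources = [resources]
    if statement["Effect"] == "Allow" and "*" in actions and "*" in resources:
        non_compliant_resources.append(policy["Arn"])
        break
else:
    compliant_resource.append(policy["Arn"])
# … unchanged: RuleCheckResult construction …
```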
@ -37,14 +43,16 @@ def iam_policy_no_statements_with_full_access():
"PolicyVersion" "PolicyVersion"
] ]
escape = False
for statement in policy_version["Document"]["Statement"]: for statement in policy_version["Document"]["Statement"]:
for action in statement["Action"]: if statement["Effect"] == "Deny":
if action.endswith(":*"): continue
if type(statement["Action"]) == str:
statement["Action"] = [statement["Action"]]
full_access_actions = [action for action in statement["Action"] if action.endswith(":*")]
if full_access_actions:
non_compliant_resources.append(policy["Arn"]) non_compliant_resources.append(policy["Arn"])
escape = True
break
if escape == True:
break break
else: else:
compliant_resource.append(policy["Arn"]) compliant_resource.append(policy["Arn"])