pmh_only/bp-check
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add more strict checks

Browse Source
This commit is contained in:
skyuecx0630 2024-08-07 18:59:01 +09:00
parent c526d2571f
commit cfba14961f
1 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
services/iam.py
View File

@ -15,10 +15,16 @@ def iam_policy_no_statements_with_admin_access():
"PolicyVersion" "PolicyVersion"
] ]
if "'Effect': 'Allow', 'Action': '*', 'Resource': '*'" not in str(policy_version["Document"]): for statement in policy_version["Document"]["Statement"]:
compliant_resource.append(policy["Arn"]) if (
statement["Action"] == "*"
and statement["Resource"] == "*"
and statement["Effect"] == "Allow"
):
non_compliant_resources.append(policy["Arn"])
break
else: else:
non_compliant_resources.append(policy["Arn"]) compliant_resource.append(policy["Arn"])
return RuleCheckResult( return RuleCheckResult(
passed=not non_compliant_resources, passed=not non_compliant_resources,
@ -37,14 +43,16 @@ def iam_policy_no_statements_with_full_access():
"PolicyVersion" "PolicyVersion"
] ]
escape = False
for statement in policy_version["Document"]["Statement"]: for statement in policy_version["Document"]["Statement"]:
for action in statement["Action"]: if statement["Effect"] == "Deny":
if action.endswith(":*"): continue
non_compliant_resources.append(policy["Arn"])
escape = True if type(statement["Action"]) == str:
break statement["Action"] = [statement["Action"]]
if escape == True:
full_access_actions = [action for action in statement["Action"] if action.endswith(":*")]
if full_access_actions:
non_compliant_resources.append(policy["Arn"])
break break
else: else:
compliant_resource.append(policy["Arn"]) compliant_resource.append(policy["Arn"])