Merge pull request #68 from kmcquade/fix/GH-63-duplicate-inline-policy-names-and-attached-principals

Fixes #63 - Attached to Principals is now included in the finding card

Author: kmcquade

cloudsplaining/command/scan.py

@@ -83,9 +83,25 @@ def scan(
         with open(input) as f:
             contents = f.read()
             account_authorization_details_cfg = json.loads(contents)
-        scan_account_authorization_details(
+        rendered_html_report = scan_account_authorization_details(
             account_authorization_details_cfg, exclusions, account_name, output, write_data_files=True
         )
+        html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+        logger.info("Saving the report to %s", html_output_file)
+        if os.path.exists(html_output_file):
+            os.remove(html_output_file)
+
+        with open(html_output_file, "w") as f:
+            f.write(rendered_html_report)
+
+        print(f"Wrote HTML results to: {html_output_file}")
+
+        # Open the report by default
+        if not skip_open_report:
+            print("Opening the HTML report")
+            url = "file://%s" % os.path.abspath(html_output_file)
+            webbrowser.open(url, new=2)
+
     if os.path.isdir(input):
         logger.info(
             "The path given is a directory. Scanning for account authorization files and generating report."
@@ -103,6 +119,9 @@ def scan(
                 account_authorization_details_cfg, exclusions, account_name, output, write_data_files=True
             )
             html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+            logger.info("Saving the report to %s", html_output_file)
+            if os.path.exists(html_output_file):
+                os.remove(html_output_file)
 
             with open(html_output_file, "w") as f:
                 f.write(rendered_html_report)

cloudsplaining/output/templates/analysis/finding-card/names.html

@@ -1,9 +1,29 @@
 <div class="card">
-  <h6 class="card-header" id="{{ finding['PolicyName'] }}">
+  <h6 class="card-header" id="{{ finding['PolicyName'] }}{% if finding['AttachedToPrincipal'] %}{{ finding['AttachedToPrincipal'] }}{% endif %}">
     Name: {{ finding["PolicyName"] }}
     <br>
     <br>
     Type: {% if finding["Type"] == "Policy" %}{{ finding["ManagedBy"] }}-Managed {{ finding["Type"] }}{% else %}Inline {{ finding["Type"] }} Policy{% endif %}
+  {% if finding["Type"] == "Policy" %}
+  {% if "Principals" in finding %}
+<br>
+<br>
+    Attached to Principal(s):
+{% for principal in finding["Principals"] %}
+<br>
+- {{ principal }}{% endfor %}
+{% endif %}
+<!--/Policies Attached to principals-->
+  {% else %}
+<!--Inline Policies - identify which ones are attached to which principal-->
+<!--This will only apply if finding["Type"] != "Policy"-->
+  {% if finding["AttachedToPrincipal"] %}
+<br>
+<br>
+Attached to Principal: {{ finding["AttachedToPrincipal"] }}
+  {% endif %}
+{% endif %}
+<!--/end AttachedToPrincipal-->
   </h6>
     <div class="card-body">
     <p class="card-text">

cloudsplaining/output/templates/summary/aws-managed.html

@@ -31,7 +31,7 @@
     {% if finding["ManagedBy"] == "AWS" %}
       <tr>
         <td></td>
-        <td><a href="#{{ finding['PolicyName'] }}">{{ finding['PolicyName'] }}</a></td>
+        <td><a href="#{{ finding['PolicyName'] }}{% if finding['AttachedToPrincipal'] %}{{ finding['AttachedToPrincipal'] }}{% endif %}">{{ finding['PolicyName'] }}</a></td>
         <td>{{ finding["ServicesCount"] }}</td>
         <td><p style="max-height: 100px; overflow: scroll;">{% for service in finding["Services"] %}{{ service }}{% if not loop.last %}, {% endif %}{% endfor %}</p></td>
         <td>{{ finding["ActionsCount"] }}</td>

cloudsplaining/output/templates/summary/customer-managed.html

@@ -1,9 +1,9 @@
 <br>
 <p style="text-align: justify">
-  The following table shows a list of Customer created IAM Policies that are currently used in the account - both <a href="#definition-managed-policy">Managed Policies</a> and <a href="#definition-inline-policy">Inline Policies</a>. If the policy is an inline policy, the table indicates the <a href="#definition-principal">IAM Principal</a> that the inline policy is associated with. It only includes policies that (1) have findings and (2) are currently used in the account.   If the policy contains IAM Actions - or combinations of actions - that fall under certain risk categories - <a href="#definition-infrastructure-modification">Infrastructure Modification</a>, <a href="#definition-privilege-escalation">Privilege Escalation</a>,  <a href="#definition-resource-exposure">Resource Exposure</a>, or <a href="#definition-data-exfiltration">Data Exfiltration</a> - then the number of occurrences per-policy and per-risk is included in the table. <b>If there are no findings for a particular policy, or if the policy is not attached to any IAM Principals, then the policy is not included in the findings.</b>
+  The following table shows a list of Customer created IAM Policies that are currently used in the account - both <a href="#definition-managed-policy">Managed Policies</a> and <a href="#definition-inline-policy">Inline Policies</a>. If the policy is an inline policy, the table indicates the <a href="#definition-principal">IAM Principal</a> that the inline policy is associated with. It only includes policies that (1) have findings and (2) are currently used in the account.
   <br>
   <br>
-  If the policy contains IAM Actions - or combinations of actions - that fall under certain risk categories - <a href="#definition-privilege-escalation" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Privilege Escalation" data-content='<p>These policies allow a combination of IAM actions that allow a principal with these permissions to escalate their privileges - for example, by creating an access key for another IAM user, or modifying their own permissions. This research was pioneered by Spencer Gietzen at Rhino Security Labs.  Remediation guidance can be found <a href="https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/">here</a>.</p>'>Privilege Escalation</a>, <a href="#definition-resource-exposure" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Resource Exposure" data-content='<p>Resource Exposure actions allow modification of Permissions to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html">resource-based policies</a> or otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure - for example, the ability to modify <a href="https://docs.aws.amazon.com/ram/latest/userguide/what-is.html">AWS Resource Access Manager</a>.</p>'>Resource Exposure</a>, <a href="#definition-infrastructure-modification" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Infrastructure Modification" data-content='<p>Infrastructure Modification describes IAM actions with "modify" capabilities, and can therefore lead to <a href="https://attack.mitre.org/techniques/T1496/">Resource Hijacking</a>, unauthorized creation of Infrastructure, Backdoor creation, and/or modification of existing resources which can result in downtime.</p>'>Infrastructure Modification</a>, and <a href="#definition-data-exfiltration" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Data Exfiltration" data-content='<div style="text-align:left"><p>Policies with Data Exfiltration potential allow certain read-only IAM actions without resource constraints, such as <code>s3:GetObject</code>, <code>ssm:GetParameter*</code>, or <code>secretsmanager:GetSecretValue</code>. <br> <ul> <li>Unrestricted <code>s3:GetObject</code> permissions has a long history of customer data leaks.</li> <li><code>ssm:GetParameter*</code> and <code>secretsmanager:GetSecretValue</code> are both used to access secrets.</li> <li><code>rds:CopyDBSnapshot</code> and <code>rds:CreateDBSnapshot</code> can be used to exfiltrate RDS database contents.</li> </ul></p></div>'>Data Exfiltration</a> - then the number of occurrences per-policy and per-risk is included in the table.
+  If the policy contains IAM Actions - or combinations of actions - that fall under certain risk categories - <a href="#definition-privilege-escalation" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Privilege Escalation" data-content='<p>These policies allow a combination of IAM actions that allow a principal with these permissions to escalate their privileges - for example, by creating an access key for another IAM user, or modifying their own permissions. This research was pioneered by Spencer Gietzen at Rhino Security Labs.  Remediation guidance can be found <a href="https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/">here</a>.</p>'>Privilege Escalation</a>, <a href="#definition-resource-exposure" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Resource Exposure" data-content='<p>Resource Exposure actions allow modification of Permissions to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html">resource-based policies</a> or otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure - for example, the ability to modify <a href="https://docs.aws.amazon.com/ram/latest/userguide/what-is.html">AWS Resource Access Manager</a>.</p>'>Resource Exposure</a>, <a href="#definition-infrastructure-modification" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Infrastructure Modification" data-content='<p>Infrastructure Modification describes IAM actions with "modify" capabilities, and can therefore lead to <a href="https://attack.mitre.org/techniques/T1496/">Resource Hijacking</a>, unauthorized creation of Infrastructure, Backdoor creation, and/or modification of existing resources which can result in downtime.</p>'>Infrastructure Modification</a>, and <a href="#definition-data-exfiltration" class="popovers" data-toggle="popover" data-html="true" data-placement="top" title="Data Exfiltration" data-content='<div style="text-align:left"><p>Policies with Data Exfiltration potential allow certain read-only IAM actions without resource constraints, such as <code>s3:GetObject</code>, <code>ssm:GetParameter*</code>, or <code>secretsmanager:GetSecretValue</code>. <br> <ul> <li>Unrestricted <code>s3:GetObject</code> permissions has a long history of customer data leaks.</li> <li><code>ssm:GetParameter*</code> and <code>secretsmanager:GetSecretValue</code> are both used to access secrets.</li> <li><code>rds:CopyDBSnapshot</code> and <code>rds:CreateDBSnapshot</code> can be used to exfiltrate RDS database contents.</li> </ul></p></div>'>Data Exfiltration</a> - then the number of occurrences per-policy and per-risk is included in the table. <b>If there are no findings for a particular policy, or if the policy is not attached to any IAM Principals, then the policy is not included in the findings.</b>
   <br>
   <br>
   If the IAM principal is a Role and is <a href="#definition-roles-assumable-by-compute-services">assumable by a Compute Service</a> - <code>ec2</code>, <code>ecs-tasks</code>, <code>lambda</code>, or <code>eks</code> - then that is indicated in the table as well.
@@ -39,7 +39,7 @@
       <tr>
         <td></td>
         <td>{% if finding["Type"] == "Policy" %}{{ finding["ManagedBy"] }}-Managed {{ finding["Type"] }}{% else %}Inline {{ finding["Type"] }} Policy{% endif %}</td>
-        <td><a href="#{{ finding['PolicyName'] }}">{{ finding['PolicyName'] }}</a></td>
+        <td><a href="#{{ finding['PolicyName'] }}{% if finding['AttachedToPrincipal'] %}{{ finding['AttachedToPrincipal'] }}{% endif %}">{{ finding['PolicyName'] }}</a></td>
         <td>{% if finding["Type"] == "Policy" %}{% else %}{{ finding['Name'] }}{% endif %}</td>
         <td>{{ finding["ServicesCount"] }}</td>
         <td><p style="max-height: 100px; overflow: scroll;">{% for service in finding["Services"] %}{{ service }}{% if not loop.last %}, {% endif %}{% endfor %}</p></td>