Fixes #104 - where inline policies were showing up as findings even when they were attached to excluded IAM principals (#105)

Author: kmcquade

CHANGELOG.md

@@ -3,6 +3,9 @@
 ## Unreleased
 * Docker
 
+## 0.2.1 (9/25/2020)
+* Fixes issue where Inline Policies were showing up as findings even when they were attached to excluded IAM principals. Fixes #104
+
 ## 0.2.0 (9/21/2020)
 * Major UI uplift: 
   * Added Bar chart of results

cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = "0.2.0"
+__version__ = "0.2.1"

cloudsplaining/scan/group_details.py

@@ -100,18 +100,23 @@ def __init__(self, group_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
 
         # Inline Policies
         self.inline_policies = []
-        if group_detail.get("GroupPolicyList"):
-            self._inline_policies_details(
-                group_detail.get("GroupPolicyList")
-            )
+        # If the group itself is NOT excluded, add its inline policies
+        if not self.is_excluded:
+            if group_detail.get("GroupPolicyList"):
+                for policy in group_detail.get("GroupPolicyList"):
+                    inline_policy = InlinePolicy(policy)
+                    if not inline_policy.is_excluded:
+                        self.inline_policies.append(inline_policy)
 
         # Managed Policies (either AWS-managed or Customer managed)
         self.attached_managed_policies = []
-        if group_detail.get("AttachedManagedPolicies"):
-            self._attached_managed_policies_details(
-                group_detail.get("AttachedManagedPolicies"),
-                policy_details
-            )
+        # If the group itself is NOT excluded, add its AWS-managed or Customer-managed policies
+        if not self.is_excluded:
+            if group_detail.get("AttachedManagedPolicies"):
+                for policy in group_detail.get("AttachedManagedPolicies"):
+                    arn = policy.get("PolicyArn")
+                    attached_managed_policy_details = policy_details.get_policy_detail(arn)
+                    self.attached_managed_policies.append(attached_managed_policy_details)
 
     def _is_excluded(self, exclusions):
         """Determine whether the principal name or principal ID is excluded"""
@@ -121,17 +126,6 @@ def _is_excluded(self, exclusions):
             or exclusions.is_principal_excluded(self.path, "Group")
         )
 
-    def _attached_managed_policies_details(self, attached_managed_policies_list, policy_details):
-        for policy in attached_managed_policies_list:
-            arn = policy.get("PolicyArn")
-            attached_managed_policy_details = policy_details.get_policy_detail(arn)
-            self.attached_managed_policies.append(attached_managed_policy_details)
-
-    def _inline_policies_details(self, group_policies_list):
-        for policy in group_policies_list:
-            inline_policy = InlinePolicy(policy)
-            self.inline_policies.append(inline_policy)
-
     @property
     def all_allowed_actions(self):
         """Return a list of which actions are allowed by the principal"""

cloudsplaining/scan/role_details.py

@@ -114,18 +114,23 @@ def __init__(self, role_detail, policy_details, exclusions=DEFAULT_EXCLUSIONS):
 
         # Inline Policies
         self.inline_policies = []
-        if role_detail.get("RolePolicyList"):
-            self._inline_policies_details(
-                role_detail.get("RolePolicyList")
-            )
+        # If the role itself is NOT excluded, add its inline policies
+        if not self.is_excluded:
+            if role_detail.get("RolePolicyList"):
+                for policy in role_detail.get("RolePolicyList"):
+                    inline_policy = InlinePolicy(policy)
+                    if not inline_policy.is_excluded:
+                        self.inline_policies.append(inline_policy)
 
         # Managed Policies (either AWS-managed or Customer managed)
         self.attached_managed_policies = []
-        if role_detail.get("AttachedManagedPolicies"):
-            self._attached_managed_policies_details(
-                role_detail.get("AttachedManagedPolicies"),
-                policy_details
-            )
+        # If the role itself is NOT excluded, add its AWS-managed or Customer-managed policies
+        if not self.is_excluded:
+            if role_detail.get("AttachedManagedPolicies"):
+                for policy in role_detail.get("AttachedManagedPolicies"):
+                    arn = policy.get("PolicyArn")
+                    attached_managed_policy_details = policy_details.get_policy_detail(arn)
+                    self.attached_managed_policies.append(attached_managed_policy_details)
 
     def _is_excluded(self, exclusions):
         """Determine whether the principal name or principal ID is excluded"""
@@ -136,19 +141,6 @@ def _is_excluded(self, exclusions):
             or is_name_excluded(self.path, "/aws-service-role*")
         )
 
-    def _attached_managed_policies_details(self, attached_managed_policies_list, policy_details):
-        if attached_managed_policies_list:
-            for policy in attached_managed_policies_list:
-                arn = policy.get("PolicyArn")
-                attached_managed_policy_details = policy_details.get_policy_detail(arn)
-                self.attached_managed_policies.append(attached_managed_policy_details)
-
-    def _inline_policies_details(self, group_policies_list):
-        if group_policies_list:
-            for policy in group_policies_list:
-                inline_policy = InlinePolicy(policy)
-                self.inline_policies.append(inline_policy)
-
     @property
     def all_allowed_actions(self):
         """Return a list of which actions are allowed by the principal"""

cloudsplaining/scan/user_details.py

@@ -106,18 +106,23 @@ def __init__(self, user_detail, policy_details, all_group_details, exclusions=DE
 
         # Inline Policies
         self.inline_policies = []
-        if user_detail.get("UserPolicyList"):
-            self._inline_policies_details(
-                user_detail.get("UserPolicyList")
-            )
+        # If the user itself is NOT excluded, add its inline policies
+        if not self.is_excluded:
+            if user_detail.get("UserPolicyList"):
+                for policy in user_detail.get("UserPolicyList"):
+                    inline_policy = InlinePolicy(policy)
+                    if not inline_policy.is_excluded:
+                        self.inline_policies.append(inline_policy)
 
         # Managed Policies (either AWS-managed or Customer managed)
         self.attached_managed_policies = []
-        if user_detail.get("AttachedManagedPolicies"):
-            self._attached_managed_policies_details(
-                user_detail.get("AttachedManagedPolicies"),
-                policy_details
-            )
+        # If the user itself is NOT excluded, add its AWS-managed or Customer-managed policies
+        if not self.is_excluded:
+            if user_detail.get("AttachedManagedPolicies"):
+                for policy in user_detail.get("AttachedManagedPolicies"):
+                    arn = policy.get("PolicyArn")
+                    attached_managed_policy_details = policy_details.get_policy_detail(arn)
+                    self.attached_managed_policies.append(attached_managed_policy_details)
 
     def _is_excluded(self, exclusions):
         """Determine whether the principal name or principal ID is excluded"""
@@ -132,17 +137,6 @@ def _add_group_details(self, group_list, all_group_details):
             this_group_detail = all_group_details.get_group_detail(group)
             self.groups.append(this_group_detail)
 
-    def _attached_managed_policies_details(self, attached_managed_policies_list, policy_details):
-        for policy in attached_managed_policies_list:
-            arn = policy.get("PolicyArn")
-            attached_managed_policy_details = policy_details.get_policy_detail(arn)
-            self.attached_managed_policies.append(attached_managed_policy_details)
-
-    def _inline_policies_details(self, group_policies_list):
-        for policy in group_policies_list:
-            inline_policy = InlinePolicy(policy)
-            self.inline_policies.append(inline_policy)
-
     @property
     def all_allowed_actions(self):
         """Return a list of which actions are allowed by the principal"""

index.html

@@ -34,106 +34,23 @@
     example_principal_policy_mapping = json.load(json_file)
 
 
-class PolicyFileTestCase(unittest.TestCase):
-    # def test_output_html_output_as_string(self):
-    #     example_authz_details_file = os.path.abspath(
-    #         os.path.join(
-    #             os.path.dirname(__file__),
-    #             os.path.pardir,
-    #             "files",
-    #             "example-authz-details.json",
-    #         )
-    #     )
-    #     with open(example_authz_details_file, "r") as json_file:
-    #         cfg = json.load(json_file)
-    #         decision = check_authorization_details_schema(cfg)
-    #     self.assertTrue(decision)
-    #     # TODO: These values are just for testing
-    #     account_authorization_details_cfg = cfg
-    #     exclusions = DEFAULT_EXCLUSIONS
-    #
-    #     authorization_details = AuthorizationDetails(account_authorization_details_cfg)
-    #     results = authorization_details.missing_resource_constraints(
-    #         exclusions, modify_only=True
-    #     )
-    #
-    #     principal_policy_mapping = authorization_details.principal_policy_mapping
-    #     # For the IAM Principals tab, add on risk stats per principal
-    #     for principal_policy_entry in principal_policy_mapping:
-    #         for finding in results:
-    #             if principal_policy_entry.get("PolicyName").lower() == finding.get("PolicyName").lower():
-    #                 principal_policy_entry["Actions"] = len(finding["Actions"])
-    #                 principal_policy_entry["PrivilegeEscalation"] = len(
-    #                     finding["PrivilegeEscalation"]
-    #                 )
-    #                 principal_policy_entry["DataExfiltration"] = len(
-    #                     finding["DataExfiltration"]
-    #                 )
-    #                 principal_policy_entry["ResourceExposure"] = len(
-    #                     finding["ResourceExposure"]
-    #                 )
-    #                 principal_name = principal_policy_entry["Principal"]
-    #                 # Customer Managed Policies
-    #                 if finding.get("Type") == "Policy" and finding.get(
-    #                     "ManagedBy") == "Customer" and principal_policy_entry.get("Type") != "Policy":
-    #                     if "Principals" not in finding:
-    #                         finding["Principals"] = [principal_name]
-    #                     else:
-    #                         if principal_name not in finding["Principals"]:
-    #                             finding["Principals"].append(principal_name)
-    #
-    #                 # AWS Managed Policies
-    #                 if finding.get("Type") == "Policy" and finding.get("ManagedBy") == "AWS":
-    #                     if "Principals" not in finding:
-    #                         finding["Principals"] = [principal_name]
-    #                     else:
-    #                         if principal_name not in finding["Principals"]:
-    #                             finding["Principals"].append(principal_name)
-    #
-    #     # Lazy method to get an account ID
-    #     account_id = None
-    #     for item in results:
-    #         if item["ManagedBy"] == "Customer":
-    #             account_id = item["AccountID"]
-    #             break
-    #
-    #     html_report = HTMLReport(
-    #         account_id=account_id,
-    #         account_name="CHANGEME",
-    #         results=results,
-    #     )
-    #     rendered_report = html_report.get_html_report()
-    #     # print(rendered_report)
-    #     # test_report_path = os.path.join(
-    #     #     os.getcwd(),
-    #     #     os.path.pardir,
-    #     #     os.path.pardir,
-    #     #     "tmp",
-    #     #     "testing_new_html_report.html"
-    #     # )
-    #     # with open(test_report_path, "w") as file:
-    #     #     file.write(rendered_report)
-    #     # print("Opening the HTML report")
-    #     # url = "file://%s" % os.path.abspath(test_report_path)
-    #     # webbrowser.open(url, new=2)
-
-
-    def test_scan_authz_details_and_output_html_as_string(self):
-        example_authz_details_file = os.path.abspath(
-            os.path.join(
-                os.path.dirname(__file__),
-                os.path.pardir,
-                "files",
-                "example-authz-details.json",
-            )
-        )
-        with open(example_authz_details_file, "r") as json_file:
-            cfg = json.load(json_file)
-            decision = check_authorization_details_schema(cfg)
-        self.assertTrue(decision)
-
-        rendered_html_report = scan_account_authorization_details(
-            cfg, DEFAULT_EXCLUSIONS, account_name="Something", output_directory=os.getcwd(),
-            write_data_files=False
-        )
-        # print(rendered_html_report)
+# class PolicyFileTestCase(unittest.TestCase):
+#     def test_scan_authz_details_and_output_html_as_string(self):
+#         example_authz_details_file = os.path.abspath(
+#             os.path.join(
+#                 os.path.dirname(__file__),
+#                 os.path.pardir,
+#                 "files",
+#                 "example-authz-details.json",
+#             )
+#         )
+#         with open(example_authz_details_file, "r") as json_file:
+#             cfg = json.load(json_file)
+#             decision = check_authorization_details_schema(cfg)
+#         self.assertTrue(decision)
+#
+#         rendered_html_report = scan_account_authorization_details(
+#             cfg, DEFAULT_EXCLUSIONS, account_name="Something", output_directory=os.getcwd(),
+#             write_data_files=False
+#         )
+#         # print(rendered_html_report)

test/command/test_scan.py

@@ -65,19 +65,8 @@
         }
       },
       "path": "/",
-      "customer_managed_policies": {
-        "InsecurePolicy": "InsecurePolicy",
-        "NotYourPolicy": "NotYourPolicy"
-      },
-      "aws_managed_policies": {
-        "ANPAIWMBCKSKIEE64ZLYK": "AdministratorAccess",
-        "ANPAIFIR6V6BVTRAHWINE": "AmazonS3FullAccess",
-        "ANPAI3VAJF5ZCRZ7MCQE6": "AmazonEC2FullAccess",
-        "ANPAIQNUJTQYDRJPC3BNK": "AWSCloudTrailFullAccess",
-        "ANPAI4VCZ3XPIZLQ5NZV2": "AWSCodeCommitFullAccess",
-        "ANPAI6E2CYYMI4XI7AA5K": "AWSLambdaFullAccess",
-        "ANPAIKEABORKUXN6DEAZU": "CloudWatchFullAccess"
-      },
+      "customer_managed_policies": {},
+      "aws_managed_policies": {},
       "is_excluded": true
     },
     "ASIAZZUSERZZPLACEHOLDER": {
@@ -143,17 +132,12 @@
       "create_date": "2019-08-16 17:27:59+00:00",
       "id": "MyRole",
       "name": "MyRole",
-      "inline_policies": {
-        "0568550cb147d2434f6c04641e921f18fe1b7b1fd0b5af5acf514d33d204faca": "EC2-IAM-example"
-      },
+      "inline_policies": {},
       "instance_profiles": [],
       "instances_count": 0,
       "path": "/",
       "customer_managed_policies": {},
-      "aws_managed_policies": {
-        "ANPAI6E2CYYMI4XI7AA5K": "AWSLambdaFullAccess",
-        "ANPAIKEABORKUXN6DEAZU": "CloudWatchFullAccess"
-      },
+      "aws_managed_policies": {},
       "is_excluded": true
     },
     "MyOtherRole": {
@@ -12905,7 +12889,7 @@
       "is_excluded": false
     },
     "0568550cb147d2434f6c04641e921f18fe1b7b1fd0b5af5acf514d33d204faca": {
-      "PolicyName": "EC2-IAM-example",
+      "PolicyName": "MyOtherRolePolicy",
       "PolicyId": "0568550cb147d2434f6c04641e921f18fe1b7b1fd0b5af5acf514d33d204faca",
       "PolicyDocument": {
         "Version": "2012-10-17",