
AWS IAM policy statement search facility #2749

Closed
clintoncwolfe opened this issue Feb 27, 2018 · 1 comment
Assignees
Labels
Platform: AWS Amazon Web Services-related issues

Comments

@clintoncwolfe
Contributor

clintoncwolfe commented Feb 27, 2018

🎛 Description

Several IAM and S3 resources support inline policies. Additionally, there are self-contained IAM policies, which may be attached to IAM users, groups, and roles. Policies are composed of a list of Statements, each with certain well-formed properties. You can read about the data structure in the AWS docs.

Many use cases require determining whether a particular statement is present in a policy (or not). A very rich example is CIS AWS Benchmark v1.1, Recommendation 1.18, which requires a long list of statements to be in effect on a Role - but does not specify if they are to be an inline policy or an attached policy.

🌍 InSpec and Platform Version

2.0.26

💁 Possible Solutions

Suppose my-policy looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Possible proposed syntax:

describe aws_iam_policy('my-policy') do
  # We'd have to override include here, since we would want subset hash matching, not exact
  its('statements') { should_not include(Effect: 'Allow', Action: '*') }
  # Or...
  it { should have_statement(Effect: 'Allow', Action: '*') }
  # Actions, Resources, and Conditions can all take a single element as a string, or allow an array.
  # How would we handle that?
  # I'd think this should evaluate true - which means we can't just do a simple hash comparison.
  it { should have_statement(Action: 's3:GetBucketLocation') }
end

So, an IAM policy has its policy baked into it. Other resources (IAM users, groups, roles, S3 buckets...) support inline policies as well; it makes sense then to push the has_statement? matcher out to a mixin, or a similar solution.

It's less clear to me what to do when you need to know if a statement is in effect on a resource that may also have policies attached to it. Assuming that (say) aws_iam_role is able to enumerate its attached policies by ARN, does the InSpec user then have to fetch any attached policies and examine them, as well?

Refs #2748 #2584 #2562
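The subset-matching behaviour sketched in the proposal above (a criterion such as `Action: 's3:GetBucketLocation'` should match a statement whose `Action` is a list, and a single-string `Action` should be treated the same as a one-element array) can be prototyped outside InSpec. The following Ruby is an added illustration written for this page; it is not the code on the `cw/aws-policy-search` branch and not InSpec's `aws_iam_policy` resource. The helper names (`has_statement?`, `role_has_statement?`, `policy_statements`) and the second, "attached" policy document are assumptions constructed for the example; the first policy document is the one from the issue.

```ruby
require 'json'

# IAM lets these statement fields be either a single string or an array of strings.
MULTI_VALUE_KEYS = %w[Action NotAction Resource NotResource].freeze

# The issue's own example policy (constructed here as a heredoc for the demo).
MY_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::*"
      }
    ]
  }
JSON

# Constructed example of a policy attached to the same role. It uses the
# single-object form of "Statement" and the single-string form of "Action",
# both of which IAM accepts, so the normalizer has to cope with them.
ATTACHED_ADMIN_POLICY = <<~JSON
  {
    "Version": "2012-10-17",
    "Statement": { "Effect": "Allow", "Action": "*", "Resource": "*" }
  }
JSON

# Array() would explode a Hash into key/value pairs, so wrap explicitly.
def as_list(value)
  value.is_a?(Array) ? value : [value]
end

# One statement with string keys and every string-or-array field coerced to an array.
def normalize_statement(stmt)
  stmt.each_with_object({}) do |(k, v), out|
    key = k.to_s
    out[key] = MULTI_VALUE_KEYS.include?(key) ? as_list(v) : v
  end
end

# All statements of a policy document (JSON text or an already-parsed Hash).
def policy_statements(policy_doc)
  doc = policy_doc.is_a?(String) ? JSON.parse(policy_doc) : policy_doc
  as_list(doc['Statement']).map { |s| normalize_statement(s) }
end

# Subset match: every criterion key must be present on the statement. For the
# multi-value keys each requested value must appear in the statement's list;
# other keys (Effect, Sid, Condition, ...) are compared for equality.
# Note that '*' here is matched literally, not expanded as a glob.
def statement_matches?(stmt, criteria)
  criteria.all? do |k, v|
    key = k.to_s
    next false unless stmt.key?(key)
    if MULTI_VALUE_KEYS.include?(key)
      (as_list(v) - stmt[key]).empty?
    else
      stmt[key] == v
    end
  end
end

# Equivalent of the proposed `have_statement` matcher for a single policy.
def has_statement?(policy_doc, criteria)
  policy_statements(policy_doc).any? { |s| statement_matches?(s, criteria) }
end

# The "in effect on a role" question from the issue: a statement counts if it
# appears in any of the role's inline or attached policy documents.
def role_has_statement?(policy_docs, criteria)
  policy_docs.any? { |doc| has_statement?(doc, criteria) }
end

if __FILE__ == $PROGRAM_NAME
  puts has_statement?(MY_POLICY, Action: 's3:GetBucketLocation')            # true
  puts has_statement?(MY_POLICY, Effect: 'Allow', Action: '*')              # false
  puts role_has_statement?([MY_POLICY, ATTACHED_ADMIN_POLICY], Action: '*') # true
end
```

Matching is deliberately one-directional: the criteria must be a subset of the statement, so asking for one action still matches a statement that grants several. The trade-off is that a plain `'*'` criterion only finds statements that literally say `"*"`; a statement granting `s3:*` would need a separate wildcard-aware comparison, which is the kind of decision the issue leaves open.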

@clintoncwolfe clintoncwolfe added feature request Platform: AWS Amazon Web Services-related issues labels Feb 27, 2018
@clintoncwolfe clintoncwolfe self-assigned this Mar 26, 2018
@clintoncwolfe
Contributor Author

Work underway on branch cw/aws-policy-search
