FIX: Lambda and Ec2 role policy check now only scan for allowed actions

This commit is contained in:
xpk
2025-09-18 09:29:23 +08:00
parent 5572f61ab9
commit 4d29313b0d
+14 -7
@@ -298,7 +298,6 @@ printResult(outTable, "AccountID, Type, Name")
"""Check Lambda role and IAM instance profile permissions""" """Check Lambda role and IAM instance profile permissions"""
printTitle(1, "Iam service review")
printTitle(2, "[Security] Check permissions of Lamda roles and Ec2 instance roles") printTitle(2, "[Security] Check permissions of Lamda roles and Ec2 instance roles")
printTitle(3, "Typically these roles should not have admin or iam permissions.") printTitle(3, "Typically these roles should not have admin or iam permissions.")
outTable = [] outTable = []
@@ -336,6 +335,12 @@ for role in roles:
roles = confirmed_roles roles = confirmed_roles
printTitle(3, f"Roles to be examined: {len(confirmed_roles)}") printTitle(3, f"Roles to be examined: {len(confirmed_roles)}")
# predefined actions which should not be granted
high_risk_actions = {
"*",
"iam:*"
}
# Check inline policies for each role # Check inline policies for each role
client = boto3.client('iam', region_name="us-east-1") client = boto3.client('iam', region_name="us-east-1")
for role in roles: for role in roles:
@@ -344,13 +349,14 @@ for role in roles:
response = client.get_role_policy(RoleName=role, PolicyName=policy_name) response = client.get_role_policy(RoleName=role, PolicyName=policy_name)
policy = response['PolicyDocument'] policy = response['PolicyDocument']
flat_actions = jmespath.search('Statement[].Action[]', policy) flat_actions = jmespath.search('Statement[?Effect=="Allow"].Action[]', policy)
if flat_actions is None: if flat_actions is None:
print(json.dumps(policy)) print(json.dumps(policy))
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"]) outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
else: else:
if "*" in flat_actions or "iam:*" in flat_actions: common = high_risk_actions.intersection(flat_actions)
outTable.append([aid, role, policy_name, "Inline policy contains * or iam:*, please review it"]) if len(common) >= 1:
outTable.append([aid, role, policy_name, f"Inline policy contains {common}, please review it"])
# Check managed policies for each role # Check managed policies for each role
for role in roles: for role in roles:
@@ -367,13 +373,14 @@ for role in roles:
version = client.get_policy_version(PolicyArn=policy_arn, VersionId=default_version_id) version = client.get_policy_version(PolicyArn=policy_arn, VersionId=default_version_id)
policy_document = version['PolicyVersion']['Document'] policy_document = version['PolicyVersion']['Document']
flat_actions = jmespath.search('Statement[].Action[]', policy_document) flat_actions = jmespath.search('Statement[?Effect=="Allow"].Action[]', policy_document)
if flat_actions is None: if flat_actions is None:
print(json.dumps(policy_document)) print(json.dumps(policy_document))
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"]) outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
else: else:
if "*" in flat_actions or "iam:*" in flat_actions: common = high_risk_actions.intersection(flat_actions)
outTable.append([aid, role, policy_name, "Managed policy contains * or iam:*, please review it"]) if len(common) >= 1:
outTable.append([aid, role, policy_name, f"Managed policy contains {common}, please review it"])
printResult(outTable, "AccountID, RoleName, PolicyName, Issue") printResult(outTable, "AccountID, RoleName, PolicyName, Issue")
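Review bot: The new filter `Statement[?Effect=="Allow"].Action[]` on the inline-policy and managed-policy search lines never matches anything, because in JMESPath a double-quoted token is a quoted identifier rather than a string literal: `"Allow"` is resolved as the key `Allow` of each statement, which is null, so every statement fails the comparison, `flat_actions` becomes `[]`, and no `*` or `iam:*` finding is ever reported for either policy type. Use a raw string literal in both places, `flat_actions = jmespath.search("Statement[?Effect=='Allow'].Action[]", policy)` (a backtick-quoted JSON literal also works), and cover the check with a test policy containing a single Allow `*` statement so the scan cannot go silent again. Two further gaps are visible in `high_risk_actions`: IAM matches action names case-insensitively, so `IAM:*` or `Iam:*` slips past the exact-match intersection unless each action is lowercased first, and an Allow statement that uses `NotAction` instead of `Action` grants everything not listed yet contributes nothing to `flat_actions`, so such statements deserve their own finding. The `for role in roles:` loops these hunks modify start before the hunks, so the surrounding policy enumeration is not visible here.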