FIX: Examination of Lambda and EC2 roles now work
This commit is contained in:
+29
-4
@@ -298,6 +298,7 @@ printResult(outTable, "AccountID, Type, Name")
|
||||
|
||||
|
||||
"""Check Lambda role and IAM instance profile permissions"""
|
||||
printTitle(1, "Iam service review")
|
||||
printTitle(2, "[Security] Check permissions of Lamda roles and Ec2 instance roles")
|
||||
printTitle(3, "Typically these roles should not have admin or iam permissions.")
|
||||
outTable = []
|
||||
@@ -321,6 +322,20 @@ for page in paginator.paginate():
|
||||
for role in instance_roles:
|
||||
roles.add(role['RoleName'])
|
||||
|
||||
# Need to remove non-existent roles
|
||||
iam_client = boto3.client('iam')
|
||||
confirmed_roles = set()
|
||||
for role in roles:
|
||||
try:
|
||||
iam_client.get_role(RoleName=role)
|
||||
confirmed_roles.add(role)
|
||||
except ClientError as e:
|
||||
outTable.append([aid, role, "na", "Role does not exist anymore"])
|
||||
pass
|
||||
|
||||
roles = confirmed_roles
|
||||
printTitle(3, f"Roles to be examined: {len(confirmed_roles)}")
|
||||
|
||||
# Check inline policies for each role
|
||||
client = boto3.client('iam', region_name="us-east-1")
|
||||
for role in roles:
|
||||
@@ -328,9 +343,14 @@ for role in roles:
|
||||
for policy_name in inline_policy_names:
|
||||
response = client.get_role_policy(RoleName=role, PolicyName=policy_name)
|
||||
policy = response['PolicyDocument']
|
||||
|
||||
flat_actions = jmespath.search('Statement[].Action[]', policy)
|
||||
if "*" in flat_actions or "iam:*" in flat_actions:
|
||||
outTable.append([aid, role, policy_name, "Inline policy contains * or iam:*, please review it"])
|
||||
if flat_actions is None:
|
||||
print(json.dumps(policy))
|
||||
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
|
||||
else:
|
||||
if "*" in flat_actions or "iam:*" in flat_actions:
|
||||
outTable.append([aid, role, policy_name, "Inline policy contains * or iam:*, please review it"])
|
||||
|
||||
# Check managed policies for each role
|
||||
for role in roles:
|
||||
@@ -348,12 +368,17 @@ for role in roles:
|
||||
policy_document = version['PolicyVersion']['Document']
|
||||
|
||||
flat_actions = jmespath.search('Statement[].Action[]', policy_document)
|
||||
if "*" in flat_actions or "iam:*" in flat_actions:
|
||||
outTable.append([aid, role, policy_name, "Managed policy contains * or iam:*, please review it"])
|
||||
if flat_actions is None:
|
||||
print(json.dumps(policy_document))
|
||||
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
|
||||
else:
|
||||
if "*" in flat_actions or "iam:*" in flat_actions:
|
||||
outTable.append([aid, role, policy_name, "Managed policy contains * or iam:*, please review it"])
|
||||
|
||||
printResult(outTable, "AccountID, RoleName, PolicyName, Issue")
|
||||
|
||||
|
||||
|
||||
"""Check cloudwatch log group retention"""
|
||||
printTitle(1, "Cloudwatch service review")
|
||||
printTitle(2, "[Cost Optimization] Cloudwatch LogGroups without retention period")
|
||||
|
||||
Reference in New Issue
Block a user