FIX: Examination of Lambda and EC2 roles now work

This commit is contained in:
xpk
2025-09-17 21:42:24 +08:00
parent 2942483744
commit 5572f61ab9
+25
@@ -298,6 +298,7 @@ printResult(outTable, "AccountID, Type, Name")
"""Check Lambda role and IAM instance profile permissions""" """Check Lambda role and IAM instance profile permissions"""
printTitle(1, "Iam service review")
printTitle(2, "[Security] Check permissions of Lamda roles and Ec2 instance roles") printTitle(2, "[Security] Check permissions of Lamda roles and Ec2 instance roles")
printTitle(3, "Typically these roles should not have admin or iam permissions.") printTitle(3, "Typically these roles should not have admin or iam permissions.")
outTable = [] outTable = []
@@ -321,6 +322,20 @@ for page in paginator.paginate():
for role in instance_roles: for role in instance_roles:
roles.add(role['RoleName']) roles.add(role['RoleName'])
# Need to remove non-existent roles
iam_client = boto3.client('iam')
confirmed_roles = set()
for role in roles:
try:
iam_client.get_role(RoleName=role)
confirmed_roles.add(role)
except ClientError as e:
outTable.append([aid, role, "na", "Role does not exist anymore"])
pass
roles = confirmed_roles
printTitle(3, f"Roles to be examined: {len(confirmed_roles)}")
# Check inline policies for each role # Check inline policies for each role
client = boto3.client('iam', region_name="us-east-1") client = boto3.client('iam', region_name="us-east-1")
for role in roles: for role in roles:
@@ -328,7 +343,12 @@ for role in roles:
for policy_name in inline_policy_names: for policy_name in inline_policy_names:
response = client.get_role_policy(RoleName=role, PolicyName=policy_name) response = client.get_role_policy(RoleName=role, PolicyName=policy_name)
policy = response['PolicyDocument'] policy = response['PolicyDocument']
flat_actions = jmespath.search('Statement[].Action[]', policy) flat_actions = jmespath.search('Statement[].Action[]', policy)
if flat_actions is None:
print(json.dumps(policy))
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
else:
if "*" in flat_actions or "iam:*" in flat_actions: if "*" in flat_actions or "iam:*" in flat_actions:
outTable.append([aid, role, policy_name, "Inline policy contains * or iam:*, please review it"]) outTable.append([aid, role, policy_name, "Inline policy contains * or iam:*, please review it"])
@@ -348,12 +368,17 @@ for role in roles:
policy_document = version['PolicyVersion']['Document'] policy_document = version['PolicyVersion']['Document']
flat_actions = jmespath.search('Statement[].Action[]', policy_document) flat_actions = jmespath.search('Statement[].Action[]', policy_document)
if flat_actions is None:
print(json.dumps(policy_document))
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
else:
if "*" in flat_actions or "iam:*" in flat_actions: if "*" in flat_actions or "iam:*" in flat_actions:
outTable.append([aid, role, policy_name, "Managed policy contains * or iam:*, please review it"]) outTable.append([aid, role, policy_name, "Managed policy contains * or iam:*, please review it"])
printResult(outTable, "AccountID, RoleName, PolicyName, Issue") printResult(outTable, "AccountID, RoleName, PolicyName, Issue")
"""Check cloudwatch log group retention""" """Check cloudwatch log group retention"""
printTitle(1, "Cloudwatch service review") printTitle(1, "Cloudwatch service review")
printTitle(2, "[Cost Optimization] Cloudwatch LogGroups without retention period") printTitle(2, "[Cost Optimization] Cloudwatch LogGroups without retention period")
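Review bot: The `except ClientError` in the new role-confirmation loop treats every client error as a missing role, so an AccessDenied or throttling error from get_role silently drops that role from the review under the message "Role does not exist anymore", which is the wrong outcome for a permissions audit. Narrow it to the one error the message describes and re-raise the rest: `except ClientError as e:` / `    if e.response.get("Error", {}).get("Code") != "NoSuchEntity": raise` / `    outTable.append([aid, role, "na", "Role does not exist anymore"])`, which also removes the dead `pass`. This assumes `ClientError` is imported from botocore.exceptions earlier in the file, outside the hunk. The `flat_actions is None` guards added in the two later hunks cover a dict-valued `Statement`, but if I read jmespath's projection semantics correctly a string-valued `Action` (for example `"Action": "*"`) is dropped from `Statement[].Action[]` rather than producing None, so such policies still pass the `*`/`iam:*` check unflagged; normalising each statement's `Action` to a list before checking would close that gap. The `print(json.dumps(policy))` calls also write whole policy documents to stdout between the result tables, which reads better as a debug-level log line.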