search

salesforce / cloudsplaining

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
https://cloudsplaining.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
2k stars 186 forks source link

Add policy minification? #209

Open TryTryAgain opened 3 years ago

TryTryAgain commented 3 years ago

As brought up https://github.com/Netflix-Skunkworks/policyuniverse/issues/38#issuecomment-868751613 ... it would be pretty handy if cloudsplaining could help with that by considering adding a minimize-policy to accompany the existing expand-policy (which I am happy to learn exists).

A few thoughts:

1) Like policyuniverse, I'd expect it to take the input policy into account in as much that it would determine the given actions/permissions and read/list/write/tag scope and stick with that? Meaning it wouldn't purely be doing pattern recognition wildcard replacement based on the given strings but take the related permissions potentially not included in the input policy into account; so there wouldn't be unintended permissions granted by mistake. That may be a given but I thought it should be said anyways.

2) Maybe kind of a feature request/enhancement to the existing expand-policy functionality as well... it would be cool if the resulting policies could be auto split to work within the constraints of AWS's various policy character limits.

What originally sparked my curiosity in this area was to build a "Safer" ReadOnlyAccess policy. I believe @kmcquade you've thought about similar things at length. I'm curious about the best approaches. I understand this is off-topic to the OP/issue.

# Get the list of actions we want to remove into an array
ActionsToRemove=($(cloudsplaining scan-policy-file --input-file $Policy_Filename | grep Actions | sed 's/.*Actions.*: //Ig' | tr ' ' '\n' | tr -d ',' | sort | uniq))

# Remove each action determined to be a risk
for Action in "${ActionsToRemove[@]}"; do
    sed -i "/\"$Action\".*/Id" $Policy_Filename
done

And some ugly attempts at minizing that using policyuniverse:

# Concatenate Service/Actions
tee "$PolicyUniverseMinification" > /dev/null <<EOF
from policyuniverse.expander_minimizer import minimize_policy
policy = $(cat $Policy_Filename)
minimized_policy = minimize_policy(policy=policy, minchars=None)
print(minimized_policy)
EOF

# Remove missing actions; Blackhole actions: meaning Policy Universe does not have information on them...
until python $PolicyUniverseMinification 2> stderr.txt; do
    MissingAction=$(cat stderr.txt | grep "Exception: Desired action not found in master permission list." | cut -d. -f2 | sed 's/^[[:space:]]*//g')
    echo "Removing Blackhole action: '$MissingAction'..."
    sed -i "/\"$MissingAction\".*/Id" $PolicyUniverseMinification
done

vs. simply getting the output of cloudsplaining and adding it to a Deny statement I started questioning my approach.

jtyers commented 2 years ago

Shameless plug, but if you're trying to create safe read-only policies you may want to look at my library aws-iam-utils which uses policyuniverse under the hood. It builds policies from the ground up based on access level (read, list etc) and where specified tries to use wildcards in the result to keep policies short.

It doesn't do removal of specific actions, to cater to your requirement around risky ones, but if needed I can see how that could be implemented with not much code. I suggest you raise an issue in that repo if that's something you need to do.

There's a CLI and YAML-driven counterpart, aws-policy-generator.