salesforce / policy_sentry

IAM Least Privilege Policy Generator
https://policy-sentry.readthedocs.io/
MIT License

Missing ARN data for 48 services #223

Closed jsmartin closed 4 years ago

jsmartin commented 4 years ago

Using the latest version (0.8.6), with no locally generated IAM database. The following code shows me that there are 42/226 services that are missing ARN info.

#!/usr/bin/env python
# List the policy_sentry service prefixes whose ARN table is empty.

from policy_sentry.querying.arns import get_raw_arns_for_service
from policy_sentry.querying.all import get_all_service_prefixes

prefixes = get_all_service_prefixes()
print(f'Total services: {len(prefixes)}')
no_arns = []
for p in prefixes:
    # Raw ARN formats for this service prefix; an empty list means no ARN data.
    output = get_raw_arns_for_service(p)
    if len(output) == 0:
        no_arns.append(p)
print(f'Services missing arn info: {len(no_arns)}')
for s in no_arns:
    print(s)

This returns:

Total services: 226
Services missing arn info: 48
account
application-autoscaling
applicationinsights
arsenal
autoscaling-plans
aws-marketplace-management
aws-portal
awsconnector
backup-storage
ce
codeguru
comprehendmedical
compute-optimizer
datapipeline
dbqms
discovery
ec2messages
elasticache
groundtruthlabeling
importexport
inspector
iot-device-tester
iq
iq-permission
lakeformation
launchwizard
macie
mechanicalturk
mobileanalytics
opsworks-cm
pricing
purchase-orders
rds-data
resource-explorer
route53domains
sms
sms-voice
snowball
ssmmessages
sso
sso-directory
support
tag
textract
transcribe
translate
wam
workdocs

Just to do a spot-check I chose one service (elasticache), looked in policy_sentry/shared/data/iam-definition.json and could not find any ARN data for elasticache.

That data is found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html

Probably something changed with the ARN format in the docs?

kmcquade commented 4 years ago

Hey, great question. Thanks for opening.

I'm glad you pointed this out with Elasticache. It's very strange that the resources are not showing up for that service. I'll dig into this.

Regarding the other 47 services - most of these services do not support resource ARN restrictions. For example, AWS IQ's Resource Types section says that 'To allow access to AWS IQ, specify “Resource”: “*” in your policy.'

So, when the output of policy_sentry query arn-table --service iq returns nothing, that is by design - it is not supposed to return any values.

However, this should not be the case for Elasticache. I'll dig into that. In the meantime let me know if you have any other comments or questions - happy to help.
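A defender-side check for the distinction described above (an empty ARN table that is expected because the service only supports "Resource": "*", versus one that signals a stale generated database), as an added example that is not part of this thread or of policy_sentry's code. The ARN table, the docs flags and the service names are constructed sample data, with elasticache standing in for the reported gap, and `resources_for` is a hypothetical generator step, not policy_sentry's own.

```python
# Constructed sample of an ARN database, service prefix -> raw ARN formats,
# shaped like what get_raw_arns_for_service returns (assumption).
ARN_DB = {
    "s3": ["arn:${Partition}:s3:::${BucketName}",
           "arn:${Partition}:s3:::${BucketName}/${ObjectName}"],
    "elasticache": [],   # the gap in the issue: docs list ARNs, database has none
    "iq": [],            # by design: the docs say to specify "Resource": "*"
    "pricing": [],
}

# Constructed: does the service's IAM docs page list any resource types?
# In a real check this flag would come from parsing the Resource Types table.
DOCS_LIST_RESOURCE_TYPES = {"s3": True, "elasticache": True,
                            "iq": False, "pricing": False}


def classify_missing_arns(arn_db, docs_list_resource_types):
    """Map every service with an empty ARN list to a reason: 'wildcard-only'
    when the docs define no resource types (empty is expected), or
    'stale-database' when the docs do define them (the database lost data)."""
    reasons = {}
    for service, arns in sorted(arn_db.items()):
        if arns:
            continue
        has_types = docs_list_resource_types.get(service, False)
        reasons[service] = "stale-database" if has_types else "wildcard-only"
    return reasons


def resources_for(service, arn_db, docs_list_resource_types):
    """Resource list a least-privilege generator would emit for `service`
    (hypothetical step). Refuses to widen to "*" when the empty ARN list is
    a database gap rather than a wildcard-only service, so stale data cannot
    silently produce an over-broad policy."""
    arns = arn_db.get(service, [])
    if arns:
        return list(arns)
    if docs_list_resource_types.get(service, False):
        raise ValueError(f"{service}: docs list resource types but the ARN database is empty")
    return ["*"]


if __name__ == "__main__":
    for service, reason in classify_missing_arns(ARN_DB, DOCS_LIST_RESOURCE_TYPES).items():
        print(f"{service}: {reason}")
```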

jsmartin commented 4 years ago

Thanks for the quick response. Crazy that the only one I looked at in detail is the one that actually is a bug. For the other 47, is it possible to know whether it is because the doc parser parsed the fact that the docs say 'specify “Resource”: “*” in your policy.' vs some other reason? Maybe you already cover this in your doc parser (haven't reviewed it).

kmcquade commented 4 years ago

Yeah that is pretty crazy lol. So, just to be sure - I manually went to each of the pages for those other 47 services and confirmed that the data is being collected properly. Those other 47 all require the use of * to access the service so we are good there.

So, I think this happened due to a few factors:

  1. The Amazon docs did not contain ElastiCache ARN information at the time of the last release. See how the updates to the Elasticache resource ARN table were brand new between version 0.8.5 and 0.8.6. https://github.com/salesforce/policy_sentry/blame/master/policy_sentry/shared/data/docs/list_amazonelasticache.html#L2359

  2. We have a monthly GitHub action that updates the IAM Database. For whatever reason, the monthly IAM update script updated the HTML docs but did not update the IAM definition with those resources.

  3. It probably did not help that we had some issues that @L-E-iT highlighted about how the IAM database was not pointing to the local database json when it existed on the disk, in #220.

I am taking this action: