in Policy, salesforce

salesforce / policy_sentry, Hacker News

1.8k Views

salesforce / policy_sentry, Hacker News


                    

        

IAM Least Privilege Policy Generator, auditor, and analysis database.

Wiki

For walkthroughs and full documentation, please visit thewiki.

Overview

Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Many Infrastructure as Code developers have experienced something like this:

  • Determined to make your best effort to give users and roles the least amount of privilege you need to perform your duties, you spend way too much time combing through the AWS IAM Documentation onActions, Resources, and Condition Keys for AWS Services.
  • Your team lead encourages you to build security into your IAM Policies for product quality, but eventually you get frustrated due to project deadlines.
  • You don’t have an embedded security person on your team who can write those IAM policies for you, and there’s no automated tool that will automagically sense the AWS API calls that you perform and then write them for you in a least-privilege manner.
  • After fantasizing about that level of automation, you realize that writing least privilege IAM Policies, seemingly out of charity, will jeopardize your ability to finish your code in time to meet project deadlines.
  • You use Managed Policies (because hey, why not) or you eyeball the names of the API calls and use wildcards instead so you can move on with your life.

Such a process is not ideal for security or for Infrastructure as Code developers. We need to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies. That’s why I made this tool.

Quickstart

  • policy_sentryis available via pip. To install, run:
pip install --user policy_sentry
  • Policy Writing cheat sheet
#Initialize the policy_sentry config folder and create the IAM database tables.policy_sentry initialize#Create a template file for use in the write-policy command (crud mode)policy_sentry create-template --name myRole --output-file tmp.yml --template-type crud#Write policy based on resource-specific access levelspolicy_sentry write-policy --crud --file examples / crud.yml#Write policy_sentry YML files based on resource-specific access levels on a directory basispolicy_sentry write-policy-dir --crud --input-dir examples / input-dir --output-dir examples / output-dir#Create a template file for use in the write-policy command (actions mode)policy_sentry create-template --name myRole --output-file tmp.yml --template-type actions#Write policy based on a list of actionspolicy_sentry write-policy --file examples / actions.yml
  • Policy Analysis Cheat Sheet
#Initialize the policy_sentry config folder and create the IAM database tables.policy_sentry initialize#Analyze a policy FILE to determine actions with "Permissions Management "access levelspolicy_sentry analyze-iam-policy --from-access-level permissions-management --file examples / analyze / wildcards.json#Download customer managed IAM policies from a live account under ' default 'profile. By default, it looks for policies that are 1. in use and 2. customer managedpolicy_sentry download-policies#this will download to ~ /. policy_sentry / accountid / customer-managed / .json#Download customer-managed IAM policies, including those that are not attachedpolicy_sentry download-policies --include-unattached#this will download to ~ / .policy_sentry / accountid / customer-managed / .json#Analyze a DIRECTORY of policy filespolicy_sentry analyze-iam-policy --show~/ .policy_sentry / 123456789012 / customer-managed#Analyze a policy FILE to identify higher-risk IAM callspolicy_sentry analyze-iam-policy --file examples / analyze / wildcards.json#Analyze a policy against a custom file containing a list of IAM actionspolicy_sentry analyze-iam-policy --file examples / analyze / wildcards.json --from-audit-file~/. policy_sentry / audit / privilege-escalation.txt

Commands

Usage

  • initialize: Create a SQLite database that contains all of the services available through theActions, Resources, and Condition Keys documentation. See thedocumentation.

  • create-template: Creates the YML file templates for use in thewrite-policycommand types.

  • write-policy: Leverage a YAML file to write policies for you

    • Option 1: Specify CRUD levels (Read, Write, List, Tagging, or Permissions management) and the ARN of the resource. It will write this for you. See thedocumentation
    • Option 2: Specify a list of actions. It will write the IAM Policy for you, but you will have to fill in the ARNs. See thedocumentation.

  • write-policy-dir: This can be helpful in the Terraform use case. For more information, see the wiki.

  • download-policies: Download IAM policies from your AWS account for analysis.

  • analyze-iam-policy: Analyze an IAM policy read from a JSON file, expands the wildcards (likeS3: List *if necessary.

    • Option 1: Audits them to see if certain IAM actions are permitted , based on actions in a separate text file. See thedocumentation.
    • Option 2: Audits them to see if any of the actions in the policy meet a certain access level, such as “Permissions management.”

Updating the AWS HTML files

Run the following:

./utils / grab-docs.sh#Or:./utils/download-docs.sh

References

  

Brave Browser
Read More
Payeer

What do you think?

0 Points
Upvote Downvote

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Twitter says it will restrict users from retweeting world leaders who break its rules, Hacker News

Twitter says it will restrict users from retweeting world leaders who break its rules, Hacker News
On the road with Audi’s new Q5 and A8 TFSI e plug-in hybrids, Ars Technica

On the road with Audi’s new Q5 and A8 TFSI e plug-in hybrids, Ars Technica