Functions ¶
func MatchesAfterExpansion ¶ added in v1.14.0
MatchesAfterExpansion checks stringFromPolicyToCheck against stringToCheckAgainst. Source: https://github.com/nccgroup/PMapper/blob/master/principalmapper/querying/local_policy_simulation.py
Types ¶
type ListOfPrincipals ¶ added in v1.13.4
// ListOfPrincipals is a list of principal identifiers. It carries a custom
// UnmarshalJSON because the Principal lists in a trust policy may be written
// either as a JSON array of strings or as a single JSON string.
type ListOfPrincipals []string
A custom unmarshaller is necessary because the list of principals can be either an array of strings or a single string. https://stackoverflow.com/questions/65854778/parsing-arn-from-iam-policy-using-regex
func (*ListOfPrincipals) UnmarshalJSON ¶ added in v1.13.4
func (r *ListOfPrincipals) UnmarshalJSON(b []byte) error
type ListOrString ¶
// ListOrString is a string slice with a custom UnmarshalJSON. By its name and
// by analogy with ListOfPrincipals it presumably accepts either a JSON array
// of strings or a single JSON string — confirm in UnmarshalJSON.
type ListOrString []string
func (*ListOrString) UnmarshalJSON ¶
func (ls *ListOrString) UnmarshalJSON(b []byte) error
type Policy ¶
// Policy is a parsed JSON policy document. Version, Id and Statement map
// directly to the top-level keys of the document; each statement is decoded
// into a PolicyStatement.
type Policy struct {
	Version   string            `json:"Version"`
	Id        string            `json:"Id"`
	Statement []PolicyStatement `json:"Statement"`
}
func ParseJSONPolicy ¶
func (*Policy) DoesPolicyHaveMatchingStatement ¶ added in v1.14.0
func (*Policy) IsConditionallyPublic ¶
IsConditionallyPublic returns true iff there is at least one statement with principal * whose conditions do not scope access down to AWS accounts or organizations.
type PolicyStatement ¶
// PolicyStatement is one entry of Policy.Statement. The field tags mirror the
// statement keys of a JSON policy; elements that may be written as either a
// single string or an array use ListOrString.
//
// NOTE(review): there is no NotPrincipal field. A statement written with
// NotPrincipal instead of Principal therefore decodes with an empty Principal
// (the standard JSON decoder presumably used by ParseJSONPolicy ignores
// unknown keys) — confirm how IsEmpty/IsPublic callers treat such statements.
type PolicyStatement struct {
	Sid         string                   `json:"Sid,omitempty"`
	Effect      string                   `json:"Effect"`
	Principal   PolicyStatementPrincipal `json:"Principal,omitempty"`
	Action      ListOrString             `json:"Action"`
	NotAction   ListOrString             `json:"NotAction,omitempty"`
	Resource    ListOrString             `json:"Resource,omitempty"`
	NotResource ListOrString             `json:"NotResource,omitempty"`
	Condition   PolicyStatementCondition `json:"Condition,omitempty"`
}
func (*PolicyStatement) GetAllActionsAsString ¶
func (ps *PolicyStatement) GetAllActionsAsString() string
func (*PolicyStatement) GetAllPrincipalsAsString ¶
func (ps *PolicyStatement) GetAllPrincipalsAsString() string
func (*PolicyStatement) GetConditionsInEnglish ¶
func (ps *PolicyStatement) GetConditionsInEnglish(caller string) string
func (*PolicyStatement) GetResources ¶ added in v1.12.3
func (ps *PolicyStatement) GetResources() []string
GetResources returns the statement's resources as a list of strings.
func (*PolicyStatement) GetStatementSummaryInEnglish ¶
func (ps *PolicyStatement) GetStatementSummaryInEnglish(caller string) string
func (*PolicyStatement) IsAllow ¶
func (ps *PolicyStatement) IsAllow() bool
func (*PolicyStatement) IsEmpty ¶
func (ps *PolicyStatement) IsEmpty() bool
type PolicyStatementCondition ¶
// PolicyStatementCondition is the Condition element of a statement, keyed by
// condition operator, then by condition key, to the condition value(s). The
// JSON form is:
//
//	"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}
//
// See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
//
// NOTE(review): whether a bare JSON boolean or number as a condition value is
// accepted depends entirely on ListOrString.UnmarshalJSON — confirm.
type PolicyStatementCondition map[string]map[string]ListOrString
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html Conditions have the following general structure:
"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}
func (*PolicyStatementCondition) IsEmpty ¶
func (psc *PolicyStatementCondition) IsEmpty() bool
func (*PolicyStatementCondition) IsScopedOnAccountOrOrganization ¶
func (psc *PolicyStatementCondition) IsScopedOnAccountOrOrganization() bool
IsScopedOnAccountOrOrganization returns true if the policy condition ensures access only for specific AWS accounts or organizations. It may return false even if access is restricted in such a way. Such policies should be reported to the user and analyzed case by case to judge whether the conditions are sufficiently restrictive.
type PolicyStatementPrincipal ¶
// PolicyStatementPrincipal is the Principal element of a statement, which in
// JSON is either a single string (kept in S, e.g. the "*" wildcard) or an
// object (kept in O). MarshalJSON and UnmarshalJSON convert between the two
// forms; presumably only one of S and O is populated at a time — confirm in
// UnmarshalJSON.
type PolicyStatementPrincipal struct {
	S string
	O PolicyStatementPrincipalObject
}
func (*PolicyStatementPrincipal) IsEmpty ¶
func (psp *PolicyStatementPrincipal) IsEmpty() bool
func (*PolicyStatementPrincipal) IsPublic ¶
func (psp *PolicyStatementPrincipal) IsPublic() bool
func (*PolicyStatementPrincipal) MarshalJSON ¶
func (psp *PolicyStatementPrincipal) MarshalJSON() ([]byte, error)
func (*PolicyStatementPrincipal) UnmarshalJSON ¶
func (psp *PolicyStatementPrincipal) UnmarshalJSON(b []byte) error
type PolicyStatementPrincipalObject ¶
// PolicyStatementPrincipalObject is the object form of a Principal element,
// holding one list of identifiers per principal type.
type PolicyStatementPrincipalObject struct {
	AWS           ListOrString `json:"AWS,omitempty"`
	CanonicalUser ListOrString `json:"CanonicalUser,omitempty"`
	Federated     ListOrString `json:"Federated,omitempty"`
	Service       ListOrString `json:"Service,omitempty"`
}
func (*PolicyStatementPrincipalObject) GetListOfPrincipals ¶
func (pspo *PolicyStatementPrincipalObject) GetListOfPrincipals() []string
func (*PolicyStatementPrincipalObject) IsEmpty ¶
func (pspo *PolicyStatementPrincipalObject) IsEmpty() bool
func (*PolicyStatementPrincipalObject) IsPublic ¶
func (pspo *PolicyStatementPrincipalObject) IsPublic() bool
func (*PolicyStatementPrincipalObject) IsTrustedPrincipalSameAccount ¶ added in v1.12.3
func (pspo *PolicyStatementPrincipalObject) IsTrustedPrincipalSameAccount(accountID string) bool
IsTrustedPrincipalSameAccount determines whether the trusted principal belongs to the same account as the resource (accountID) or to a different account.
type RoleTrustStatementEntry ¶ added in v1.13.4
// RoleTrustStatementEntry is one statement of a role trust policy, decoded
// into a fixed shape: the Principal lists and a fixed set of condition
// operator/key pairs that identify common identity providers.
//
// NOTE(review): Action is a plain string here, whereas PolicyStatement.Action
// is a ListOrString; a trust policy whose Action is a JSON array will
// presumably fail to decode into this field — confirm against
// ParseRoleTrustPolicyDocument.
//
// NOTE(review): only the operator/key pairs listed below are captured. Any
// other condition on the statement is presumably dropped by the decoder
// (unknown keys are ignored), so a trust restricted by a key that is not
// modelled here looks unconditioned to callers — confirm that downstream
// checks account for this. The string-typed fields (StsExternalID and the
// *Aud fields) likewise cannot hold an array value.
//
// NOTE(review): the tags OidcEksSub, OidcEksAud, CircleCIAud, CircleCISub and
// the "tenant-id" segment of the Azure AD issuer URL look like placeholders
// rather than the provider-specific condition keys found in real policies
// (those embed the provider host or tenant), so these fields presumably stay
// empty in practice — confirm against sample trust policies.
//
// StringLike duplicates most of the StringEquals fields.
type RoleTrustStatementEntry struct {
	Sid       string `json:"Sid"`
	Effect    string `json:"Effect"`
	Principal struct {
		AWS       ListOfPrincipals `json:"AWS"`
		Service   ListOfPrincipals `json:"Service"`
		Federated ListOfPrincipals `json:"Federated"`
	} `json:"Principal"`
	Action    string `json:"Action"`
	Condition struct {
		StringEquals struct {
			StsExternalID                       string           `json:"sts:ExternalId"`
			SAMLAud                             string           `json:"SAML:aud"`
			TokenActionsGithubusercontentComSub ListOfPrincipals `json:"token.actions.githubusercontent.com:sub"`
			TokenActionsGithubusercontentComAud string           `json:"token.actions.githubusercontent.com:aud"`
			OidcEksSub                          ListOfPrincipals `json:"OidcEksSub"`
			OidcEksAud                          string           `json:"OidcEksAud"`
			CognitoAud                          string           `json:"cognito-identity.amazonaws.com:aud"`
			TerraformAud                        string           `json:"app.terraform.io:aud"` // Terraform Cloud specific
			TerraformSub                        ListOfPrincipals `json:"app.terraform.io:sub"` // Terraform Cloud specific
			GCPAud                              string           `json:"accounts.google.com:aud"`
			GCPSub                              ListOfPrincipals `json:"accounts.google.com:sub"`
			AzureADIss                          ListOfPrincipals `json:"http://sts.windows.net/tenant-id/iss"` // Azure AD specific
			AzureADSub                          ListOfPrincipals `json:"sub"`                                   // Common among OIDC providers
			PingClientId                        string           `json:"pingidentity.com:client_id"`
			GoogleWorkspaceAud                  string           `json:"workspace.google.com:aud"`
			GoogleWorkspaceSub                  ListOfPrincipals `json:"workspace.google.com:sub"`
			CircleCIAud                         ListOfPrincipals `json:"CircleCIAud"`
			CircleCISub                         ListOfPrincipals `json:"CircleCISub"`
		} `json:"StringEquals"`
		StringLike struct {
			TokenActionsGithubusercontentComSub ListOfPrincipals `json:"token.actions.githubusercontent.com:sub"`
			TokenActionsGithubusercontentComAud string           `json:"token.actions.githubusercontent.com:aud"`
			OidcEksSub                          ListOfPrincipals `json:"OidcEksSub"`
			OidcEksAud                          string           `json:"OidcEksAud"`
			TerraformAud                        string           `json:"app.terraform.io:aud"` // Terraform Cloud specific
			TerraformSub                        ListOfPrincipals `json:"app.terraform.io:sub"` // Terraform Cloud specific
			GCPAud                              string           `json:"accounts.google.com:aud"`
			GCPSub                              ListOfPrincipals `json:"accounts.google.com:sub"`
			AzureADIss                          ListOfPrincipals `json:"http://sts.windows.net/tenant-id/iss"` // Azure AD specific
			AzureADSub                          ListOfPrincipals `json:"sub"`                                   // Common among OIDC providers
			PingClientId                        string           `json:"pingidentity.com:client_id"`
			GoogleWorkspaceAud                  string           `json:"workspace.google.com:aud"`
			GoogleWorkspaceSub                  ListOfPrincipals `json:"workspace.google.com:sub"`
			CircleCIAud                         ListOfPrincipals `json:"CircleCIAud"`
			CircleCISub                         ListOfPrincipals `json:"CircleCISub"`
		} `json:"StringLike"`
		ForAnyValueStringLike struct {
			CognitoAMR string `json:"cognito-identity.amazonaws.com:amr"`
		} `json:"ForAnyValue:StringLike"`
	} `json:"Condition"`
}
type TrustPolicyDocument ¶ added in v1.13.4
// TrustPolicyDocument is a parsed role trust policy: its Version and the
// list of statements, each decoded into a RoleTrustStatementEntry. It is the
// result type of ParseRoleTrustPolicyDocument.
type TrustPolicyDocument struct {
	Version   string                    `json:"Version"`
	Statement []RoleTrustStatementEntry `json:"Statement"`
}
func ParseRoleTrustPolicyDocument ¶ added in v1.13.4
func ParseRoleTrustPolicyDocument(role types.Role) (TrustPolicyDocument, error)