policy-sentry 0.4.3

Generate locked-down AWS IAM Policies

policy_sentry

IAM Least Privilege Policy Generator, auditor, and analysis database.

Wiki

For walkthroughs and full documentation, please visit the wiki.

Overview

Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Many Infrastructure as Code developers have experienced something like this:

• Determined to make your best effort to give users and roles the least amount of privilege you need to perform your duties, you spend way too much time combing through the AWS IAM Documentation on Actions, Resources, and Condition Keys for AWS Services.
• Your team lead encourages you to build security into your IAM Policies for product quality, but eventually you get frustrated due to project deadlines.
• You don't have an embedded security person on your team who can write those IAM policies for you, and there's no automated tool that will automagically sense the AWS API calls that you perform and then write them for you in a least-privilege manner.
• After fantasizing about that level of automation, you realize that writing least privilege IAM Policies, seemingly out of charity, will jeopardize your ability to finish your code in time to meet project deadlines.
• You use Managed Policies (because hey, why not) or you eyeball the names of the API calls and use wildcards instead so you can move on with your life.

Such a process is not ideal for security or for Infrastructure as Code developers. We need to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies. That's why I made this tool.

Quickstart

• policy_sentry is available via pip. To install, run:

pip install --user policy_sentry

• Policy Writing cheat sheet

# Initialize the policy_sentry config folder and create the IAM database tables.
policy_sentry initialize

# Create a template file for use in the write-policy command (crud mode)
policy_sentry create-template --name myRole --output-file tmp.yml --template-type crud

# Write policy based on resource-specific access levels
policy_sentry write-policy --crud --file examples/crud.yml

# Write policy_sentry YML files based on resource-specific access levels on a directory basis
policy_sentry write-policy-dir --crud --input-dir examples/input-dir --output-dir examples/output-dir

# Create a template file for use in the write-policy command (actions mode)
policy_sentry create-template --name myRole --output-file tmp.yml --template-type actions

# Write policy based on a list of actions
policy_sentry write-policy --file examples/actions.yml

• Policy Analysis Cheat Sheet

# Initialize the policy_sentry config folder and create the IAM database tables.
policy_sentry initialize

# Analyze a policy FILE to determine actions with "Permissions Management" access levels
policy_sentry analyze-iam-policy --from-access-level permissions-management --file examples/analyze/wildcards.json

# Download customer managed IAM policies from a live account under 'default' profile. By default, it looks for policies that are 1. in use and 2. customer managed
policy_sentry download-policies # this will download to ~/.policy_sentry/accountid/customer-managed/.json

# Download customer-managed IAM policies, including those that are not attached
policy_sentry download-policies --include-unattached # this will download to ~/.policy_sentry/accountid/customer-managed/.json

# Analyze a DIRECTORY of policy files
policy_sentry analyze-iam-policy --show ~/.policy_sentry/123456789012/customer-managed

# Analyze a policy FILE to identify higher-risk IAM calls
policy_sentry analyze-iam-policy --file examples/analyze/wildcards.json

# Analyze a policy against a custom file containing a list of IAM actions
policy_sentry analyze-iam-policy --file examples/analyze/wildcards.json --from-audit-file ~/.policy_sentry/audit/privilege-escalation.txt

Commands

Usage

• initialize: Create a SQLite database that contains all of the services available through the Actions, Resources, and Condition Keys documentation. See the documentation.

• create-template: Creates the YML file templates for use in the write-policy command types.

• write-policy: Leverage a YAML file to write policies for you

  • Option 1: Specify CRUD levels (Read, Write, List, Tagging, or Permissions management) and the ARN of the resource. It will write this for you. See the documentation
  • Option 2: Specify a list of actions. It will write the IAM Policy for you, but you will have to fill in the ARNs. See the documentation.

• write-policy-dir: This can be helpful in the Terraform use case. For more information, see the wiki.

• download-policies: Download IAM policies from your AWS account for analysis.

• analyze-iam-policy: Analyze an IAM policy read from a JSON file, expands the wildcards (like s3:List* if necessary.

  • Option 1: Audits them to see if certain IAM actions are permitted, based on actions in a separate text file. See the documentation.
  • Option 2: Audits them to see if any of the actions in the policy meet a certain access level, such as "Permissions management."

Updating the AWS HTML files

Run the following:

./utils/grab-docs.sh
# Or:
./utils/download-docs.sh

References

• The document scraping process was inspired and borrowed from a similar ansible hacking script.
• Identity-Based vs Resource-based policies
• Actions, Resources, and Condition Keys for AWS Services