IAM policy tools
Project description
policy-tools
Summary
This is a set of helper tools for working with AWS IAM policies.
Currently it programmatically determines the effect of an AWS Organizations Service Control Policy (SCP) on a given user policy, i.e. which actions the user policy grants that the SCP does not allow:
result = scp.effect_on(user_policy)
print(result.denied_actions)
Usage
Create your "All IAM actions" set
# policies-gen.json.js is the content of https://awspolicygen.s3.amazonaws.com/js/policies.js
with open('policies-gen.json.js') as file_stream:
all_actions_source_data = file_stream.read()
Create your ActionExpander utility. It simply expands glob statements (e.g. s3:*) into the full matched set of IAM actions.
policy_actions_expander = ActionExpander(PolicyGenActionsMasterList(all_actions_source_data))
Create the user policy and the service control policy
user_policy = Policy("""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSts",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "sqs:*"
            ]
        },
        {
            "Sid": "AllowEfs",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "elastictranscoder:*"
            ]
        }
    ]
}""", policy_actions_expander)  # the ActionExpander created above
scp = ServiceControlPolicy("""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Read",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "sqs:Get*",
                "sqs:List*"
            ]
        },
        {
            "Sid": "AllowElasticTranscoderRead",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "elastictranscoder:Read*",
                "elastictranscoder:List*"
            ]
        }
    ]
}""", policy_actions_expander)  # the ActionExpander created above
Determine the effect of the SCP on the user policy
result = scp.effect_on(user_policy)
print(result.denied_actions)
{ 'sqs:SetQueueAttributes',
'sqs:PurgeQueue',
'sqs:DeleteMessageBatch',
'sqs:ReceiveMessage',
'sqs:RemovePermission',
'sqs:ChangeMessageVisibilityBatch',
'sqs:SendMessageBatch',
'sqs:CreateQueue',
'sqs:TagQueue',
'sqs:AddPermission',
'sqs:UntagQueue',
'sqs:SendMessage',
'sqs:DeleteMessage',
'sqs:ChangeMessageVisibility',
'sqs:DeleteQueue',
'elastictranscoder:TestRole',
'elastictranscoder:CreatePipeline',
'elastictranscoder:DeletePipeline',
'elastictranscoder:UpdatePipelineNotifications',
'elastictranscoder:DeletePreset',
'elastictranscoder:CancelJob',
'elastictranscoder:CreateJob',
'elastictranscoder:UpdatePipelineStatus',
'elastictranscoder:CreatePreset',
'elastictranscoder:UpdatePipeline'
}
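The computation behind effect_on, as an added illustration that is not the policytools code: expand each policy's action globs against an action master list, then take the actions the user policy grants that the SCP does not also allow. The master list below is a small constructed subset standing in for policies.js, action names are assumed to match case-insensitively as IAM does, and Resource and Condition elements are ignored (the policies above use Resource "*" throughout).

```python
import fnmatch
import json

# Constructed subset of the IAM action master list (the real one is loaded from policies.js).
MASTER_ACTIONS = [
    "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues",
    "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteQueue",
    "elastictranscoder:ReadJob", "elastictranscoder:ListJobsByPipeline",
    "elastictranscoder:CreateJob", "elastictranscoder:DeletePipeline",
]


def expand_actions(patterns, master=MASTER_ACTIONS):
    """Expand IAM action globs such as 'sqs:Get*' into the concrete actions they match.
    Matching is case-insensitive (assumed to mirror IAM); '*' alone matches everything."""
    matched = set()
    for pattern in patterns:
        for action in master:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return matched


def allowed_actions(policy_json, master=MASTER_ACTIONS):
    """Concrete actions a policy grants: union of its Allow statements minus its Deny statements."""
    allow, deny = set(), set()
    for stmt in json.loads(policy_json)["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a single string rather than a list
            actions = [actions]
        target = allow if stmt["Effect"] == "Allow" else deny
        target.update(expand_actions(actions, master))
    return allow - deny


def scp_denied_actions(scp_json, user_policy_json, master=MASTER_ACTIONS):
    """Actions the user policy grants that the SCP does not permit, so the SCP blocks them."""
    return allowed_actions(user_policy_json, master) - allowed_actions(scp_json, master)


if __name__ == "__main__":
    # Constructed policies mirroring the shape of the examples above.
    user = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["sqs:*"]}]})
    scp = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["sqs:Get*", "sqs:List*"]}]})
    print(sorted(scp_denied_actions(scp, user)))
```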
Developing
Create the file ~/.pypirc (if you do not already have one):
[distutils]
index-servers =
    pypi
    pypitest

[pypi]
repository: https://upload.pypi.org/legacy/
username:
password:

[pypitest]
repository: https://test.pypi.org/legacy/
username:
password:
build
Update the version in policytools/version.txt
rm -rf dist
python setup.py bdist_wheel --universal
pypitest
twine upload --repository pypitest dist/*
pip install policytools --index-url https://test.pypi.org/simple/ --upgrade
pypi
twine upload --repository pypi dist/*
pip install policytools --upgrade
Project details
Download files
Source Distributions
Built Distribution
File details
Details for the file policytools-0.2.5-py2.py3-none-any.whl.
File metadata
- Download URL: policytools-0.2.5-py2.py3-none-any.whl
- Upload date:
- Size: 79.4 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.5
File hashes
Algorithm | Hash digest
---|---
SHA256 | d5ca556c212a0cb5908bfec38e8745cb3fb194023b6796b606797a57cf395c07
MD5 | 19cb96454df4ead83ad00c275163dcea
BLAKE2b-256 | 12fb98afb4c352f598af76a4a33fb3c56177d4046dee1e6868b8177efc05c0ca