Skip to content
This repository has been archived by the owner on Aug 4, 2023. It is now read-only.

ScaleSec/parliament_role_runner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

parliament_role_runner

See the blog post for more info.

By default, Parliament CLI will only analyze a single policy document at a time. This is a wrapper script to run Parliament on an IAM role to lint and analyze all of it's attached policies for misconfigurations.

Usage:

Create your virtual environment and install requirements:

python3 -m venv my_venv
source my_venv/bin/activate
pip3 install -U git+https://github.com/ScaleSec/parliament_role_runner.git

Run with:

analyze_role --rolename <rolename> --profile <profile>

Output Example

Given a policy on the role:

{
    "Statement": [
        {
            "Sid": "ElasticComputeCloudFull",
            "Action": [
                "ec2:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "RDSFull",
            "Action": [
                "rds:ModifyDBInstance"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "S3Full",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::myprivatebucket"
            ]
        }
    ],
    "Version": "2012-10-17"
}

When this script is run against the role, then it will output findings for Action Wildcard, Resource Star, and Resource Mismatch:

[
  {
    "issue": "Action_Wildcard",
    "title": "",
    "severity": "",
    "description": "",
    "detail": "",
    "location": {
      "action": "ec2:*",
      "filepath": null
    },
    "policy_name": "arn:aws:iam::954013203577:policy/test-policy"
  },
  {
    "issue": "RESOURCE_STAR",
    "title": "",
    "severity": "",
    "description": "",
    "detail": null,
    "location": {
      "actions": [
        "ec2:*"
      ],
      "filepath": null
    },
    "policy_name": "arn:aws:iam::123456789012:policy/test-policy"
  },
  {
    "issue": "RESOURCE_STAR",
    "title": "",
    "severity": "",
    "description": "",
    "detail": null,
    "location": {
      "actions": [
        "rds:ModifyDBInstance"
      ],
      "filepath": null
    },
    "policy_name": "arn:aws:iam::123456789012:policy/test-policy"
  },
  {
    "issue": "RESOURCE_MISMATCH",
    "title": "",
    "severity": "",
    "description": "",
    "detail": [
      {
        "action": "s3:GetObject",
        "required_format": "arn:*:s3:::*/*"
      }
    ],
    "location": {
      "actions": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "filepath": null
    },
    "policy_name": "arn:aws:iam::123456789012:policy/test-policy"
  }
]

Custom Checks

Action_Wildcard checks for actions which have wildcards in them.

About

No description, website, or topics provided.

Resources

Readme

License

View license
Activity
Custom properties

Stars

1 star

Watchers

13 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages