Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/plugin/iam/less restrictive iam role policies #293

Closed
wants to merge 12 commits into from
Closed

Feature/plugin/iam/less restrictive iam role policies #293

wants to merge 12 commits into from

Conversation

jchrisfarris
Copy link
Contributor

Adds options to ignore roles for SAML/IDP assumption. Adds option to ignore service:* permissions

These plugins were developed by Trek10 under contract to WarnerMedia for release back into the main CloudSploit Scanning Engine. WarnerMedia expressly authorizes their contribution.

Ryan Farina and others added 10 commits April 6, 2020 15:10
resync with forked master
c155a29
resyncing once again
f7598de
@hauboldj
Merge remote-tracking branch 'aqua/master'
7068847
@hauboldj
Merge remote-tracking branch 'aqua/master'
8940466
@mtskillman
wip; working on unit tests and need to confirm intended changes to ia…
e6fa89a 
…mRolePolicies behavior
@mtskillman
addition of config parameter to optionally change behavior of this pl…
0ef75e9 
…ugin. additionally test cases added for both existing and added functionality.
@mtskillman
revision to logic of handling the ignore service specific wildcards s…
f85d6b9 
…etting; revision of test cases associated with this setting and associated plugin
@mtskillman
correction to regex
0b5197e
@mtskillman
addition of flag to exclude those roles which involve something to do…
b8f2c36 
… with federated users
@mtskillman
correction of logic and associated test cases
9029971
@CLAassistant
Copy link

CLAassistant commented Sep 1, 2020
edited
Loading

CLA assistant check
All committers have signed the CLA.

giorod3
giorod3 requested changes Sep 3, 2020
View reviewed changes
plugins/aws/iam/iamRolePolicies.js
Comment on lines +6 to +16
function hasFederatedUserRole(policyDocument) {
// true iff every statement refers to federated user access
let statement;
for (statement of policyDocument.Statement) {
if (statement.Action !== 'sts:AssumeRoleWithSAML' && statement.Action !== 'sts:AssumeRoleWithWebIdentity'){
return false;
}
}
return true;
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you move this function to our helpers file: https://github.com/cloudsploit/scans/blob/master/helpers/aws/functions.js
and just import the file like this: var helpers = require('../../../helpers/aws');

@AkhtarAmir
Copy link
Contributor

Added separate PR for this, can be closed

@giorod3 giorod3 closed this Mar 29, 2021
@snyk-bot snyk-bot mentioned this pull request Jun 4, 2023
Open
@ekmixon ekmixon mentioned this pull request Jun 11, 2023
Open
@ekmixon ekmixon mentioned this pull request Jul 8, 2023
Open
@ekmixon ekmixon mentioned this pull request Aug 2, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@giorod3 giorod3 giorod3 requested changes

Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jchrisfarris @CLAassistant @AkhtarAmir @giorod3 @hauboldj @mtskillman