PolicyTools


Licenses
Apache-2.0/libpng-2.0
Install
pip install PolicyTools==0.1.0

Documentation

policy-tools

CircleCI

codecov

Requirements Status

Summary

This is a utility of helper tools for working with AWS IAM Policies.

Currently it programmatically determine the effect of an AWS Organizations Service Control Policy on a given user policy.

result = scp.effect_on(user_policy)
print result.denied_actions

Usage

Create your "All IAM actions" set

# policies-gen.json.js is the content of https://awspolicygen.s3.amazonaws.com/js/policies.js
with open('policies-gen.json.js') as file_stream:
    all_actions_source_data = file_stream.read()

Create your ActionExpander utility. It simply expands glob statements (e.g. s3:*) into the full matched set of IAM actions.

policy_actions_expander = ActionExpander(PolicyGenActionsMasterList(all_actions_source_data))

Create the user policy and the service control policy

user_policy = Policy("""{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSts",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sqs:*"
                ]
            },
            {
                "Sid": "AllowEfs",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "elastictranscoder:*"
                ]
            }
        ]
    }""", action_expander)
    
 scp = ServiceControlPolicy("""{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowS3Read",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Action": [
                        "sqs:Get*",
                        "sqs:List*"
                    ]
                },
                {
                    "Sid": "AllowElasticTranscoderRead",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Action": [
                        "elastictranscoder:Read*",
                        "elastictranscoder:List*"
                    ]
                }
            ]
        }""", action_expander) 

Determine the effect of the SCP on the user policy

result = scp.effect_on(user_policy)
print result.denied_actions

{  'sqs:SetQueueAttributes',
     'sqs:PurgeQueue',
     'sqs:DeleteMessageBatch',
     'sqs:ReceiveMessage',
     'sqs:RemovePermission',
     'sqs:ChangeMessageVisibilityBatch',
     'sqs:SendMessageBatch',
     'sqs:CreateQueue',
     'sqs:TagQueue',
     'sqs:AddPermission',
     'sqs:UntagQueue',
     'sqs:SendMessage',
     'sqs:DeleteMessage',
     'sqs:ChangeMessageVisibility',
     'sqs:DeleteQueue',
     'elastictranscoder:TestRole',
     'elastictranscoder:CreatePipeline',
     'elastictranscoder:DeletePipeline',
     'elastictranscoder:UpdatePipelineNotifications',
     'elastictranscoder:DeletePreset',
     'elastictranscoder:CancelJob',
     'elastictranscoder:CreateJob',
     'elastictranscoder:UpdatePipelineStatus',
     'elastictranscoder:CreatePreset',
     'elastictranscoder:UpdatePipeline'
  }
 

Developing

create file ~/.pypirc (if you do not already have)

[distutils]
index-servers =
  pypi
  pypitest

[pypi]
repository: https://upload.pypi.org/legacy/
username:
password:

[pypitest]
repository: https://test.pypi.org/legacy/
username:
password:

build

# tick to semver `version` in setup.py
rm -rf dist
python setup.py bdist_wheel --universal

pypitest

twine upload --repository pypitest dist/*
pip install policytools --index-url https://test.pypi.org/simple/ --upgrade

pypi

twine upload --repository pypi dist/*
pip install policytools --upgrade