
Querying Global Condition Context Keys #243

Open
jsmartin opened this issue Oct 2, 2020 · 2 comments

Comments


jsmartin commented Oct 2, 2020

Based on Amazon docs there are 30 Global Condition Context Keys. It would be great if we had a direct way to query those.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

aws:CalledVia
aws:CalledViaFirst
aws:CalledViaLast
aws:CurrentTime
aws:EpochTime
aws:MultiFactorAuthAge
aws:MultiFactorAuthPresent
aws:PrincipalAccount
aws:PrincipalArn
aws:PrincipalOrgID
aws:PrincipalOrgPaths
aws:PrincipalTag
aws:PrincipalType
aws:referer
aws:RequestedRegion
aws:RequestTag/tag-key
aws:ResourceTag/tag-key
aws:SecureTransport
aws:SourceAccount
aws:SourceArn
aws:SourceIp
aws:SourceVpc
aws:SourceVpce
aws:TagKeys
aws:TokenIssueTime
aws:UserAgent
aws:userid
aws:username
aws:ViaAWSService
aws:VpcSourceIp

I attempted to generate that list by going through all the services and grepping context keys that started with "aws" but came up short by about 15 of them.

#! /usr/bin/env python
# Collect every condition key policy_sentry knows for every service prefix,
# then print the ones that live in the "aws:" namespace.
from policy_sentry.querying.all import get_all_service_prefixes
from policy_sentry.querying.conditions import get_condition_keys_for_service

services = get_all_service_prefixes()

condition_keys = []
for s in services:
    condition_keys += get_condition_keys_for_service(s)

# Many services repeat the same aws:* keys, so de-duplicate before printing.
for key in sorted(set(condition_keys)):
    if key.startswith('aws:'):
        print(key)

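To measure the gap the script above reports instead of eyeballing it, here is an added example (not jsmartin's script and not policy_sentry code) that compares the 30 global keys listed in this issue against the "aws:"-prefixed keys a per-service scrape turns up. The per-service data is a constructed stand-in for what `get_condition_keys_for_service()` would return, and the comparison assumes the service tables spell the tag-key placeholder as `${TagKey}` where the global page writes `tag-key`.

```python
import re

# The 30 global condition context keys quoted in the issue.
GLOBAL_KEYS = [
    "aws:CalledVia", "aws:CalledViaFirst", "aws:CalledViaLast",
    "aws:CurrentTime", "aws:EpochTime", "aws:MultiFactorAuthAge",
    "aws:MultiFactorAuthPresent", "aws:PrincipalAccount", "aws:PrincipalArn",
    "aws:PrincipalOrgID", "aws:PrincipalOrgPaths", "aws:PrincipalTag",
    "aws:PrincipalType", "aws:referer", "aws:RequestedRegion",
    "aws:RequestTag/tag-key", "aws:ResourceTag/tag-key", "aws:SecureTransport",
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceIp", "aws:SourceVpc",
    "aws:SourceVpce", "aws:TagKeys", "aws:TokenIssueTime", "aws:UserAgent",
    "aws:userid", "aws:username", "aws:ViaAWSService", "aws:VpcSourceIp",
]

# Constructed sample standing in for per-service scrape output; the real
# values must be read from policy_sentry's database, not from this dict.
SAMPLE_SERVICE_KEYS = {
    "ec2": ["aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}",
            "aws:TagKeys", "ec2:Region"],
    "s3": ["aws:SourceIp", "aws:SecureTransport", "s3:x-amz-acl"],
    "sts": ["aws:PrincipalTag/${TagKey}", "aws:SourceIdentity"],
}


def normalize(key):
    """Fold a condition key to a comparable form: IAM matches key names
    case-insensitively, and the docs spell the tag-key placeholder two ways
    (assumed here: '/tag-key' on the global page, '/${TagKey}' per service)."""
    return re.sub(r"/(\$\{TagKey\}|tag-key)$", "", key).lower()


def global_key_coverage(service_keys, global_keys=GLOBAL_KEYS):
    """Return (missing, extra): global keys that no service table lists, and
    aws:-prefixed keys the service tables list that are not on the global list.
    'missing' keeps the global page's spelling; 'extra' is normalized."""
    seen = {normalize(k) for keys in service_keys.values()
            for k in keys if k.lower().startswith("aws:")}
    wanted = {normalize(k): k for k in global_keys}
    missing = sorted(k for n, k in wanted.items() if n not in seen)
    extra = sorted(n for n in seen if n not in wanted)
    return missing, extra


if __name__ == "__main__":
    missing, extra = global_key_coverage(SAMPLE_SERVICE_KEYS)
    print(f"{len(missing)} global keys not reachable via service tables")
    print("not on the global list:", extra)
```

With the real scrape substituted for `SAMPLE_SERVICE_KEYS`, `missing` is the exact set a global-keys query would need to add.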
Collaborator

kmcquade commented Oct 2, 2020

@jsmartin - Policy Sentry only scrapes the Actions, Resources and Condition Keys pages right now. The scraping does not pull that Global condition keys page.

Given that the write-policy function doesn't rely on Condition Keys, we actually don't use the Condition table outside of the query function. So I can't personally dedicate any time to this.

But if you did want to take this on so that global keys can be queried, feel free to do so - happy to answer any questions in the process and review a PR.

Author

jsmartin commented Oct 3, 2020

Awesome, any tips you can provide before I get started would be great (methods to re-use, where to put the files, etc). Probably something I can work on in the next couple of weeks.
