
Querying Global Condition Context Keys #243

Open
jsmartin opened this issue Oct 2, 2020 · 2 comments


jsmartin commented Oct 2, 2020

Based on the Amazon docs, there are 30 Global Condition Context Keys. It would be great if we had a direct way to query those.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

aws:CalledVia
aws:CalledViaFirst
aws:CalledViaLast
aws:CurrentTime
aws:EpochTime
aws:MultiFactorAuthAge
aws:MultiFactorAuthPresent
aws:PrincipalAccount
aws:PrincipalArn
aws:PrincipalOrgID
aws:PrincipalOrgPaths
aws:PrincipalTag
aws:PrincipalType
aws:referer
aws:RequestedRegion
aws:RequestTag/tag-key
aws:ResourceTag/tag-key
aws:SecureTransport
aws:SourceAccount
aws:SourceArn
aws:SourceIp
aws:SourceVpc
aws:SourceVpce
aws:TagKeys
aws:TokenIssueTime
aws:UserAgent
aws:userid
aws:username
aws:ViaAWSService
aws:VpcSourceIp

I attempted to generate that list by going through all the services and grepping for context keys that start with "aws", but came up short by about 15 of them.

#!/usr/bin/env python
# Collect the condition keys of every service and keep only the aws: namespace.
from policy_sentry.querying.all import get_all_service_prefixes
from policy_sentry.querying.conditions import get_condition_keys_for_service

services = get_all_service_prefixes()

condition_keys = []

for s in services:
    keys = get_condition_keys_for_service(s)
    condition_keys += keys

# Deduplicate: the same global key is listed by many services.
condition_keys = set(condition_keys)

for key in sorted(condition_keys):
    if key.startswith('aws:'):
        print(key)
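As an added example (not code from the issue or from policy_sentry), the check below compares the documented global keys against a scraped set of per-service keys, normalising case and the ${TagKey} versus tag-key suffix before matching; the scraped set is a constructed sample, and the assumption that most global keys are never listed on a service page is labelled in the code.

```python
# Added example (not from the issue or policy_sentry): compare the documented
# global keys against a scraped set, normalising the tag-key suffix and case.
DOCUMENTED_GLOBAL_KEYS = """
aws:CalledVia aws:CalledViaFirst aws:CalledViaLast aws:CurrentTime aws:EpochTime
aws:MultiFactorAuthAge aws:MultiFactorAuthPresent aws:PrincipalAccount aws:PrincipalArn
aws:PrincipalOrgID aws:PrincipalOrgPaths aws:PrincipalTag aws:PrincipalType aws:referer
aws:RequestedRegion aws:RequestTag/tag-key aws:ResourceTag/tag-key aws:SecureTransport
aws:SourceAccount aws:SourceArn aws:SourceIp aws:SourceVpc aws:SourceVpce aws:TagKeys
aws:TokenIssueTime aws:UserAgent aws:userid aws:username aws:ViaAWSService aws:VpcSourceIp
""".split()

# Constructed sample of what the per-service scrape in the issue yields
# (assumption: service pages spell tag keys as aws:RequestTag/${TagKey}, and
# most global keys never appear on any service page). Not real policy_sentry output.
SCRAPED_SERVICE_KEYS = {
    "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys",
    "aws:PrincipalTag/${TagKey}", "aws:SourceArn", "aws:SourceAccount",
    "aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce", "aws:RequestedRegion",
    "s3:x-amz-acl", "ec2:Region",
}


def normalize(key):
    """Lower-case and drop the per-tag suffix so that aws:RequestTag/${TagKey}
    and aws:RequestTag/tag-key compare equal (condition key names are case-insensitive)."""
    return key.split("/", 1)[0].lower()


def global_key_coverage(documented, scraped):
    """Return (found, missing): the documented global keys that the scraped set
    does or does not contain, matched on the normalised form."""
    scraped_norm = {normalize(k) for k in scraped if k.lower().startswith("aws:")}
    found, missing = [], []
    for key in documented:
        (found if normalize(key) in scraped_norm else missing).append(key)
    return found, missing


if __name__ == "__main__":
    found, missing = global_key_coverage(DOCUMENTED_GLOBAL_KEYS, SCRAPED_SERVICE_KEYS)
    print(f"{len(found)} of {len(DOCUMENTED_GLOBAL_KEYS)} global keys seen on service pages")
    print("never listed on a service page:", ", ".join(missing))
```

The keys that stay in the missing list, such as aws:MultiFactorAuthPresent and aws:SecureTransport, are the ones a scrape of the service pages alone cannot surface, so a query built only from those pages silently omits the keys most often used in hardening conditions.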
kmcquade (Collaborator) commented Oct 2, 2020

@jsmartin - Policy Sentry only scrapes the Actions, Resources and Condition Keys pages right now. The scraping does not pull that Global condition keys page.

Given that the write-policy function doesn't rely on Condition Keys, we actually don't use the Condition table outside of the query function. So I can't personally dedicate any time to this.

But if you did want to take this on so that global keys can be queried, feel free to do so - happy to answer any questions in the process and review a PR.

jsmartin (Author) commented Oct 3, 2020

Awesome, any tips you can provide before I get started would be great (methods to re-use, where to put the files, etc). Probably something I can work on in the next couple of weeks.
