policy_sentry
Querying Global Condition Context Keys
Based on the Amazon docs, there are 30 Global Condition Context Keys. It would be great if we had a direct way to query those.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
aws:CalledVia, aws:CalledViaFirst, aws:CalledViaLast, aws:CurrentTime, aws:EpochTime, aws:MultiFactorAuthAge, aws:MultiFactorAuthPresent, aws:PrincipalAccount, aws:PrincipalArn, aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:PrincipalTag, aws:PrincipalType, aws:referer, aws:RequestedRegion, aws:RequestTag/tag-key, aws:ResourceTag/tag-key, aws:SecureTransport, aws:SourceAccount, aws:SourceArn, aws:SourceIp, aws:SourceVpc, aws:SourceVpce, aws:TagKeys, aws:TokenIssueTime, aws:UserAgent, aws:userid, aws:username, aws:ViaAWSService, aws:VpcSourceIp
I attempted to generate that list by going through all the services and grepping for context keys that start with "aws", but came up short by about 15 of them.
#!/usr/bin/env python
from policy_sentry.querying.all import get_all_service_prefixes
from policy_sentry.querying.conditions import get_condition_keys_for_service

services = get_all_service_prefixes()
condition_keys = []
for s in services:
    # Collect the condition keys documented for each service prefix
    keys = get_condition_keys_for_service(s)
    condition_keys += keys
# De-duplicate: the same global key shows up under many services
condition_keys = set(condition_keys)
for key in condition_keys:
    # Keys in the "aws:" namespace are the global condition keys
    if key.startswith('aws:'):
        print(key)
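The procedure above (scrape every service, keep the "aws:" keys, compare by eye against the documented list) can be made measurable. The following is an added example, not code from this issue or from policy_sentry itself: it embeds the 30 documented global keys, a constructed sample of what a service-level scrape returns (not real policy_sentry output), and reports which global keys a service-only scrape would never surface. The normalisation is the part worth noting: IAM condition key names match case-insensitively, and the documented spelling of the variable suffix ("/tag-key") differs from what service pages carry ("/${TagKey}"), so a naive string diff overstates the gap. The `condition_keys_for_service` helper sketches what a per-service query could return once global keys are merged in; it is a hypothetical shape, not an existing policy_sentry API.

```python
#!/usr/bin/env python3
"""Added example (not policy_sentry's own code): reconcile the documented
AWS global condition keys with the "aws:"-prefixed keys that a service-level
scrape happens to expose. SAMPLE_SERVICE_KEYS is constructed for the demo."""

# The 30 global condition context keys as listed in the issue / AWS docs.
GLOBAL_CONDITION_KEYS = [
    "aws:CalledVia", "aws:CalledViaFirst", "aws:CalledViaLast", "aws:CurrentTime",
    "aws:EpochTime", "aws:MultiFactorAuthAge", "aws:MultiFactorAuthPresent",
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:PrincipalOrgPaths", "aws:PrincipalTag", "aws:PrincipalType", "aws:referer",
    "aws:RequestedRegion", "aws:RequestTag/tag-key", "aws:ResourceTag/tag-key",
    "aws:SecureTransport", "aws:SourceAccount", "aws:SourceArn", "aws:SourceIp",
    "aws:SourceVpc", "aws:SourceVpce", "aws:TagKeys", "aws:TokenIssueTime",
    "aws:UserAgent", "aws:userid", "aws:username", "aws:ViaAWSService",
    "aws:VpcSourceIp",
]

# Constructed sample of per-service condition keys, shaped like the output of
# a scrape of the per-service "Actions, resources, and condition keys" pages.
SAMPLE_SERVICE_KEYS = {
    "ec2": ["aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}",
            "aws:TagKeys", "ec2:Region"],
    "s3": ["aws:SourceIp", "aws:SecureTransport", "aws:SourceVpc",
           "aws:SourceVpce", "aws:PrincipalOrgID", "s3:x-amz-acl"],
    "sts": ["aws:PrincipalTag/${TagKey}", "aws:RequestTag/${TagKey}",
            "sts:ExternalId"],
}


def normalize(key: str) -> str:
    """Canonical form for comparison: condition key names are matched
    case-insensitively, and the variable part after '/' is dropped, so
    'aws:RequestTag/tag-key', 'aws:RequestTag/${TagKey}' and the docs'
    bare 'aws:PrincipalTag' all compare on the key name alone."""
    return key.split("/", 1)[0].lower()


def global_keys_seen_in_scrape(service_keys: dict) -> set:
    """Normalised 'aws:' keys that appear anywhere in the per-service data."""
    return {normalize(k) for keys in service_keys.values() for k in keys
            if k.lower().startswith("aws:")}


def missing_global_keys(service_keys: dict, global_keys=GLOBAL_CONDITION_KEYS) -> list:
    """Documented global keys that a service-only scrape does not surface."""
    seen = global_keys_seen_in_scrape(service_keys)
    return [k for k in global_keys if normalize(k) not in seen]


def condition_keys_for_service(service: str, service_keys: dict,
                               global_keys=GLOBAL_CONDITION_KEYS) -> list:
    """Hypothetical merged query result for one service: its own keys plus
    every global key, de-duplicated on the normalised name, with the
    service page's spelling kept where both sources list the same key."""
    merged = {}
    for k in service_keys.get(service, []):
        merged.setdefault(normalize(k), k)
    for k in global_keys:
        merged.setdefault(normalize(k), k)
    return sorted(merged.values(), key=str.lower)


if __name__ == "__main__":
    missing = missing_global_keys(SAMPLE_SERVICE_KEYS)
    print(f"{len(missing)} of {len(GLOBAL_CONDITION_KEYS)} global keys "
          "are absent from the sample scrape:")
    for k in missing:
        print("  ", k)
    print("\nMerged condition keys for s3:")
    for k in condition_keys_for_service("s3", SAMPLE_SERVICE_KEYS):
        print("  ", k)
```

Run against real scrape output, `missing_global_keys` gives the exact list a global-keys scraper would have to supply, and `normalize` is the comparison to reuse so that suffix spelling and case do not produce false "missing" entries.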
@jsmartin - Policy Sentry only scrapes the Actions, Resources and Condition Keys pages right now. The scraping does not pull that Global condition keys page.
Given that the write-policy function doesn't rely on Condition Keys, we actually don't use the Condition table outside of the query function. So I can't personally dedicate any time to this.
But if you did want to take this on so that global keys can be queried, feel free to do so - happy to answer any questions in the process and review a PR.
Awesome, any tips you can provide before I get started would be great (methods to re-use, where to put the files, etc). Probably something I can work on in the next couple of weeks.