-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(iam): add new check iam_policy_cloudshell_admin_not_attached
#5437
base: master
Are you sure you want to change the base?
feat(iam): add new check iam_policy_cloudshell_admin_not_attached
#5437
Conversation
…ith a method to describe every user,group and role that use cloudshell policy and test for the method
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5437 +/- ##
==========================================
+ Coverage 89.21% 89.34% +0.12%
==========================================
Files 1044 1054 +10
Lines 32225 32686 +461
==========================================
+ Hits 28750 29203 +453
- Misses 3475 3483 +8 ☔ View full report in Codecov by Sentry. |
iam_cloudshell_admin_policy_not_attached
iam_policy_cloudshell_admin_not_attached
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:aws:iam::{account-id}:{resource-type}/{resource-id}", | ||
"Severity": "medium", | ||
"ResourceType": "AwsIamRole, AwsIamUser, AwsIamGroup", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"ResourceType": "AwsIamRole, AwsIamUser, AwsIamGroup", | |
"ResourceType": "AwsIamPolicy", |
def _list_entities_for_policy(self, policy_arn): | ||
logger.info("IAM - List Entities Role For Policy...") | ||
try: | ||
entities = [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, make entities
a dictionary with keys as User, Group, Role with a list for each entity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we can show in the status extended the type of entities too.
Context
Add a new check to ensure IAM identities (users, roles, or groups) don't have the AWS managed policy
AWSCloudShellFullAccess
attached. The control fails if this policy is present.AWSCloudShellFullAccess
provides full access to AWS CloudShell, including file upload/download capabilities and sudo permissions, which can pose security risks. Adhere to the principle of least privilege and avoid attaching this broad policy.Description
Added new check
iam_cloudshell_admin_policy_not_attached
with respective unit tests. Added new attributeentities_attached_to_cloudshell_policy
with method_list_entities_for_policy
and a test for the method.Checklist
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.