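class IAMPolicyAnalyzer:
    """
    Analyzes IAM policy JSON documents for risky configurations,
    such as wildcard permissions or overly broad resource access.

    Only ``Allow`` statements are reported: a ``Deny`` carrying ``*``
    narrows access rather than granting it. The checks are intentionally
    shallow -- wildcard actions, a literal ``*`` resource, and
    ``NotAction`` / ``NotResource`` grants -- and ignore ``Condition``,
    ``Principal`` and resource-level permission semantics, so an empty
    finding set means "none of these checks fired", not "least privilege".
    """

    # Returned when no check fires. The wording is kept for callers that
    # compare against it; see the class docstring for what it does (not) mean.
    NO_ISSUES = " Policy is secure!"

    @staticmethod
    def _as_list(value):
        """
        Normalize an IAM policy element to a list.

        IAM accepts a scalar wherever a list is allowed (``"Action": "s3:*"``
        and ``"Statement": {...}`` are both valid), so callers can iterate
        the result uniformly. ``None`` (element absent) becomes ``[]``.
        """
        if value is None:
            return []
        if isinstance(value, list):
            return value
        return [value]

    @staticmethod
    def analyze_policy(policy):
        """
        Analyze an IAM policy dictionary and return a list of security issues.

        Args:
            policy (dict): IAM policy JSON object, e.g. from ``json.loads``.

        Returns:
            list[str]: One finding per risky element, in statement order, or
            ``[" Policy is secure!"]`` when none of the checks fired. A
            statement with both a wildcard action and a ``*`` resource yields
            two findings; repeated wildcard actions yield repeated findings.
        """
        issues = []
        as_list = IAMPolicyAnalyzer._as_list

        # A single statement may be given as a bare object rather than a list.
        for statement in as_list(policy.get('Statement')):
            if not isinstance(statement, dict):
                continue
            # Wildcards in a Deny statement restrict access; only Allow grants.
            if statement.get('Effect') != "Allow":
                continue

            # Any '*' in an action name is a wildcard: '*' alone is full admin,
            # 'service:*' is every action of that service, 'iam:Pass*' is a
            # pattern. The risk is not service-specific, so every service is
            # checked and the offending action is reported verbatim.
            for action in as_list(statement.get('Action')):
                if isinstance(action, str) and "*" in action:
                    issues.append(f" Wildcard permission detected: {action}")

            # NotAction in an Allow grants every action *except* the listed
            # ones -- usually far broader than intended.
            if 'NotAction' in statement:
                issues.append(
                    " Allow statement uses NotAction "
                    "(grants every action not listed)."
                )

            # A literal '*' resource applies the granted actions everywhere.
            if "*" in as_list(statement.get('Resource')):
                issues.append(" Overly broad resource access detected ('*').")

            # NotResource in an Allow is the resource-side analogue of NotAction.
            if 'NotResource' in statement:
                issues.append(
                    " Allow statement uses NotResource "
                    "(grants access to every resource not listed)."
                )

        return issues if issues else [IAMPolicyAnalyzer.NO_ISSUES]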