
Security News
New Website “Is It Really FOSS?” Tracks Transparency in Open Source Distribution Models
A new site reviews software projects to reveal if they’re truly FOSS, making complex licensing and distribution models easy to understand.
Parse and Process AWS IAM Policies, Statements, ARNs, and wildcards.
This package provides classes to parse AWS IAM and Resource Policies.
Additionally, this package can expand wildcards in AWS Policies using permissions obtained from the AWS Policy Generator.
See the Service and Permissions data.
This package can also minify an AWS policy to help you stay under policy size limits. Avoid doing this if possible, as it creates ugly policies. 💩
pip install policyuniverse
from policyuniverse.arn import ARN
arn = ARN('arn:aws:iam::012345678910:role/SomeTestRoleForTesting')
assert arn.error == False
assert arn.tech == 'iam'
assert arn.region == '' # IAM is universal/global
assert arn.account_number == '012345678910'
assert arn.name == 'role/SomeTestRoleForTesting'
assert arn.partition == 'aws'
assert arn.root == False # Not the root ARN
assert arn.service == False # Not an AWS service like lambda.amazonaws.com
arn = ARN('012345678910')
assert arn.account_number == '012345678910'
arn = ARN('lambda.amazonaws.com')
assert arn.service == True
assert arn.tech == 'lambda'
# Two statements, both with conditions
policy05 = dict(
Version='2010-08-14',
Statement=[
dict(
Effect='Allow',
Principal='arn:aws:iam::012345678910:root',
Action=['s3:*'],
Resource='*',
Condition={
'IpAddress': {
'AWS:SourceIP': ['0.0.0.0/0']
}}),
dict(
Effect='Allow',
Principal='arn:aws:iam::*:role/Hello',
Action=['ec2:*'],
Resource='*',
Condition={
'StringLike': {
'AWS:SourceOwner': '012345678910'
}})
])
from policyuniverse.policy import Policy
from policyuniverse.statement import ConditionTuple, PrincipalTuple
policy = Policy(policy05)
assert policy.whos_allowed() == set([
PrincipalTuple(category='principal', value='arn:aws:iam::*:role/Hello'),
PrincipalTuple(category='principal', value='arn:aws:iam::012345678910:root'),
ConditionTuple(category='cidr', value='0.0.0.0/0'),
ConditionTuple(category='account', value='012345678910')
])
# The given policy is not internet accessible.
# The first statement is limited by the principal, and the condition is basically a no-op.
# The second statement has a wildcard principal, but uses the condition to lock it down.
assert policy.is_internet_accessible() == False
# An internet accessible policy:
policy01 = dict(
Version='2012-10-08',
Statement=dict(
Effect='Allow',
Principal='*',
Action=['rds:*'],
Resource='*',
Condition={
'IpAddress': {
'AWS:SourceIP': ['0.0.0.0/0']
}
}))
policy = Policy(policy01)
assert policy.is_internet_accessible() == True
assert policy.internet_accessible_actions() == set(['rds:*'])
A policy is simply a collection of statements.
statement12 = dict(
Effect='Allow',
Principal='*',
Action=['rds:*'],
Resource='*',
Condition={
'StringEquals': {
'AWS:SourceVPC': 'vpc-111111',
'AWS:Sourcevpce': 'vpce-111111',
'AWS:SourceOwner': '012345678910',
'AWS:SourceAccount': '012345678910'
},
'StringLike': {
'AWS:userid': 'AROAI1111111111111111:*'
},
'ARNLike': {
'AWS:SourceArn': 'arn:aws:iam::012345678910:role/Admin'
},
'IpAddressIfExists': {
'AWS:SourceIP': [
'123.45.67.89',
'10.0.7.0/24',
'172.16.0.0/16']
}
})
from policyuniverse.statement import Statement
from policyuniverse.statement import ConditionTuple, PrincipalTuple
statement = Statement(statement12)
assert statement.effect == 'Allow'
assert statement.actions == set(['rds:*'])
# rds:* expands out to ~88 individual permissions
assert len(statement.actions_expanded) == 88
assert statement.uses_not_principal() == False
assert statement.principals == set(['*'])
assert statement.condition_arns == set(['arn:aws:iam::012345678910:role/Admin'])
assert statement.condition_accounts == set(['012345678910'])
assert statement.condition_userids == set(['AROAI1111111111111111:*'])
assert statement.condition_cidrs == set(['10.0.7.0/24', '172.16.0.0/16', '123.45.67.89'])
assert statement.condition_vpcs == set(['vpc-111111'])
assert statement.condition_vpces == set(['vpce-111111'])
assert statement.is_internet_accessible() == False
assert statement.whos_allowed() == set([
PrincipalTuple(category='principal', value='*'),
ConditionTuple(category='cidr', value='123.45.67.89'),
ConditionTuple(category='account', value='012345678910'),
ConditionTuple(category='userid', value='AROAI1111111111111111:*'),
ConditionTuple(category='vpc', value='vpc-111111'),
ConditionTuple(category='arn', value='arn:aws:iam::012345678910:role/Admin'),
ConditionTuple(category='cidr', value='172.16.0.0/16'),
ConditionTuple(category='vpce', value='vpce-111111'),
ConditionTuple(category='cidr', value='10.0.7.0/24')])
policy = {
"Statement": [{
"Action": ["s3:put*", "sqs:get*", "sns:*"],
"Resource": "*",
"Effect": "Allow"
}]
}
from policyuniverse.policy import Policy
p = Policy(policy)
for k, v in p.action_summary().items():
print(k,v)
>>> ('s3', set([u'Write', u'Permissions', u'Tagging']))
>>> ('sqs', set([u'List']))
>>> ('sns', set([u'List', u'Read', u'Write', u'Permissions']))
Possible categories are Permissions
, Write
, Read
, Tagging
, and List
. This data can be used to summarize statements and policies and to look for sensitive permissions.
from policyuniverse.expander_minimizer import expand_policy
from policyuniverse.expander_minimizer import minimize_policy
policy = {
"Statement": [{
"Action": ["swf:res*"],
"Resource": "*",
"Effect": "Allow"
}]
}
expanded_policy = expand_policy(policy=policy)
>>> Start size: 131. End size: 286
print(expanded_policy == {
"Statement": [{
"Action": [
"swf:respondactivitytaskcanceled",
"swf:respondactivitytaskcompleted",
"swf:respondactivitytaskfailed",
"swf:responddecisiontaskcompleted"
],
"Resource": "*",
"Effect": "Allow"
}]
})
>>> True
minimized_policy = minimize_policy(policy=expanded_policy, minchars=3)
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Skipping prefix r because length of 1
>>> Skipping prefix re because length of 2
>>> Start size: 286. End size: 131
print(minimized_policy == policy)
>>> True
FAQs
Parse and Process AWS IAM Policies, Statements, ARNs, and wildcards.
We found that policyuniverse demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A new site reviews software projects to reveal if they’re truly FOSS, making complex licensing and distribution models easy to understand.
Security News
Astral unveils pyx, a Python-native package registry in beta, designed to speed installs, enhance security, and integrate deeply with uv.
Security News
The Latio podcast explores how static and runtime reachability help teams prioritize exploitable vulnerabilities and streamline AppSec workflows.