Merge pull request #38 from kmcquade/feat/add-principal-attachments-t…

…o-managed-policies-info Fix bug in Principals tab with risk count. Added "Attached to Principals" dropdown card.
salesforce · May 13, 2020 · 4019fbb · 4019fbb
2 parents eaa13b0 + f248343
commit 4019fbb
Show file tree

Hide file tree

Showing 9 changed files with 595 additions and 59 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@
 ## Unreleased
 * Docker
 
+## 0.1.1 (2020-05-12)
+* Bug fix: issue where "Data Exfiltration" count was showing up in the "Resource Exposure" count column in the IAM Principals tab
+* Added "Attached to Principals" dropdown card for Customer-Managed and AWS-Managed Policies
+
 ## 0.1.0 (2020-05-11)
 * Granular exclusions: Fixed issue where exclusions file was including dangling policies in the results (Fixes #33)
 * Changed IAM Principals table so that the principals can be sorted according to their risks. This will really help with pentesting

diff --git a/cloudsplaining/bin/cli.py b/cloudsplaining/bin/cli.py
@@ -7,7 +7,7 @@
 """
     Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
 """
-__version__ = "0.1.0"
+__version__ = "0.1.1"
 import click
 from cloudsplaining import command
 

diff --git a/cloudsplaining/command/scan.py b/cloudsplaining/command/scan.py
@@ -132,22 +132,36 @@ def scan_account_authorization_file(
         )
 
     principal_policy_mapping = authorization_details.principal_policy_mapping
+    # For the IAM Principals tab, add on risk stats per principal
     for principal_policy_entry in principal_policy_mapping:
-        for finding_result in results:
-            if (
-                principal_policy_entry.get("PolicyName").lower()
-                == finding_result.get("PolicyName").lower()
-            ):
-                principal_policy_entry["Actions"] = len(finding_result["Actions"])
+        for finding in results:
+            if principal_policy_entry.get("PolicyName").lower() == finding.get("PolicyName").lower():
+                principal_policy_entry["Actions"] = len(finding["Actions"])
                 principal_policy_entry["PrivilegeEscalation"] = len(
-                    finding_result["PrivilegeEscalation"]
+                    finding["PrivilegeEscalation"]
                 )
                 principal_policy_entry["DataExfiltrationActions"] = len(
-                    finding_result["DataExfiltrationActions"]
+                    finding["DataExfiltrationActions"]
                 )
                 principal_policy_entry["PermissionsManagementActions"] = len(
-                    finding_result["PermissionsManagementActions"]
+                    finding["PermissionsManagementActions"]
                 )
+                principal_name = principal_policy_entry["Principal"]
+                # Customer Managed Policies
+                if finding.get("Type") == "Policy" and finding.get("ManagedBy") == "Customer" and principal_policy_entry.get("Type") != "Policy":
+                    if "Principals" not in finding:
+                        finding["Principals"] = [principal_name]
+                    else:
+                        if principal_name not in finding["Principals"]:
+                            finding["Principals"].append(principal_name)
+
+                # AWS Managed Policies
+                if finding.get("Type") == "Policy" and finding.get("ManagedBy") == "AWS":
+                    if "Principals" not in finding:
+                        finding["Principals"] = [principal_name]
+                    else:
+                        if principal_name not in finding["Principals"]:
+                            finding["Principals"].append(principal_name)
 
     account_name = Path(input_file).stem
 

diff --git a/cloudsplaining/output/templates/analysis/aws-managed.html b/cloudsplaining/output/templates/analysis/aws-managed.html
@@ -19,6 +19,38 @@
         </div>
       </div>
     </div>
+      {% if "Principals" in finding %}
+        <div class="card">
+      <div class="card-header">
+        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-{{ t['results'].index(finding) }}" href="#card-element-aws-doc-principals{{ t['results'].index(finding) }}">Attached to Principals</a>
+      </div>
+      <div id="card-element-aws-doc-principals{{ t['results'].index(finding) }}" class="panel-collapse collapse">
+        <div class="card-body">
+<pre><code>
+{% for principal in finding["Principals"] %}
+- {{ principal }}{% endfor %}
+</code></pre>
+        </div>
+      </div>
+    </div>
+      <!--/attached to principals-->
+      {% endif %}
+      {% if "Members" in finding %}
+      <div class="card">
+      <div class="card-header">
+        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-{{ t['results'].index(finding) }}" href="#card-element-aws-doc-group-members{{ t['results'].index(finding) }}">Group Members</a>
+      </div>
+      <div id="card-element-aws-doc-group-members{{ t['results'].index(finding) }}" class="panel-collapse collapse">
+        <div class="card-body">
+<pre><code>
+{% for user in finding["Members"] %}
+- {{ user }}{% endfor %}
+</code></pre>
+        </div>
+      </div>
+    </div>
+      <!--/group members-->
+      {% endif %}
     <div class="card">
       <div class="card-header">
         <a class="card-link" data-toggle="collapse" data-parent="#card-aws-{{ t['results'].index(finding) }}" href="#card-element-aws-action{{ t['results'].index(finding) }}">Infrastructure Modification Actions</a>

diff --git a/cloudsplaining/output/templates/analysis/customer-managed.html b/cloudsplaining/output/templates/analysis/customer-managed.html
@@ -19,6 +19,22 @@
             </div>
          </div>
       </div>
+      {% if "Principals" in finding %}
+        <div class="card">
+      <div class="card-header">
+        <a class="card-link" data-toggle="collapse" data-parent="#card-customer-{{ t['results'].index(finding) }}" href="#card-element-customer-doc-principals{{ t['results'].index(finding) }}">Attached to Principals</a>
+      </div>
+      <div id="card-element-customer-doc-principals{{ t['results'].index(finding) }}" class="panel-collapse collapse">
+        <div class="card-body">
+<pre><code>
+{% for principal in finding["Principals"] %}
+- {{ principal }}{% endfor %}
+</code></pre>
+        </div>
+      </div>
+    </div>
+      <!--/attached to principals-->
+      {% endif %}
       <div class="card">
         <div class="card-header">
           <a class="card-link" data-toggle="collapse" data-parent="#card-customer-{{ t['results'].index(finding) }}" href="#card-element-customer-action{{ t['results'].index(finding) }}">Infrastructure Modification Actions</a>

diff --git a/cloudsplaining/output/templates/summary/iam-principals.html b/cloudsplaining/output/templates/summary/iam-principals.html
@@ -40,8 +40,8 @@
       <td>{{ principal["PolicyName"] }}</td>
       <td>{{ principal["Actions"] }}</td>
       <td>{{ principal["PrivilegeEscalation"] }}</td>
-      <td>{{ principal["DataExfiltrationActions"] }}</td>
       <td>{{ principal["PermissionsManagementActions"] }}</td>
+      <td>{{ principal["DataExfiltrationActions"] }}</td>
       <td>{% if principal["GroupMembership"] %}{% if principal["GroupMembership"]|length > 0 %}{% for group in principal["GroupMembership"] %}{{ group }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}{% endif %}</td>
     </tr>
   {% endfor %}