Merge pull request #12 from StyraInc/dynamic-policy-composition
Dynamic policy composition
Showing
21 changed files
with
438 additions
and
299 deletions.
@@ -0,0 +1,20 @@ | ||
# METADATA | ||
# description: | | ||
# Optional authorization policy to use for protecting the OPA REST API if | ||
# exposed on a public endpoint. | ||
# related_resources: | ||
# - description: OPA documentation on authentication and authorization | ||
# ref: https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization | ||
# | ||
package system.authz | ||
|
||
default allow = false | ||
|
||
# METADATA | ||
# description: | | ||
# See the README.md file contained in this repo for how to configure an AWS Secret to | ||
# use as a token for client connections. | ||
# | ||
allow { | ||
input.identity == "changeme" | ||
} |
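Review bot: The allow rule at the end of the hunk compares `input.identity` against the literal `"changeme"`, so an OPA instance that loads this file unchanged on a public endpoint accepts any client presenting that placeholder as its token. The METADATA comment defers to README.md, but nothing in the policy itself marks the literal as a value that must be replaced before deployment. Suggest a comment directly above the rule, `# PLACEHOLDER: replace "changeme" with the token provisioned per README.md before exposing the API`, and consider having the rule read the expected value from `data` (populated from the secret at load time) rather than from policy text, so the policy file carries no credential. The fail-closed `default allow = false` is right; this note concerns only the placeholder.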
@@ -0,0 +1,5 @@ | ||
# METADATA | ||
# scope: subpackages | ||
# organizations: | ||
# - Styra | ||
package aws |
@@ -0,0 +1,15 @@ | ||
package aws.ec2.securitygroup | ||
|
||
import future.keywords | ||
|
||
deny[msg] { | ||
input.resource.properties.SecurityGroupIngress[0].CidrIp == "0.0.0.0/0" | ||
|
||
msg := sprintf("Security Group cannot contain rules allow all destinations (0.0.0.0/0 or ::/0): %s", [input.resource.id]) | ||
} | ||
|
||
deny[msg] { | ||
input.resource.properties.SecurityGroupIngress[0].CidrIpv6 == "::/0" | ||
|
||
msg := sprintf("Security Group cannot contain rules allow all destinations (0.0.0.0/0 or ::/0): %s", [input.resource.id]) | ||
} |
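Review bot: Both deny rules index `SecurityGroupIngress[0]`, so only the first ingress entry is examined; a group whose open `0.0.0.0/0` or `::/0` entry sits at any later index is not denied. Iterate the list instead: replace the first rule's condition with `some rule in input.resource.properties.SecurityGroupIngress` followed by `rule.CidrIp == "0.0.0.0/0"`, and mirror that for `CidrIpv6` in the second rule (`future.keywords` is already imported, so `in` is available). Because `deny` is a set, a group with several open entries still yields the one message, which is fine. The message text `rules allow all destinations` also reads as a slip for `rules allowing all`, and since these are ingress rules the word intended is probably `sources`.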
28 changes: 9 additions & 19 deletions
28
...y-group-open-ingress/opa/test_policy.rego → ...2/security_group/security_group_test.rego
@@ -1,45 +1,35 @@ | ||
package aws.sg.open_ingress.tests | ||
package aws.ec2.securitygroup_test | ||
|
||
import future.keywords | ||
|
||
import data.aws.sg.open_ingress.deny | ||
|
||
mock_create := { | ||
"action": "CREATE", | ||
"hook": "StyraOPA::SecurityGroup::Hook", | ||
"resource": { | ||
"id": "SecurityGroup", | ||
"name": "AWS::EC2::SecurityGroup", | ||
"properties": {}, | ||
"type": "AWS::EC2::SecurityGroup" | ||
} | ||
} | ||
import data.aws.ec2.securitygroup.deny | ||
|
||
with_properties(obj) = {"resource": {"properties": obj}} | ||
import data.test_helpers.assert_empty | ||
import data.test_helpers.create_with_properties | ||
|
||
test_deny_if_security_group_allows_all_destinations { | ||
inp := object.union(mock_create, with_properties({ | ||
inp := create_with_properties("AWS::EC2::SecurityGroup", "SecurityGroup", { | ||
"SecurityGroupIngress": [ | ||
{ | ||
"CidrIp": "0.0.0.0/0", | ||
"IpProtocol": "-1" | ||
} | ||
] | ||
})) | ||
}) | ||
|
||
deny["Security Group cannot contain rules allow all destinations (0.0.0.0/0 or ::/0): SecurityGroup"] with input as inp | ||
} | ||
|
||
test_allow_if_security_group_cidr_is_set { | ||
inp := object.union(mock_create, with_properties({ | ||
inp := create_with_properties("AWS::EC2::SecurityGroup", "SecurityGroup", { | ||
"SecurityGroupIngress": [ | ||
{ | ||
"CidrIp": "10.0.0.0/16", | ||
"IpProtocol": "-1" | ||
} | ||
] | ||
})) | ||
}) | ||
|
||
count(deny) == 0 with input as inp | ||
assert_empty(deny) with input as inp | ||
} | ||
|
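Review bot: The rewritten tests still exercise only a single ingress entry and only `CidrIp`; the `CidrIpv6 == "::/0"` rule in aws.ec2.securitygroup has no test, and neither does a group whose open entry is not the first list element, which is exactly the case the policy's `[0]` indexing currently misses. Add a test passing `"SecurityGroupIngress": [{"CidrIp": "10.0.0.0/16", "IpProtocol": "-1"}, {"CidrIpv6": "::/0", "IpProtocol": "-1"}]` and expecting the deny message, so both gaps are pinned. The helpers `create_with_properties` and `assert_empty` come from data.test_helpers, which is not on this page, so their argument order is taken on trust here.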
32 changes: 10 additions & 22 deletions
32
...es/iam-principal-boundary/opa/policy.rego → policy/iam/role/role.rego
@@ -1,46 +1,34 @@ | ||
package aws.iam | ||
package aws.iam.role | ||
|
||
import future.keywords | ||
|
||
excludedPrincipalPrefixes := ["excluded", "iam-excluded", "test-excluded-user"] | ||
|
||
deny[msg] { | ||
input.action in {"CREATE", "UPDATE"} | ||
iam_resource_type | ||
not excluded_principal_name | ||
not permission_boundary_exists | ||
|
||
msg := sprintf("PermissionsBoundary is not set for %s", [input.resource.id]) | ||
} | ||
excluded_principal_name { | ||
name := input.resource.properties.UserName | ||
some prefix in excludedPrincipalPrefixes | ||
startswith(name, prefix) | ||
} | ||
excluded_principal_name { | ||
name := input.resource.properties.RoleName | ||
some prefix in excludedPrincipalPrefixes | ||
startswith(name, prefix) | ||
} | ||
permission_boundary_exists { | ||
input.resource.properties.PermissionsBoundary | ||
} | ||
|
||
deny[msg] { | ||
input.action in {"CREATE", "UPDATE"} | ||
iam_resource_type | ||
not excluded_principal_name | ||
permission_boundary_exists | ||
not valid_permission_boundary | ||
|
||
msg := sprintf("PermissionsBoundary %s is not allowed for %s", [input.resource.properties.PermissionsBoundary, input.resource.id]) | ||
} | ||
iam_resource_type { | ||
input.resource.type == "AWS::IAM::Role" | ||
|
||
excluded_principal_name { | ||
name := input.resource.properties.RoleName | ||
some prefix in excludedPrincipalPrefixes | ||
startswith(name, prefix) | ||
} | ||
iam_resource_type { | ||
input.resource.type == "AWS::IAM::User" | ||
|
||
permission_boundary_exists { | ||
input.resource.properties.PermissionsBoundary | ||
} | ||
|
||
valid_permission_boundary { | ||
input.resource.properties.PermissionsBoundary == "arn:aws:iam::555555555555:policy/s3_deny_permissions_boundary" | ||
} |
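Review bot: Both deny rules dropped the `input.action in {"CREATE", "UPDATE"}` guard together with `iam_resource_type`, so as written in this file they now fire for any action, including DELETE, on a role without a valid boundary. If the new composition layer (not shown on this page) filters by action and routes by resource type before reaching aws.iam.role, a comment above the first deny rule such as `# Action and resource-type filtering is done by the dispatching policy; this package assumes an AWS::IAM::Role CREATE/UPDATE input` would record that contract; if it does not, the guard should be reinstated. Separately, `excludedPrincipalPrefixes` and the boundary ARN `arn:aws:iam::555555555555:policy/s3_deny_permissions_boundary` are duplicated verbatim in the new aws.iam.user file further down this page, so the two lists will drift; moving both into a shared `data` document or a common package keeps the role and user policies in step.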
@@ -0,0 +1,34 @@ | ||
package aws.iam.user | ||
|
||
import future.keywords | ||
|
||
excludedPrincipalPrefixes := ["excluded", "iam-excluded", "test-excluded-user"] | ||
|
||
deny[msg] { | ||
not excluded_principal_name | ||
not permission_boundary_exists | ||
|
||
msg := sprintf("PermissionsBoundary is not set for %s", [input.resource.id]) | ||
} | ||
|
||
deny[msg] { | ||
not excluded_principal_name | ||
permission_boundary_exists | ||
not valid_permission_boundary | ||
|
||
msg := sprintf("PermissionsBoundary %s is not allowed for %s", [input.resource.properties.PermissionsBoundary, input.resource.id]) | ||
} | ||
|
||
excluded_principal_name { | ||
name := input.resource.properties.UserName | ||
some prefix in excludedPrincipalPrefixes | ||
startswith(name, prefix) | ||
} | ||
|
||
permission_boundary_exists { | ||
input.resource.properties.PermissionsBoundary | ||
} | ||
|
||
valid_permission_boundary { | ||
input.resource.properties.PermissionsBoundary == "arn:aws:iam::555555555555:policy/s3_deny_permissions_boundary" | ||
} |
@@ -0,0 +1,54 @@ | ||
package aws.iam.user_test | ||
|
||
import future.keywords | ||
|
||
import data.aws.iam.user.deny | ||
|
||
import data.test_helpers.assert_empty | ||
import data.test_helpers.create_with_properties | ||
import data.test_helpers.with_properties | ||
|
||
mock_create := create_with_properties("AWS::IAM::User", "IAMUserTest", { | ||
"AssumeRolePolicyDocument": { | ||
"Version": "2012-10-17", | ||
"Statement": [{ | ||
"Action": "sts:AssumeRole", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "codepipeline.amazonaws.com" | ||
} | ||
}] | ||
} | ||
}) | ||
|
||
test_deny_auto_generated_name_not_excluded { | ||
inp := object.union(mock_create, with_properties({ | ||
"RoleName": "iam-not-excluded-cfn-hooks-cfn-stack-1-fail-046693375555", | ||
"PermissionsBoundary": "arn:aws:iam::555555555555:policy/invalid_s3_deny_permissions_boundary" | ||
})) | ||
|
||
deny["PermissionsBoundary arn:aws:iam::555555555555:policy/invalid_s3_deny_permissions_boundary is not allowed for IAMUserTest"] with input as inp | ||
} | ||
|
||
test_deny_permission_boundary_not_set { | ||
inp := mock_create | ||
|
||
deny["PermissionsBoundary is not set for IAMUserTest"] with input as inp | ||
} | ||
|
||
test_allow_permission_boundary_included { | ||
inp := object.union(mock_create, with_properties({ | ||
"RoleName": "cfn-hooks-pass-046693375555", | ||
"PermissionsBoundary": "arn:aws:iam::555555555555:policy/s3_deny_permissions_boundary" | ||
})) | ||
|
||
assert_empty(deny) with input as inp | ||
} | ||
|
||
test_allow_user_name_excluded { | ||
inp := object.union(mock_create, with_properties({ | ||
"UserName": "excluded-cfn-hooks-stack1-046693375555" | ||
})) | ||
|
||
assert_empty(deny) with input as inp | ||
} |
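Review bot: test_deny_auto_generated_name_not_excluded and test_allow_permission_boundary_included set `RoleName`, but aws.iam.user's `excluded_principal_name` only reads `input.resource.properties.UserName`, so those values are never consulted and look carried over from the role tests; the `AssumeRolePolicyDocument` in `mock_create` appears to be a role property as well. Change `"RoleName": "iam-not-excluded-cfn-hooks-cfn-stack-1-fail-046693375555"` to `"UserName": "iam-not-excluded-cfn-hooks-cfn-stack-1-fail-046693375555"` (and likewise on the pass case) so the first test actually shows that a non-excluded user name with an invalid boundary is denied. A test combining an excluded `UserName` with an invalid `PermissionsBoundary` would also confirm the exclusion short-circuits both deny rules.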