IAM Policy Compliance Check for Overly Permissive Statements
The workflow involves identifying and flagging any customer-managed IAM policy statements that include 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'. Such statements are considered overly permissive and are marked as NON_COMPLIANT. If the policy statement does not meet these criteria, it is marked as COMPLIANT. This process ensures that IAM policies adhere to security best practices by avoiding unrestricted access permissions.
1. Identify and flag any customer managed IAM policy statement that includes 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'; if such a statement is found the rule is NON_COMPLIANT, otherwise COMPLIANT.
The script checks IAM policies for non-compliant statements and tabulates the results.
1.1 List all customer managed IAM policies in the AWS region us-east-2.
The script lists all customer managed IAM policies in the specified AWS region.

```python
import boto3
import json

# Initialize the IAM client. IAM is a global service, so region_name only
# selects the endpoint. Credentials are read with getEnvVar, which is assumed
# to be a helper provided by the runbook runtime.
iam_client = boto3.client(
    'iam',
    region_name='us-east-2',
    aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'),
    aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'),
)

# List all customer managed policies (Scope='Local'). Paginate so that
# policies beyond the first page of results are not silently skipped.
policies = []
for page in iam_client.get_paginator('list_policies').paginate(Scope='Local'):
    policies.extend(policy['PolicyName'] for policy in page['Policies'])

# Print the list of policy names
print(json.dumps(policies, indent=4))
```

1.2 For each IAM policy, retrieve and analyze the policy statements to identify any statement with 'Effect': 'Allow', 'Action': '*', and 'Resource': '*'.
The script retrieves and analyzes IAM policy statements to identify non-compliant policies with 'Effect': 'Allow', 'Action': '*', and 'Resource': '*'.

```python
import boto3
import json

# Initialize the IAM client. Credentials are read with getEnvVar, which is
# assumed to be a helper provided by the runbook runtime.
iam_client = boto3.client(
    'iam',
    region_name='us-east-2',
    aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'),
    aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'),
)


def as_list(value):
    """IAM allows 'Statement', 'Action' and 'Resource' to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_overly_permissive(statement):
    """True for an Allow statement that grants '*' actions over '*' resources.

    Comparing with == '*' alone would miss the equally permissive list forms
    such as "Action": ["*"] or "Action": ["s3:*", "*"].
    """
    return (statement.get('Effect') == 'Allow'
            and '*' in as_list(statement.get('Action'))
            and '*' in as_list(statement.get('Resource')))


# Compliance results keyed by policy name
compliance_results = {}

# Iterate over every customer managed policy (paginated)
for page in iam_client.get_paginator('list_policies').paginate(Scope='Local'):
    for policy in page['Policies']:
        policy_arn = policy['Arn']
        policy_name = policy['PolicyName']

        # The default version is the one currently in effect
        version_id = iam_client.get_policy(PolicyArn=policy_arn)['Policy']['DefaultVersionId']

        # boto3 returns the policy document already decoded into a dict
        policy_document = iam_client.get_policy_version(
            PolicyArn=policy_arn, VersionId=version_id)['PolicyVersion']['Document']

        # A single matching statement makes the whole policy NON_COMPLIANT
        non_compliant = any(is_overly_permissive(statement)
                            for statement in as_list(policy_document.get('Statement')))
        compliance_results[policy_name] = 'NON_COMPLIANT' if non_compliant else 'COMPLIANT'

# Print the compliance results
print(json.dumps(compliance_results, indent=4))
```
1.3 Flag policies with such statements as NON_COMPLIANT and others as COMPLIANT.
The script flags IAM policies with overly permissive statements as NON_COMPLIANT and others as COMPLIANT. This step is carried out by the script in task 1.2: the `compliance_results` entry for each policy is set to NON_COMPLIANT when a matching statement is found and to COMPLIANT otherwise.
1.4 Tabulate the compliance results of the IAM policies.
The script tabulates the compliance results of IAM policies.

```python
import json

# Compliance results from the previous task
compliance_results = {
    "AmazonEKS_EBS_CSI_Driver_Policy": "COMPLIANT",
    "dev-ecs-execution-policy-4698": "COMPLIANT",
    "AmazonSageMakerExecutionRoleForBedrockMarketplace_A5PKCFPHJ3Spolicy": "COMPLIANT",
    "eks-dev-396-alb-ingress": "COMPLIANT",
    "ci-ecs-execution-policy": "COMPLIANT",
    "eks-policy-prod-1525": "COMPLIANT",
    "akitra-reqd-permissions-part1": "COMPLIANT",
    "AllowAssumeRole-AWSServiceRoleForECS": "COMPLIANT",
    "khai_test_ssm_exec": "COMPLIANT",
    "eks-dev-396-cluster-ClusterEncryption20230825100453184500000014": "COMPLIANT",
    "AWSLambdaBasicExecutionRole-6fb2b237-cebe-4b0c-907a-18689d2a8c21": "COMPLIANT",
    "cluster-autoscaler-irsa-cluster-autoscaler": "COMPLIANT",
    "ecr-full-access": "COMPLIANT",
    "dev-controller-task-policy-4698": "COMPLIANT",
    "AmazonSageMakerExecutionRoleForBedrockMarketplace_5QBGRVH1WPYpolicy": "COMPLIANT",
    "AWSLambdaBasicExecutionRole-897ccca8-f1f7-4d45-bcae-509e5e0df4bf": "COMPLIANT",
    "ES-Policy": "COMPLIANT",
    "EC2StopInstancePolicy": "COMPLIANT",
    "CodeBuildBasePolicy-ci-codebuild-jenkins-codebuild-us-east-2": "COMPLIANT",
    "ecr-readonly": "COMPLIANT",
    "eks-prod-341-alb-ingress": "COMPLIANT",
    "BedrockInvokeModel": "COMPLIANT",
    "eks-dev-396-efs-csi-driver": "COMPLIANT",
    "eks-policy-dev-4698": "COMPLIANT",
    "prod-ecs-execution-policy-1525": "COMPLIANT",
    "TestAWSFullPolicy": "COMPLIANT",
    "aws-dag-sandbox-policy": "COMPLIANT",
    "AWSLambdaBasicExecutionRole-eb8ab677-e621-4773-9897-5bcc7e016166": "COMPLIANT",
    "eks-prod-341-efs-csi-driver": "COMPLIANT",
    "AmazonEKSReadOnlyAccess": "COMPLIANT",
    "eks-prod-341-cluster-ClusterEncryption2023091822371825660000001e": "COMPLIANT",
    "prod-controller-task-policy-1525": "COMPLIANT",
    "ci-controller-task-policy": "COMPLIANT",
    "ci-codebuild-jenkins-codebuild": "COMPLIANT",
    "all_eks_policy": "COMPLIANT",
    "AWSLambdaBasicExecutionRole-386a38d6-24d9-4bb3-9005-c48f010caa8f": "COMPLIANT",
    "InvokeModelPolicy": "COMPLIANT",
}

# Create a table to tabulate the compliance results. `context` is assumed to
# be the table helper object provided by the runbook runtime.
table = context.newtable()
table.num_rows = len(compliance_results) + 1  # +1 for the header row
table.num_cols = 2

# Set table title and header
table.title = "IAM Policy Compliance Results"
table.has_header_row = True
table.setval(0, 0, "Policy Name")
table.setval(0, 1, "Compliance Status")

# Populate the table with compliance results, one policy per row after the header
for row, (policy_name, status) in enumerate(compliance_results.items(), start=1):
    table.setval(row, 0, policy_name)
    table.setval(row, 1, status)

print("Compliance results have been tabulated successfully.")
```
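As an added example (not part of the original runbook), the rule from the description and from steps 1.2 and 1.3 is run offline against constructed policy documents, so the string-versus-list forms, a single-statement document, a resource-scoped statement and an explicit Deny can be checked without AWS access, and the offending statement is reported by Sid for remediation. The function names and sample policies are assumptions.

```python
import json


def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive(document):
    """Return the Sid (or position) of every statement matching the rule."""
    if isinstance(document, str):  # a raw JSON policy document, e.g. CLI output
        document = json.loads(document)
    findings = []
    for index, statement in enumerate(_as_list(document.get("Statement"))):
        if (statement.get("Effect") == "Allow"
                and "*" in _as_list(statement.get("Action"))
                and "*" in _as_list(statement.get("Resource"))):
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


def compliance_status(document):
    return "NON_COMPLIANT" if find_overly_permissive(document) else "COMPLIANT"


# Constructed sample policy documents (not taken from any real account)
SAMPLE_POLICIES = {
    "admin-string-form": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "*", "Resource": "*"}},
    "admin-list-form": {"Version": "2012-10-17", "Statement": [{
        "Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*", "*"], "Resource": ["*"]}]},
    "scoped-resource": {"Version": "2012-10-17", "Statement": [{
        "Sid": "BucketOnly", "Effect": "Allow", "Action": "*",
        "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "explicit-deny": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}]},
}


def evaluate_all(policies=SAMPLE_POLICIES):
    """Map each policy name to its status, like the runbook's compliance_results dict."""
    return {name: compliance_status(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, doc in SAMPLE_POLICIES.items():
        print(f"{name}: {compliance_status(doc)} {find_overly_permissive(doc)}")
```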