cloudsplaining 0.6.1__tar.gz → 0.6.3__tar.gz

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cloudsplaining
-Version: 0.6.1
+Version: 0.6.3
 Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
 Home-page: https://github.com/salesforce/cloudsplaining
 Author: Kinnaird McQuade
@@ -11,7 +11,9 @@ Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
 Project-URL: Code, https://github.com/salesforce/cloudsplaining/
 Project-URL: Twitter, https://twitter.com/kmcquade3
 Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
-Description: Cloudsplaining
+Description: ## NOTE: This repo/project has been restored by Salesforce.
+        
+        Cloudsplaining
         --------------
         
         Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
@@ -20,7 +22,9 @@ Description: Cloudsplaining
         [![Documentation Status](https://readthedocs.org/projects/cloudsplaining/badge/?version=latest)](https://cloudsplaining.readthedocs.io/en/latest/?badge=latest)
         [![Join the chat at https://gitter.im/cloudsplaining](https://badges.gitter.im/cloudsplaining.svg)](https://gitter.im/cloudsplaining?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
         [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/kmcquade3.svg?style=social&label=Follow%20the%20author)](https://twitter.com/kmcquade3)
-        [![Downloads](https://pepy.tech/badge/cloudsplaining)](https://pepy.tech/project/cloudsplaining)
+        [![PyPI](https://img.shields.io/pypi/v/cloudsplaining)](https://pypi.org/project/cloudsplaining)
+        [![Python Version](https://img.shields.io/pypi/pyversions/cloudsplaining)](#)
+        [![Downloads](https://static.pepy.tech/badge/cloudsplaining)](https://pepy.tech/project/cloudsplaining)
         
         * [Example report](https://opensource.salesforce.com/cloudsplaining/)
         
@@ -397,7 +401,13 @@ Description: Cloudsplaining
         
 Keywords: aws iam roles policy policies privileges security
 Platform: UNKNOWN
-Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Requires-Python: >=3.6

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/README.md

@@ -1,3 +1,5 @@
+## NOTE: This repo/project has been restored by Salesforce.
+
 Cloudsplaining
 --------------
 
@@ -7,7 +9,9 @@ Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations
 [![Documentation Status](https://readthedocs.org/projects/cloudsplaining/badge/?version=latest)](https://cloudsplaining.readthedocs.io/en/latest/?badge=latest)
 [![Join the chat at https://gitter.im/cloudsplaining](https://badges.gitter.im/cloudsplaining.svg)](https://gitter.im/cloudsplaining?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/kmcquade3.svg?style=social&label=Follow%20the%20author)](https://twitter.com/kmcquade3)
-[![Downloads](https://pepy.tech/badge/cloudsplaining)](https://pepy.tech/project/cloudsplaining)
+[![PyPI](https://img.shields.io/pypi/v/cloudsplaining)](https://pypi.org/project/cloudsplaining)
+[![Python Version](https://img.shields.io/pypi/pyversions/cloudsplaining)](#)
+[![Downloads](https://static.pepy.tech/badge/cloudsplaining)](https://pepy.tech/project/cloudsplaining)
 
 * [Example report](https://opensource.salesforce.com/cloudsplaining/)
 

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = '0.6.1'
+__version__ = '0.6.3'

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/assume_role_policy_document.py

@@ -4,23 +4,31 @@
 # Licensed under the BSD 3-Clause license.
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
+from __future__ import annotations
+
 import logging
 from typing import Dict, Any, List
 
+from cloudsplaining.scan.resource_policy_document import (
+    ResourcePolicyDocument,
+    ResourceStatement,
+)
 from cloudsplaining.shared.constants import SERVICE_PREFIXES_WITH_COMPUTE_ROLES
 
 logger = logging.getLogger(__name__)
 
 
-class AssumeRolePolicyDocument:
-    """
-    Holds the AssumeRole/Trust Policy document
+class AssumeRolePolicyDocument(ResourcePolicyDocument):
+    """Holds the AssumeRole/Trust Policy document
+
+    It is a specialized version of a Resource-based policy
     """
 
-    def __init__(self, policy: Dict[str, Any]) -> None:
+    def __init__(self, policy: dict[str, Any]) -> None:
         statement_structure = policy.get("Statement", [])
         self.policy = policy
-        self.statements = []
+        # We would actually need to define a proper base class with a generic type for statements
+        self.statements: list[AssumeRoleStatement] = []  # type:ignore[assignment]
         # leaving here but excluding from tests because IAM Policy grammar dictates that it must be a list
         if not isinstance(statement_structure, list):  # pragma: no cover
             statement_structure = [statement_structure]
@@ -28,11 +36,6 @@ class AssumeRolePolicyDocument:
         for statement in statement_structure:
             self.statements.append(AssumeRoleStatement(statement))
 
-    @property
-    def json(self) -> Dict[str, Any]:
-        """Return the AssumeRole Policy in JSON"""
-        return self.policy
-
     @property
     def role_assumable_by_compute_services(self) -> List[str]:
         """Determines whether or not the role is assumed from a compute service, and if so which ones."""
@@ -45,17 +48,13 @@ class AssumeRolePolicyDocument:
         return assumable_by_compute_services
 
 
-class AssumeRoleStatement:
+class AssumeRoleStatement(ResourceStatement):
     """
     Statements in an AssumeRole/Trust Policy document
     """
 
     def __init__(self, statement: Dict[str, Any]) -> None:
-        self.json = statement
-        self.statement = statement
-        self.effect = statement["Effect"]
-        self.actions = self._assume_role_actions()
-        self.principals = self._principals()
+        super().__init__(statement=statement)
 
         # self.not_principal = statement.get("NotPrincipal")
         if statement.get("NotPrincipal"):
@@ -76,49 +75,6 @@ class AssumeRoleStatement:
 
         return [actions]
 
-    def _principals(self) -> List[str]:
-        """Extracts all principals from IAM statement.
-        Should handle these cases:
-        "Principal": "value"
-        "Principal": ["value"]
-        "Principal": { "AWS": "value" }
-        "Principal": { "AWS": ["value", "value"] }
-        "Principal": { "Federated": "value" }
-        "Principal": { "Federated": ["value", "value"] }
-        "Principal": { "Service": "value" }
-        "Principal": { "Service": ["value", "value"] }
-        Return: Set of principals
-        """
-        principals: List[str] = []
-        principal = self.statement.get("Principal", None)
-        if not principal:
-            # It is possible not to define a principal, AWS ignores these statements.
-            return principals  # pragma: no cover
-
-        if isinstance(principal, dict):
-
-            if "AWS" in principal:
-                if isinstance(principal["AWS"], list):
-                    principals.extend(principal["AWS"])
-                else:
-                    principals.append(principal["AWS"])
-
-            if "Federated" in principal:
-                if isinstance(principal["Federated"], list):
-                    principals.extend(principal["Federated"])
-                else:
-                    principals.append(principal["Federated"])
-
-            if "Service" in principal:
-                if isinstance(principal["Service"], list):
-                    principals.extend(principal["Service"])
-                else:
-                    principals.append(principal["Service"])
-        else:
-            principals.append(principal)
-        # principals = list(principals).sort()
-        return principals
-
     @property
     def role_assumable_by_compute_services(self) -> List[str]:
         """Determines whether or not the role is assumed from a compute service, and if so which ones."""

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/authorization_details.py

@@ -110,7 +110,7 @@ class AuthorizationDetails:
         return results
 
     @property
-    def links(self) -> Dict[str, str]:
+    def links(self) -> Dict[str, str | None]:
         """Return a dictionary of the action names as keys and their API documentation links as values"""
         results = {}
         unique_action_names = set()

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/group_details.py

@@ -2,11 +2,14 @@
 from __future__ import annotations
 
 import json
+import logging
 from typing import Optional, Dict, Any, List
 
 from cloudsplaining.scan.inline_policy import InlinePolicy
 from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
 from cloudsplaining.scan.statement_detail import StatementDetail
+from cloudsplaining.shared import utils
+from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.utils import (
     is_aws_managed,
     get_full_policy_path,
@@ -184,12 +187,15 @@ class GroupDetail:
                     or exclusions.is_policy_excluded(get_full_policy_path(arn))
                     or exclusions.is_policy_excluded(get_policy_name(arn))
                 ):
-                    attached_managed_policy_details = policy_details.get_policy_detail(
-                        arn
-                    )
-                    self.attached_managed_policies.append(
-                        attached_managed_policy_details
-                    )
+                    try:
+                        attached_managed_policy_details = (
+                            policy_details.get_policy_detail(arn)
+                        )
+                        self.attached_managed_policies.append(
+                            attached_managed_policy_details
+                        )
+                    except NotFoundException as e:
+                        utils.print_red(f"\tError in group {self.group_name}: {e}")
 
         self.iam_data: Dict[str, Dict[Any, Any]] = {
             "groups": {},

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/managed_policy_detail.py

@@ -11,6 +11,7 @@ from typing import Dict, Any, List
 
 from policy_sentry.util.arns import get_account_from_arn
 from cloudsplaining.scan.policy_document import PolicyDocument
+from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.utils import get_full_policy_path, is_aws_managed
 from cloudsplaining.shared.constants import ISSUE_SEVERITY, RISK_DEFINITION
 from cloudsplaining.shared.exclusions import (
@@ -95,7 +96,7 @@ class ManagedPolicyDetails:
         for policy_detail in self.policy_details:
             if policy_detail.arn == arn:
                 return policy_detail
-        raise Exception("Managed Policy ARN %s not found.", arn)
+        raise NotFoundException(f"Managed Policy ARN {arn} not found.")
 
     @property
     def all_infrastructure_modification_actions(self) -> List[str]:
@@ -246,7 +247,7 @@ class ManagedPolicy:
         if is_aws_managed(self.arn):
             return "N/A"
         else:
-            return get_account_from_arn(self.arn)  # type: ignore
+            return get_account_from_arn(self.arn)
 
     def getFindingLinks(self, findings: List[Dict[str, Any]]) -> Dict[Any, str]:
         links = {}

cloudsplaining-0.6.3/cloudsplaining/scan/resource_policy_document.py

@@ -0,0 +1,260 @@
+"""Represents the Resource-based policy"""
+from __future__ import annotations
+
+import logging
+import re
+from typing import Any
+
+from policy_sentry.util.arns import ARN
+
+
+CONDITION_KEY_CATEGORIES = {
+    "aws:sourcearn": "arn",
+    "aws:principalarn": "arn",
+    "aws:sourceowner": "account",
+    "aws:sourceaccount": "account",
+    "aws:principalaccount": "account",
+    "aws:principalorgid": "organization",
+    "aws:principalorgpaths": "organization",
+    "kms:calleraccount": "account",
+    "aws:userid": "userid",
+    "aws:sourceip": "cidr",
+    "aws:sourcevpc": "vpc",
+    "aws:sourcevpce": "vpce",
+    # a key for SAML Federation trust policy.
+    # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+    # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html
+    "saml:aud": "saml-endpoint",
+}
+RELEVANT_CONDITION_OPERATORS_PATTERN = re.compile(
+    "((ForAllValues|ForAnyValue):)?(ARN(Equals|Like)|String(Equals|Like)(IgnoreCase)?|IpAddress)(IfExists)?",
+    re.IGNORECASE,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class ResourcePolicyDocument:
+    """Holds the Resource Policy document"""
+
+    def __init__(self, policy: dict[str, Any]) -> None:
+        statement_structure = policy.get("Statement", [])
+        self.policy = policy
+        self.statements = []
+        # leaving here but excluding from tests because IAM Policy grammar dictates that it must be a list
+        if not isinstance(statement_structure, list):  # pragma: no cover
+            statement_structure = [statement_structure]
+
+        for statement in statement_structure:
+            self.statements.append(ResourceStatement(statement))
+
+    @property
+    def json(self) -> dict[str, Any]:
+        """Return the Resource Policy in JSON"""
+        return self.policy
+
+    @property
+    def internet_accessible_actions(self) -> list[str]:
+        result = []
+        for statement in self.statements:
+            actions = statement.internet_accessible_actions
+            if actions:
+                result.extend(actions)
+
+        return result
+
+
+class ResourceStatement:
+    """Statements in a Resource Policy document"""
+
+    def __init__(self, statement: dict[str, Any]) -> None:
+        self.json = statement
+        self.statement = statement
+        self.effect = statement["Effect"]
+        self.actions = self._actions()
+        self.principals = self._principals()
+        self.conditions = self._conditions()
+
+    def _actions(self) -> list[str]:
+        """Extracts all actions"""
+        actions = self.statement.get("Action", [])
+        if not actions:
+            return []
+
+        if isinstance(actions, list):
+            return actions
+
+        return [actions]
+
+    def _principals(self) -> list[str]:
+        """Extracts all principals from IAM statement.
+        Should handle these cases:
+        "Principal": "value"
+        "Principal": ["value"]
+        "Principal": { "AWS": "value" }
+        "Principal": { "AWS": ["value", "value"] }
+        "Principal": { "Federated": "value" }
+        "Principal": { "Federated": ["value", "value"] }
+        "Principal": { "Service": "value" }
+        "Principal": { "Service": ["value", "value"] }
+        Return: Set of principals
+        """
+        principals: list[str] = []
+        principal = self.statement.get("Principal", None)
+        if not principal:
+            # It is possible not to define a principal, AWS ignores these statements.
+            return principals  # pragma: no cover
+
+        if isinstance(principal, dict):
+            if "AWS" in principal:
+                if isinstance(principal["AWS"], list):
+                    principals.extend(principal["AWS"])
+                else:
+                    principals.append(principal["AWS"])
+
+            if "Federated" in principal:
+                if isinstance(principal["Federated"], list):
+                    principals.extend(principal["Federated"])
+                else:
+                    principals.append(principal["Federated"])
+
+            if "Service" in principal:
+                if isinstance(principal["Service"], list):
+                    principals.extend(principal["Service"])
+                else:
+                    principals.append(principal["Service"])
+        else:
+            principals.append(principal)
+
+        return principals
+
+    # Adapted version of policyuniverse's _condition_entries, here:
+    # https://github.com/Netflix-Skunkworks/policyuniverse/blob/master/policyuniverse/statement.py#L146
+    def _conditions(self) -> list[tuple[str, Any]]:
+        """Extracts any ARNs, Account Numbers, UserIDs, Usernames, CIDRs, VPCs, and VPC Endpoints from a condition block.
+
+        Ignores any negated condition operators like StringNotLike.
+        Ignores weak condition keys like referer, date, etc.
+
+        Reason: A condition is meant to limit the principal in a statement.  Often, resource policies use a wildcard principal
+        and rely exclusively on the Condition block to limit access.
+
+        We would want to alert if the Condition had no limitations (like a non-existent Condition block), or very weak
+        limitations.  Any negation would be weak, and largely equivelant to having no condition block whatsoever.
+
+        The alerting code that relies on this data must ensure the condition has at least one of the following:
+        - A limiting ARN
+        - Account Identifier
+        - AWS Organization Principal Org ID
+        - User ID
+        - Source IP / CIDR
+        - VPC
+        - VPC Endpoint
+
+        https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
+        """
+
+        conditions: list[tuple[str, Any]] = []
+        condition = self.statement.get("Condition")
+        if not condition:
+            return conditions
+
+        for condition_operator, condition_context in condition.items():
+            if RELEVANT_CONDITION_OPERATORS_PATTERN.match(condition_operator):
+                for key, value in condition_context.items():
+                    key_lower = key.lower()
+                    if key_lower in CONDITION_KEY_CATEGORIES:
+                        if isinstance(value, list):
+                            conditions.extend(
+                                (CONDITION_KEY_CATEGORIES[key_lower], v) for v in value
+                            )
+                        else:
+                            conditions.append(
+                                (CONDITION_KEY_CATEGORIES[key_lower], value)
+                            )
+
+        return conditions
+
+    @property
+    def internet_accessible_actions(self) -> list[str]:
+        """Determines whether the actions can be used by everyone"""
+
+        # compared to policyuniverse's implementation,
+        # there is no need to check for the existence of 'NotPrincipal',
+        # because it is not support with self.effect == "Allow"
+        if self.effect == "Deny":
+            return []
+
+        for entry in self.conditions:
+            if self._is_condition_entry_internet_accessible(entry=entry):
+                return self.actions
+
+        if self.conditions:
+            # this means we have conditions, but they protect the policy to be accessible by everyone
+            return []
+
+        for principal in self.principals:
+            if self._arn_internet_accessible(arn=principal):
+                return self.actions
+
+        return []
+
+    # Adapted version of policyuniverse's _is_condition_entry_internet_accessible and the called methods, here:
+    # https://github.com/Netflix-Skunkworks/policyuniverse/blob/master/policyuniverse/statement.py#L301
+    # and onwards
+    def _is_condition_entry_internet_accessible(self, entry: tuple[str, Any]) -> bool:
+        category, condition_value = entry
+
+        if category == "arn":
+            return self._arn_internet_accessible(arn=condition_value)
+        elif category == "cidr":
+            return self._cidr_internet_accessible(cidr=condition_value)
+        elif category == "organization":
+            return self._organization_internet_accessible(org=condition_value)
+        elif category == "userid":
+            return self._userid_internet_accessible(userid=condition_value)
+
+        return "*" in condition_value
+
+    def _arn_internet_accessible(self, arn: str) -> bool:
+        if "*" == arn:
+            return True
+
+        if not arn.startswith("arn:"):
+            # probably an account ID or AWS service
+            return False
+
+        try:
+            parsed_arn = ARN(provided_arn=arn)
+        except Exception:
+            logger.info(f"ARN {arn} is not parsable")
+            return "*" in arn
+
+        if parsed_arn.service_prefix == "s3":
+            # S3 ARNs don't have account numbers
+            return False
+
+        if not parsed_arn.account and not parsed_arn.service_prefix:
+            logger.info(f"ARN {arn} is not valid")
+            return True
+
+        if parsed_arn.account == "*":
+            return True
+
+        return False
+
+    def _cidr_internet_accessible(self, cidr: str) -> bool:
+        return cidr.endswith("/0")
+
+    def _organization_internet_accessible(self, org: str) -> bool:
+        if "o-*" in org:
+            return True
+        return False
+
+    def _userid_internet_accessible(self, userid: str) -> bool:
+        # Trailing wildcards are okay for user IDs:
+        # AROAIIIIIIIIIIIIIIIII:*
+        if userid.find("*") == len(userid) - 1:
+            # note: this will also return False for a zero-length userid
+            return False
+        return True

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/role_details.py

@@ -9,6 +9,8 @@ from cloudsplaining.scan.assume_role_policy_document import AssumeRolePolicyDocu
 from cloudsplaining.scan.inline_policy import InlinePolicy
 from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
 from cloudsplaining.scan.statement_detail import StatementDetail
+from cloudsplaining.shared import utils
+from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.utils import (
     is_aws_managed,
     get_full_policy_path,
@@ -214,12 +216,15 @@ class RoleDetail:
                     or exclusions.is_policy_excluded(get_full_policy_path(arn))
                     or exclusions.is_policy_excluded(get_policy_name(arn))
                 ):
-                    attached_managed_policy_details = policy_details.get_policy_detail(
-                        arn
-                    )
-                    self.attached_managed_policies.append(
-                        attached_managed_policy_details
-                    )
+                    try:
+                        attached_managed_policy_details = (
+                            policy_details.get_policy_detail(arn)
+                        )
+                        self.attached_managed_policies.append(
+                            attached_managed_policy_details
+                        )
+                    except NotFoundException as e:
+                        utils.print_red(f"\tError in role {self.role_name}: {e}")
 
     def set_iam_data(self, iam_data: Dict[str, Dict[Any, Any]]) -> None:
         self.iam_data = iam_data

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/statement_detail.py

@@ -4,7 +4,7 @@ from typing import Dict, Any, List, Optional
 
 from cached_property import cached_property
 
-from policy_sentry.analysis.analyze import determine_actions_to_expand
+from policy_sentry.analysis.expand import determine_actions_to_expand
 from policy_sentry.querying.actions import (
     remove_actions_not_matching_access_level,
     get_actions_matching_arn,
@@ -33,7 +33,12 @@ class StatementDetail:
     Analyzes individual statements within a policy
     """
 
-    def __init__(self, statement: Dict[str, Any], flag_conditional_statements: bool = False, flag_resource_arn_statements: bool = False) -> None:
+    def __init__(
+        self,
+        statement: Dict[str, Any],
+        flag_conditional_statements: bool = False,
+        flag_resource_arn_statements: bool = False,
+    ) -> None:
         self.json = statement
         self.statement = statement
         self.effect = statement["Effect"]
@@ -78,7 +83,8 @@ class StatementDetail:
 
     def _not_action(self) -> List[str]:
         """Holds the NotAction details.
-        We won't do anything with it - but we will flag it as something for the assessor to triage."""
+        We won't do anything with it - but we will flag it as something for the assessor to triage.
+        """
         not_action = self.statement.get("NotAction")
         if not not_action:
             return []
@@ -88,7 +94,8 @@ class StatementDetail:
 
     def _not_resource(self) -> List[str]:
         """Holds the NotResource details.
-        We won't do anything with it - but we will flag it as something for the assessor to triage."""
+        We won't do anything with it - but we will flag it as something for the assessor to triage.
+        """
         not_resource = self.statement.get("NotResource")
         if not not_resource:
             return []
@@ -98,7 +105,7 @@ class StatementDetail:
 
     # @property
     def _not_action_effective_actions(self) -> Optional[List[str]]:
-        """If NotAction is used, calculate the allowed actions - i.e., what it would be """
+        """If NotAction is used, calculate the allowed actions - i.e., what it would be"""
         effective_actions = []
         if not self.not_action:
             return None
@@ -149,7 +156,8 @@ class StatementDetail:
     @property
     def has_not_resource_with_allow(self) -> bool:
         """Per the AWS documentation, the NotResource should NEVER be used with the Allow Effect.
-        See documentation here. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html#notresource-element-combinations"""
+        See documentation here. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html#notresource-element-combinations
+        """
         if self.not_resource and self.effect_allow:
             logger.warning(
                 "Per the AWS documentation, the NotResource should never be used with the "
@@ -198,9 +206,8 @@ class StatementDetail:
         do not have resource constraints"""
         result = []
         if (
-            (not self.has_resource_constraints or self.flag_resource_arn_statements) and
-             not self.has_condition
-        ):
+            not self.has_resource_constraints or self.flag_resource_arn_statements
+        ) and not self.has_condition:
             result = remove_actions_not_matching_access_level(
                 self.restrictable_actions, "Permissions management"
             )
@@ -213,9 +220,8 @@ class StatementDetail:
         do not have resource constraints"""
         result = []
         if (
-            (not self.has_resource_constraints or self.flag_resource_arn_statements) and
-             not self.has_condition
-        ):
+            not self.has_resource_constraints or self.flag_resource_arn_statements
+        ) and not self.has_condition:
             result = remove_actions_not_matching_access_level(
                 self.restrictable_actions, "Write"
             )

{cloudsplaining-0.6.1 → cloudsplaining-0.6.3}/cloudsplaining/scan/user_details.py

@@ -8,6 +8,8 @@ from cloudsplaining.scan.group_details import GroupDetailList, GroupDetail
 from cloudsplaining.scan.inline_policy import InlinePolicy
 from cloudsplaining.scan.managed_policy_detail import ManagedPolicyDetails
 from cloudsplaining.scan.statement_detail import StatementDetail
+from cloudsplaining.shared import utils
+from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.utils import (
     is_aws_managed,
     get_full_policy_path,
@@ -197,12 +199,15 @@ class UserDetail:
                     or exclusions.is_policy_excluded(get_full_policy_path(arn))
                     or exclusions.is_policy_excluded(get_policy_name(arn))
                 ):
-                    attached_managed_policy_details = policy_details.get_policy_detail(
-                        arn
-                    )
-                    self.attached_managed_policies.append(
-                        attached_managed_policy_details
-                    )
+                    try:
+                        attached_managed_policy_details = (
+                            policy_details.get_policy_detail(arn)
+                        )
+                        self.attached_managed_policies.append(
+                            attached_managed_policy_details
+                        )
+                    except NotFoundException as e:
+                        utils.print_red(f"\tError in user {self.user_name}: {e}")
 
     def set_iam_data(self, iam_data: Dict[str, Dict[Any, Any]]) -> None:
         self.iam_data = iam_data