cloudsplaining 0.8.0__tar.gz → 0.8.1__tar.gz

{cloudsplaining-0.8.0/cloudsplaining.egg-info → cloudsplaining-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cloudsplaining
-Version: 0.8.0
+Version: 0.8.1
 Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
 Home-page: https://github.com/salesforce/cloudsplaining
 Author: Kinnaird McQuade
@@ -21,7 +21,7 @@ Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
-Requires-Python: >=3.8
+Requires-Python: >=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = "0.8.0"
+__version__ = "0.8.1"

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/command/create_exclusions_file.py

@@ -41,8 +41,8 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     set_log_level(verbosity)
 
     with open(output_file, "a", encoding="utf-8") as file_obj:
-        for line in EXCLUSIONS_TEMPLATE:
-            file_obj.write(line)
+        file_obj.write(EXCLUSIONS_TEMPLATE)
+
     utils.print_green(f"Success! Exclusions template file written to: {output_file}")
     print(
         "Make sure you download your account authorization details before running the scan."

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/command/create_multi_account_config_file.py

@@ -47,8 +47,8 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
         os.remove(output_file)
 
     with open(output_file, "a", encoding="utf-8") as file_obj:
-        for line in MULTI_ACCOUNT_CONFIG_TEMPLATE:
-            file_obj.write(line)
+        file_obj.write(MULTI_ACCOUNT_CONFIG_TEMPLATE)
+
     utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
     print(
         f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/command/scan.py

@@ -96,6 +96,14 @@ from cloudsplaining.shared.validation import check_authorization_details_schema
     multiple=True,
     type=click.Choice(["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"], case_sensitive=False),
 )
+@click.option(
+    "-t",
+    "--flag-trust-policies",
+    required=False,
+    default=False,
+    is_flag=True,
+    help="Flag risky trust policies in roles.",
+)
 def scan(
     input_file: str,
     exclusions_file: str,
@@ -105,6 +113,7 @@ def scan(
     flag_all_risky_actions: bool,
     verbosity: int,
     severity: list[str],
+    flag_trust_policies: bool,
 ) -> None:  # pragma: no cover
     """
     Given the path to account authorization details files and the exclusions config file, scan all inline and
@@ -142,6 +151,7 @@ def scan(
             minimize=minimize,
             flag_conditional_statements=flag_conditional_statements,
             flag_resource_arn_statements=flag_resource_arn_statements,
+            flag_trust_policies=flag_trust_policies,
             severity=severity,
         )
         html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
@@ -207,6 +217,7 @@ def scan_account_authorization_details(
     return_json_results: Literal[True],
     flag_conditional_statements: bool = ...,
     flag_resource_arn_statements: bool = ...,
+    flag_trust_policies: bool = ...,
     severity: list[str] | None = ...,
 ) -> dict[str, Any]: ...
 
@@ -222,6 +233,7 @@ def scan_account_authorization_details(
     return_json_results: Literal[False] = ...,
     flag_conditional_statements: bool = ...,
     flag_resource_arn_statements: bool = ...,
+    flag_trust_policies: bool = ...,
     severity: list[str] | None = ...,
 ) -> str: ...
 
@@ -236,6 +248,7 @@ def scan_account_authorization_details(
     return_json_results: bool = False,
     flag_conditional_statements: bool = False,
     flag_resource_arn_statements: bool = False,
+    flag_trust_policies: bool = False,
     severity: list[str] | None = None,
 ) -> str | dict[str, Any]:  # pragma: no cover
     """
@@ -250,6 +263,7 @@ def scan_account_authorization_details(
         exclusions=exclusions,
         flag_conditional_statements=flag_conditional_statements,
         flag_resource_arn_statements=flag_resource_arn_statements,
+        flag_trust_policies=flag_trust_policies,
         severity=severity,
     )
     results = authorization_details.results

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/command/scan_multi_account.py

@@ -120,6 +120,14 @@ class MultiAccountConfig:
     multiple=True,
     type=click.Choice(["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"], case_sensitive=False),
 )
+@click.option(
+    "-t",
+    "--flag-trust-policies",
+    required=False,
+    default=False,
+    is_flag=True,
+    help="Flag risky trust policies in roles.",
+)
 def scan_multi_account(
     config_file: str,
     profile: str,
@@ -131,6 +139,7 @@ def scan_multi_account(
     flag_all_risky_actions: bool,
     verbosity: int,
     severity: list[str],
+    flag_trust_policies: bool,
 ) -> None:
     """Scan multiple accounts via AssumeRole"""
     set_log_level(verbosity)
@@ -160,6 +169,7 @@ def scan_multi_account(
         severity=severity,
         flag_conditional_statements=flag_conditional_statements,
         flag_resource_arn_statements=flag_resource_arn_statements,
+        flag_trust_policies=flag_trust_policies,
     )
 
 
@@ -174,6 +184,7 @@ def scan_accounts(
     severity: list[str] | None = None,
     flag_conditional_statements: bool = False,
     flag_resource_arn_statements: bool = False,
+    flag_trust_policies: bool = False,
 ) -> None:
     """Use this method as a library to scan multiple accounts"""
     # TODO: Speed improvements? Multithreading? This currently runs sequentially.
@@ -187,6 +198,7 @@ def scan_accounts(
             severity=severity,
             flag_conditional_statements=flag_conditional_statements,
             flag_resource_arn_statements=flag_resource_arn_statements,
+            flag_trust_policies=flag_trust_policies,
         )
         html_report = HTMLReport(
             account_id=target_account_id,
@@ -233,6 +245,7 @@ def scan_account(
     severity: list[str] | None = None,
     flag_conditional_statements: bool = False,
     flag_resource_arn_statements: bool = False,
+    flag_trust_policies: bool = False,
 ) -> dict[str, dict[str, Any]]:
     """Scan a target account in one shot"""
     account_authorization_details = download_account_authorization_details(
@@ -247,6 +260,7 @@ def scan_account(
         severity=severity,
         flag_conditional_statements=flag_conditional_statements,
         flag_resource_arn_statements=flag_resource_arn_statements,
+        flag_trust_policies=flag_trust_policies,
     )
     results = authorization_details.results
     return results

cloudsplaining-0.8.1/cloudsplaining/scan/assume_role_policy_document.py

@@ -0,0 +1,209 @@
+"""Represents the AssumeRole Trust Policy. This is mainly used for identifying whether roles are assumable via AWS compute services."""
+
+# Copyright (c) 2020, salesforce.com, inc.
+# All rights reserved.
+# Licensed under the BSD 3-Clause license.
+# For full license text, see the LICENSE file in the repo root
+# or https://opensource.org/licenses/BSD-3-Clause
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+from cloudsplaining.scan.resource_policy_document import (
+    ResourcePolicyDocument,
+    ResourceStatement,
+)
+from cloudsplaining.shared.constants import SERVICE_PREFIXES_WITH_COMPUTE_ROLES
+from cloudsplaining.shared.exclusions import (
+    DEFAULT_EXCLUSIONS,
+    Exclusions,
+)
+from cloudsplaining.shared.utils import get_account_id_from_principal
+
+logger = logging.getLogger(__name__)
+
+
+class AssumeRolePolicyDocument(ResourcePolicyDocument):
+    """Holds the AssumeRole/Trust Policy document
+
+    It is a specialized version of a Resource-based policy
+    """
+
+    def __init__(
+        self,
+        policy: dict[str, Any],
+        current_account_id: str | None = None,
+        exclusions: Exclusions = DEFAULT_EXCLUSIONS,
+    ) -> None:
+        statement_structure = policy.get("Statement", [])
+        self.policy = policy
+        self.current_account_id = current_account_id
+        # We would actually need to define a proper base class with a generic type for statements
+        self.statements: list[AssumeRoleStatement] = []  # type:ignore[assignment]
+        self.exclusions = exclusions
+        # leaving here but excluding from tests because IAM Policy grammar dictates that it must be a list
+        if not isinstance(statement_structure, list):  # pragma: no cover
+            statement_structure = [statement_structure]
+
+        for statement in statement_structure:
+            self.statements.append(AssumeRoleStatement(statement, current_account_id, exclusions))
+
+    @property
+    def role_assumable_by_compute_services(self) -> list[str]:
+        """Determines whether or not the role is assumed from a compute service, and if so which ones."""
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_compute_services
+            for principal in statement.role_assumable_by_compute_services
+        ]
+
+    @property
+    def role_assumable_by_cross_account_principals(self) -> list[str]:
+        """Determines whether or not the role can be assumed from principals in other accounts, and if so which ones."""
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_cross_account_principals
+            for principal in statement.role_assumable_by_cross_account_principals
+        ]
+
+    @property
+    def role_assumable_by_any_principal(self) -> list[str]:
+        """Determines whether or not the role can be assumed by any principal (*) or any AWS account root."""
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_any_principal
+            for principal in statement.role_assumable_by_any_principal
+        ]
+
+    @property
+    def role_assumable_by_any_principal_with_conditions(self) -> list[str]:
+        """Determines whether or not the role can be assumed by any principal (*) or any AWS account root with conditions."""
+        return [
+            principal
+            for statement in self.statements
+            if statement.role_assumable_by_any_principal_with_conditions
+            for principal in statement.role_assumable_by_any_principal_with_conditions
+        ]
+
+
+class AssumeRoleStatement(ResourceStatement):
+    """
+    Statements in an AssumeRole/Trust Policy document
+    """
+
+    def __init__(
+        self,
+        statement: dict[str, Any],
+        current_account_id: str | None = None,
+        exclusions: Exclusions = DEFAULT_EXCLUSIONS,
+    ) -> None:
+        super().__init__(statement=statement)
+        self.current_account_id = current_account_id
+        self.exclusions = exclusions
+
+        # self.not_principal = statement.get("NotPrincipal")
+        if statement.get("NotPrincipal"):
+            logger.critical(  # pragma: no cover
+                "NotPrincipal is used in the IAM AssumeRole Trust Policy. "
+                "This should NOT be used. We suggest reviewing it ASAP."
+            )
+
+    def _assume_role_actions(self) -> list[str]:
+        """Verifies that this is limited to just sts:AssumeRole"""
+        actions = self.statement.get("Action", [])
+        if not actions:
+            logger.debug("The AssumeRole Policy has no actions in it.")
+            return []
+
+        if isinstance(actions, list):
+            return actions
+
+        return [actions]
+
+    @property
+    def role_assumable_by_compute_services(self) -> list[str]:
+        """Determines whether or not the role is assumed from a compute service, and if so which ones."""
+        # sts:AssumeRole must be there
+        lowercase_actions = [x.lower() for x in self.actions]
+        if "sts:AssumeRole".lower() not in lowercase_actions:
+            return []
+
+        # Effect must be Allow
+        if self.effect.lower() != "allow":
+            return []
+
+        assumable_by_compute_services = []
+        for principal in self.principals:
+            if principal.endswith(".amazonaws.com"):
+                service_prefix_to_evaluate = principal.split(".")[0]
+                if service_prefix_to_evaluate in SERVICE_PREFIXES_WITH_COMPUTE_ROLES:
+                    assumable_by_compute_services.append(service_prefix_to_evaluate)
+        return assumable_by_compute_services
+
+    @property
+    def role_assumable_by_cross_account_principals(self) -> list[str]:
+        """Determines whether or not the role can be assumed from principals in other accounts, and if so which ones."""
+        # sts:AssumeRole must be there
+        lowercase_actions = [x.lower() for x in self.actions]
+        if "sts:AssumeRole".lower() not in lowercase_actions:
+            return []
+
+        # Effect must be Allow
+        if self.effect.lower() != "allow":
+            return []
+
+        return [
+            principal
+            for principal in self.principals
+            if (principal_account_id := get_account_id_from_principal(principal))
+            and (self.current_account_id is None or principal_account_id != self.current_account_id)
+            and principal_account_id not in self.exclusions.known_accounts
+        ]
+
+    @property
+    def role_assumable_by_any_principal(self) -> list[str]:
+        """Determines whether or not the role can be assumed by any principal (*) or any AWS account root."""
+        # sts:AssumeRole must be there
+        lowercase_actions = [x.lower() for x in self.actions]
+        if "sts:AssumeRole".lower() not in lowercase_actions:
+            return []
+
+        # Effect must be Allow
+        if self.effect.lower() != "allow":
+            return []
+
+        # Must have no conditions
+        if self.statement.get("Condition"):
+            return []
+
+        # Check if any principal is "*" or "arn:aws:iam::*:root"
+        any_principals = [
+            principal for principal in self.principals if principal == "*" or principal == "arn:aws:iam::*:root"
+        ]
+        return any_principals
+
+    @property
+    def role_assumable_by_any_principal_with_conditions(self) -> list[str]:
+        """Determines whether or not the role can be assumed by any principal (*) or any AWS account root with conditions."""
+        # sts:AssumeRole must be there
+        lowercase_actions = [x.lower() for x in self.actions]
+        if "sts:AssumeRole".lower() not in lowercase_actions:
+            return []
+
+        # Effect must be Allow
+        if self.effect.lower() != "allow":
+            return []
+
+        # Must have conditions (opposite of role_assumable_by_any_principal)
+        if not self.statement.get("Condition"):
+            return []
+
+        # Check if any principal is "*" or "arn:aws:iam::*:root"
+        any_principals = [
+            principal for principal in self.principals if principal == "*" or principal == "arn:aws:iam::*:root"
+        ]
+        return any_principals

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/scan/authorization_details.py

@@ -35,6 +35,7 @@ class AuthorizationDetails:
         exclusions: Exclusions = DEFAULT_EXCLUSIONS,
         flag_conditional_statements: bool = False,
         flag_resource_arn_statements: bool = False,
+        flag_trust_policies: bool = False,
         severity: list[str] | None = None,
     ) -> None:
         """
@@ -53,6 +54,7 @@ class AuthorizationDetails:
         self.exclusions = exclusions
         self.flag_conditional_statements = flag_conditional_statements
         self.flag_resource_arn_statements = flag_resource_arn_statements
+        self.flag_trust_policies = flag_trust_policies
 
         self.policies = ManagedPolicyDetails(
             auth_json.get("Policies", []),
@@ -86,6 +88,7 @@ class AuthorizationDetails:
             exclusions,
             flag_conditional_statements=flag_conditional_statements,
             flag_resource_arn_statements=flag_resource_arn_statements,
+            flag_trust_policies=flag_trust_policies,
             severity=severity,
         )
 

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/scan/inline_policy.py

@@ -70,7 +70,7 @@ class InlinePolicy:
         links = {}
         for finding in findings:
             links[finding["type"]] = (
-                f'https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/#{finding["type"]}'
+                f"https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/#{finding['type']}"
             )
         return links
 

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/scan/managed_policy_detail.py

@@ -244,7 +244,7 @@ class ManagedPolicy:
         links = {}
         for finding in findings:
             links[finding["type"]] = (
-                f'https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/#{finding["type"]}'
+                f"https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/#{finding['type']}"
             )
         return links
 

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/scan/role_details.py

@@ -2,13 +2,17 @@
 
 from __future__ import annotations
 
+import contextlib
 import json
 import logging
 from typing import TYPE_CHECKING, Any
 
+from policy_sentry.util.arns import get_account_from_arn
+
 from cloudsplaining.scan.assume_role_policy_document import AssumeRolePolicyDocument
 from cloudsplaining.scan.inline_policy import InlinePolicy
 from cloudsplaining.shared import utils
+from cloudsplaining.shared.constants import ISSUE_SEVERITY, RISK_DEFINITION
 from cloudsplaining.shared.exceptions import NotFoundException
 from cloudsplaining.shared.exclusions import (
     DEFAULT_EXCLUSIONS,
@@ -39,6 +43,7 @@ class RoleDetailList:
         exclusions: Exclusions = DEFAULT_EXCLUSIONS,
         flag_conditional_statements: bool = False,
         flag_resource_arn_statements: bool = False,
+        flag_trust_policies: bool = False,
         severity: list[str] | None = None,
     ) -> None:
         self.severity = [] if severity is None else severity
@@ -50,6 +55,7 @@ class RoleDetailList:
         # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
         self.flag_conditional_statements = flag_conditional_statements
         self.flag_resource_arn_statements = flag_resource_arn_statements
+        self.flag_trust_policies = flag_trust_policies
         self.iam_data: dict[str, dict[Any, Any]] = {
             "groups": {},
             "users": {},
@@ -73,6 +79,7 @@ class RoleDetailList:
                         exclusions=exclusions,
                         flag_conditional_statements=self.flag_conditional_statements,
                         flag_resource_arn_statements=self.flag_resource_arn_statements,
+                        flag_trust_policies=flag_trust_policies,
                         severity=self.severity,
                     )
                 )
@@ -138,6 +145,7 @@ class RoleDetail:
         exclusions: Exclusions = DEFAULT_EXCLUSIONS,
         flag_conditional_statements: bool = False,
         flag_resource_arn_statements: bool = False,
+        flag_trust_policies: bool = False,
         severity: list[str] | None = None,
     ) -> None:
         """
@@ -147,6 +155,7 @@ class RoleDetail:
         :param policy_details: The ManagedPolicyDetails object - i.e., details about all managed policies in the account
         so the role can inherit those attributes
         """
+        self.severity = [] if severity is None else severity
         # Metadata
         self.path = role_detail["Path"]
         self.role_name = role_detail["RoleName"]
@@ -165,6 +174,7 @@ class RoleDetail:
         # Fix Issue #254 - Allow flagging risky actions even when there are resource constraints
         self.flag_conditional_statements = flag_conditional_statements
         self.flag_resource_arn_statements = flag_resource_arn_statements
+        self.flag_trust_policies = flag_trust_policies
 
         self.iam_data: dict[str, dict[Any, Any]] = {
             "groups": {},
@@ -176,7 +186,16 @@ class RoleDetail:
         self.assume_role_policy_document = None
         assume_role_policy = role_detail.get("AssumeRolePolicyDocument")
         if assume_role_policy:
-            self.assume_role_policy_document = AssumeRolePolicyDocument(assume_role_policy)
+            # Extract current account ID from role ARN
+            current_account_id = None
+            if self.arn:
+                with contextlib.suppress(Exception):
+                    # If we can't parse the account ID, continue without it
+                    current_account_id = get_account_from_arn(self.arn)
+
+            self.assume_role_policy_document = AssumeRolePolicyDocument(
+                assume_role_policy, current_account_id, exclusions
+            )
 
         # TODO: Create a class for InstanceProfileList
         self.instance_profile_list = role_detail.get("InstanceProfileList", [])
@@ -331,4 +350,54 @@ class RoleDetail:
             aws_managed_policies=self.attached_aws_managed_policies_pointer_json,
             is_excluded=self.is_excluded,
         )
+
+        if self.flag_trust_policies:
+            severities = {x.lower() for x in self.severity}
+            this_role_detail.update(
+                {
+                    "AssumableByComputeServices": {
+                        "severity": ISSUE_SEVERITY["AssumableByComputeService"],
+                        "description": RISK_DEFINITION["AssumableByComputeService"],
+                        "findings": (
+                            self.assume_role_policy_document.role_assumable_by_compute_services
+                            if self.assume_role_policy_document
+                            and (ISSUE_SEVERITY["AssumableByComputeService"] in severities or not self.severity)
+                            else []
+                        ),
+                    },
+                    "AssumableByCrossAccountPrincipal": {
+                        "severity": ISSUE_SEVERITY["AssumableByCrossAccountPrincipal"],
+                        "description": RISK_DEFINITION["AssumableByCrossAccountPrincipal"],
+                        "findings": (
+                            self.assume_role_policy_document.role_assumable_by_cross_account_principals
+                            if self.assume_role_policy_document
+                            and (ISSUE_SEVERITY["AssumableByCrossAccountPrincipal"] in severities or not self.severity)
+                            else []
+                        ),
+                    },
+                    "AssumableByAnyPrincipal": {
+                        "severity": ISSUE_SEVERITY["AssumableByAnyPrincipal"],
+                        "description": RISK_DEFINITION["AssumableByAnyPrincipal"],
+                        "findings": (
+                            self.assume_role_policy_document.role_assumable_by_any_principal
+                            if self.assume_role_policy_document
+                            and (ISSUE_SEVERITY["AssumableByAnyPrincipal"] in severities or not self.severity)
+                            else []
+                        ),
+                    },
+                    "AssumableByAnyPrincipalWithConditions": {
+                        "severity": ISSUE_SEVERITY["AssumableByAnyPrincipalWithConditions"],
+                        "description": RISK_DEFINITION["AssumableByAnyPrincipalWithConditions"],
+                        "findings": (
+                            self.assume_role_policy_document.role_assumable_by_any_principal_with_conditions
+                            if self.assume_role_policy_document
+                            and (
+                                ISSUE_SEVERITY["AssumableByAnyPrincipalWithConditions"] in severities
+                                or not self.severity
+                            )
+                            else []
+                        ),
+                    },
+                }
+            )
         return this_role_detail

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/scan/statement_detail.py

@@ -241,8 +241,7 @@ class StatementDetail:
         # Fix #390 - if flag_resource_arn_statements is True, then let's treat this as missing resource constraints so we can flag the action anyway.
         elif self.flag_resource_arn_statements:
             actions_missing_resource_constraints = self.restrictable_actions
-        else:
-            pass
+
         result = exclusions.get_allowed_actions(actions_missing_resource_constraints)
         result.sort()
         return result

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/shared/constants.py

@@ -54,6 +54,12 @@ include-actions:
 # Write actions to include from the results, such as kms:Decrypt
 exclude-actions:
   - ""
+# Known AWS Account IDs to exclude from assume role analysis.
+# Add your organization's account IDs and any thrid party vendor's
+# account IDs here to avoid false positives.
+# https://github.com/fwdcloudsec/known_aws_accounts/blob/main/accounts.yaml
+known-accounts:
+  - ""
 """
 
 MULTI_ACCOUNT_CONFIG_TEMPLATE = """accounts:
@@ -83,6 +89,9 @@ ISSUE_SEVERITY = {
     "CredentialsExposure": "high",
     "InfrastructureModification": "low",
     "AssumableByComputeService": "low",
+    "AssumableByCrossAccountPrincipal": "medium",
+    "AssumableByAnyPrincipal": "critical",
+    "AssumableByAnyPrincipalWithConditions": "medium",
 }
 
 RISK_DEFINITION = {
@@ -93,6 +102,9 @@ RISK_DEFINITION = {
     "CredentialsExposure": "<p>Credentials Exposure actions return credentials as part of the API response , such as ecr:GetAuthorizationToken, iam:UpdateAccessKey, and others. The full list is maintained here: https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a</p>",
     "InfrastructureModification": "",
     "AssumableByComputeService": "<p>IAM Roles can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda) can present greater risk than user-defined roles, especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios.<br>For example, if an attacker obtains privileges to execute <code>ssm:SendCommand</code> and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances.</p>",
+    "AssumableByCrossAccountPrincipal": "<p>IAM Roles that can be assumed from other AWS accounts can present a greater risk than roles that can only be assumed within the same AWS account. This is especially true if the trusting account is not owned by your organization.</p>",
+    "AssumableByAnyPrincipal": "<p>IAM Roles that can be assumed by any principal (i.e. Principal: '*') present a very high risk and should be remediated immediately.</p>",
+    "AssumableByAnyPrincipalWithConditions": "<p>IAM Roles that can be assumed by any principal (i.e. Principal: '*') but have conditions present can lead to unexpected outcomes. The conditions should be carefully reviewed to ensure they are not overly permissive.</p>",
 }
 
 PRIVILEGE_ESCALATION_METHODS = {

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/shared/default-exclusions.yml

@@ -31,4 +31,9 @@ include-actions:
 # Write actions to include from the results, such as kms:Decrypt
 exclude-actions:
   - ""
-
+# Known AWS Account IDs to exclude from assume role analysis.
+# Add your organization's account IDs and any thrid party vendor's
+# account IDs here to avoid false positives.
+# https://github.com/fwdcloudsec/known_aws_accounts/blob/main/accounts.yaml
+known-accounts:
+  - ""

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/shared/exclusions.py

@@ -28,6 +28,7 @@ class Exclusions:
         self.users = self._users()
         self.groups = self._groups()
         self.policies = self._policies()
+        self.known_accounts = self._known_accounts()
 
     def _roles(self) -> list[str]:
         provided_roles = self.config.get("roles", [])
@@ -65,6 +66,12 @@ class Exclusions:
         always_exclude_actions = [x.lower() for x in exclude_actions]
         return always_exclude_actions
 
+    def _known_accounts(self) -> set[str]:
+        provided_known_accounts = self.config.get("known-accounts", [])
+        # Normalize for comparisons - remove empty strings
+        known_accounts = {account for account in provided_known_accounts if account.strip()}
+        return known_accounts
+
     def is_action_always_included(self, action_in_question: str) -> bool | str:
         """
         Supply an IAM action, and get a decision about whether or not it is excluded.

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/shared/utils.py

@@ -7,6 +7,7 @@
 # or https://opensource.org/licenses/BSD-3-Clause
 from __future__ import annotations
 
+import contextlib
 import json
 import logging
 import os
@@ -20,6 +21,7 @@ from policy_sentry.querying.actions import (
     remove_actions_not_matching_access_level,
 )
 from policy_sentry.querying.all import get_all_service_prefixes
+from policy_sentry.util.arns import get_account_from_arn
 
 all_service_prefixes = get_all_service_prefixes()
 logger = logging.getLogger(__name__)
@@ -169,3 +171,15 @@ def write_json_to_file(file: str, content: str) -> None:
         os.remove(file)
 
     Path(file).write_text(json.dumps(content, indent=4, default=str), encoding="utf-8")
+
+
+def get_account_id_from_principal(principal: str) -> str | None:
+    """Return the AWS account ID for a principal ARN or bare 12-digit account identifier."""
+    principal_stripped = principal.strip()
+    if principal_stripped.startswith("arn:aws:iam::"):
+        with contextlib.suppress(Exception):
+            return get_account_from_arn(principal_stripped)
+        return None
+    if principal_stripped.isdigit() and len(principal_stripped) == 12:
+        return principal_stripped
+    return None

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/cloudsplaining/shared/validation.py

@@ -22,6 +22,7 @@ EXCLUSIONS_TEMPLATE_SCHEMA = Schema(
         Optional("groups"): [str],
         Optional("exclude-actions"): [str],
         Optional("include-actions"): [str],
+        Optional("known-accounts"): [str],
     }
 )
 

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1/cloudsplaining.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cloudsplaining
-Version: 0.8.0
+Version: 0.8.1
 Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
 Home-page: https://github.com/salesforce/cloudsplaining
 Author: Kinnaird McQuade
@@ -21,7 +21,7 @@ Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
-Requires-Python: >=3.8
+Requires-Python: >=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 

{cloudsplaining-0.8.0 → cloudsplaining-0.8.1}/setup.py

@@ -68,5 +68,5 @@ setuptools.setup(
     entry_points={"console_scripts": "cloudsplaining=cloudsplaining.bin.cli:main"},
     zip_safe=True,
     keywords="aws iam roles policy policies privileges security",
-    python_requires=">=3.8",
+    python_requires=">=3.9",
 )

cloudsplaining-0.8.0/cloudsplaining/scan/assume_role_policy_document.py

@@ -1,91 +0,0 @@
-"""Represents the AssumeRole Trust Policy. This is mainly used for identifying whether roles are assumable via AWS compute services."""
-
-# Copyright (c) 2020, salesforce.com, inc.
-# All rights reserved.
-# Licensed under the BSD 3-Clause license.
-# For full license text, see the LICENSE file in the repo root
-# or https://opensource.org/licenses/BSD-3-Clause
-from __future__ import annotations
-
-import logging
-from typing import Any
-
-from cloudsplaining.scan.resource_policy_document import (
-    ResourcePolicyDocument,
-    ResourceStatement,
-)
-from cloudsplaining.shared.constants import SERVICE_PREFIXES_WITH_COMPUTE_ROLES
-
-logger = logging.getLogger(__name__)
-
-
-class AssumeRolePolicyDocument(ResourcePolicyDocument):
-    """Holds the AssumeRole/Trust Policy document
-
-    It is a specialized version of a Resource-based policy
-    """
-
-    def __init__(self, policy: dict[str, Any]) -> None:
-        statement_structure = policy.get("Statement", [])
-        self.policy = policy
-        # We would actually need to define a proper base class with a generic type for statements
-        self.statements: list[AssumeRoleStatement] = []  # type:ignore[assignment]
-        # leaving here but excluding from tests because IAM Policy grammar dictates that it must be a list
-        if not isinstance(statement_structure, list):  # pragma: no cover
-            statement_structure = [statement_structure]
-
-        for statement in statement_structure:
-            self.statements.append(AssumeRoleStatement(statement))
-
-    @property
-    def role_assumable_by_compute_services(self) -> list[str]:
-        """Determines whether or not the role is assumed from a compute service, and if so which ones."""
-        assumable_by_compute_services = []
-        for statement in self.statements:
-            if statement.role_assumable_by_compute_services:
-                assumable_by_compute_services.extend(statement.role_assumable_by_compute_services)
-        return assumable_by_compute_services
-
-
-class AssumeRoleStatement(ResourceStatement):
-    """
-    Statements in an AssumeRole/Trust Policy document
-    """
-
-    def __init__(self, statement: dict[str, Any]) -> None:
-        super().__init__(statement=statement)
-
-        # self.not_principal = statement.get("NotPrincipal")
-        if statement.get("NotPrincipal"):
-            logger.critical(  # pragma: no cover
-                "NotPrincipal is used in the IAM AssumeRole Trust Policy. "
-                "This should NOT be used. We suggest reviewing it ASAP."
-            )
-
-    def _assume_role_actions(self) -> list[str]:
-        """Verifies that this is limited to just sts:AssumeRole"""
-        actions = self.statement.get("Action", [])
-        if not actions:
-            logger.debug("The AssumeRole Policy has no actions in it.")
-            return []
-
-        if isinstance(actions, list):
-            return actions
-
-        return [actions]
-
-    @property
-    def role_assumable_by_compute_services(self) -> list[str]:
-        """Determines whether or not the role is assumed from a compute service, and if so which ones."""
-        # sts:AssumeRole must be there
-        lowercase_actions = [x.lower() for x in self.actions]
-        if "sts:AssumeRole".lower() not in lowercase_actions:
-            return []
-
-        assumable_by_compute_services = []
-        for principal in self.principals:
-            if principal.endswith(".amazonaws.com"):
-                service_prefix_to_evaluate = principal.split(".")[0]
-                if service_prefix_to_evaluate in SERVICE_PREFIXES_WITH_COMPUTE_ROLES:
-                    assumable_by_compute_services.append(service_prefix_to_evaluate)
-        return assumable_by_compute_services