cloudsplaining 0.8.0__tar.gz → 0.8.2__tar.gz

{cloudsplaining-0.8.0 → cloudsplaining-0.8.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cloudsplaining
-Version: 0.8.0
+Version: 0.8.2
 Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
 Home-page: https://github.com/salesforce/cloudsplaining
 Author: Kinnaird McQuade
@@ -19,9 +19,10 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
-Requires-Python: >=3.8
+Requires-Python: >=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 
@@ -359,6 +360,47 @@ cloudsplaining scan-multi-account \
 
 > Note that if you run the above without the `--profile` flag, it will execute in the standard [AWS Credentials order of precedence](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) (i.e., Environment variables, credentials profiles, ECS container credentials, then finally EC2 Instance Profile credentials). 
 
+## Custom Guidance and Appendices
+
+Cloudsplaining supports customizing the Guidance and Appendices sections of the HTML report to include organization-specific security recommendations and documentation.
+
+### How It Works
+
+Place HTML files in your project root directory:
+
+- `custom-guidance.html` - Custom security guidance content
+- `custom-appendices.html` - Custom appendices content
+
+### Behavior
+
+- **Files don't exist**: Shows default AWS security advice
+- **Files exist with content**: Shows your custom HTML content
+- **Files exist but are empty**: Hides the tabs entirely
+- **Mixed configuration**: Each tab works independently
+
+### Example Usage
+
+```bash
+# Create custom guidance
+echo '<h1>Company Security Guidelines</h1>
+<p>Follow these organization-specific steps:</p>
+<ul>
+  <li>Review with security team</li>
+  <li>Document in JIRA ticket</li>
+  <li>Get approval before remediation</li>
+</ul>' > custom-guidance.html
+
+# Create custom appendices  
+echo '<h1>Internal Resources</h1>
+<p>Additional company resources:</p>
+<ul>
+  <li><a href="https://internal.company.com/security">Security Portal</a></li>
+  <li><a href="https://wiki.company.com/iam">IAM Best Practices</a></li>
+</ul>' > custom-appendices.html
+```
+
+# Generate report with custom content
+cloudsplaining scan --input-file account-data.json --output reports/
 
 ## Cheatsheet
 

cloudsplaining-0.8.0/cloudsplaining.egg-info/PKG-INFO → cloudsplaining-0.8.2/README.md

@@ -1,30 +1,3 @@
-Metadata-Version: 2.1
-Name: cloudsplaining
-Version: 0.8.0
-Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
-Home-page: https://github.com/salesforce/cloudsplaining
-Author: Kinnaird McQuade
-Author-email: kinnairdm@gmail.com
-License: UNKNOWN
-Project-URL: Documentation, https://policy-sentry.readthedocs.io/
-Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
-Project-URL: Code, https://github.com/salesforce/cloudsplaining/
-Project-URL: Twitter, https://twitter.com/kmcquade3
-Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
-Keywords: aws iam roles policy policies privileges security
-Platform: UNKNOWN
-Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Requires-Python: >=3.8
-Description-Content-Type: text/markdown
-License-File: LICENSE
-
 ## NOTE: This repo/project has been restored by Salesforce.
 
 Cloudsplaining
@@ -359,6 +332,47 @@ cloudsplaining scan-multi-account \
 
 > Note that if you run the above without the `--profile` flag, it will execute in the standard [AWS Credentials order of precedence](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) (i.e., Environment variables, credentials profiles, ECS container credentials, then finally EC2 Instance Profile credentials). 
 
+## Custom Guidance and Appendices
+
+Cloudsplaining supports customizing the Guidance and Appendices sections of the HTML report to include organization-specific security recommendations and documentation.
+
+### How It Works
+
+Place HTML files in your project root directory:
+
+- `custom-guidance.html` - Custom security guidance content
+- `custom-appendices.html` - Custom appendices content
+
+### Behavior
+
+- **Files don't exist**: Shows default AWS security advice
+- **Files exist with content**: Shows your custom HTML content
+- **Files exist but are empty**: Hides the tabs entirely
+- **Mixed configuration**: Each tab works independently
+
+### Example Usage
+
+```bash
+# Create custom guidance
+echo '<h1>Company Security Guidelines</h1>
+<p>Follow these organization-specific steps:</p>
+<ul>
+  <li>Review with security team</li>
+  <li>Document in JIRA ticket</li>
+  <li>Get approval before remediation</li>
+</ul>' > custom-guidance.html
+
+# Create custom appendices  
+echo '<h1>Internal Resources</h1>
+<p>Additional company resources:</p>
+<ul>
+  <li><a href="https://internal.company.com/security">Security Portal</a></li>
+  <li><a href="https://wiki.company.com/iam">IAM Best Practices</a></li>
+</ul>' > custom-appendices.html
+```
+
+# Generate report with custom content
+cloudsplaining scan --input-file account-data.json --output reports/
 
 ## Cheatsheet
 
@@ -412,5 +426,3 @@ Try upgrading to the latest version of Cloudsplaining. This error was fixed in v
 * [AWS Privilege Escalation Methods](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation) by [Spencer Gietzen](https://twitter.com/SpenGietz) at Rhino Security Labs
 * [Understanding Access Level Summaries within Policy Summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html)
 * [Leveraging next-generation blockchain-based AI across multiple service meshes to transparently automate multi-cloud IAM wizardry :mage_man:](http://kmcquade.com/rick.html)
-
-

{cloudsplaining-0.8.0 → cloudsplaining-0.8.2}/cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = "0.8.0"
+__version__ = "0.8.2"

{cloudsplaining-0.8.0 → cloudsplaining-0.8.2}/cloudsplaining/command/create_exclusions_file.py

@@ -41,8 +41,8 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     set_log_level(verbosity)
 
     with open(output_file, "a", encoding="utf-8") as file_obj:
-        for line in EXCLUSIONS_TEMPLATE:
-            file_obj.write(line)
+        file_obj.write(EXCLUSIONS_TEMPLATE)
+
     utils.print_green(f"Success! Exclusions template file written to: {output_file}")
     print(
         "Make sure you download your account authorization details before running the scan."

{cloudsplaining-0.8.0 → cloudsplaining-0.8.2}/cloudsplaining/command/create_multi_account_config_file.py

@@ -47,8 +47,8 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
         os.remove(output_file)
 
     with open(output_file, "a", encoding="utf-8") as file_obj:
-        for line in MULTI_ACCOUNT_CONFIG_TEMPLATE:
-            file_obj.write(line)
+        file_obj.write(MULTI_ACCOUNT_CONFIG_TEMPLATE)
+
     utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
     print(
         f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."

{cloudsplaining-0.8.0 → cloudsplaining-0.8.2}/cloudsplaining/command/scan.py

@@ -96,6 +96,14 @@ from cloudsplaining.shared.validation import check_authorization_details_schema
     multiple=True,
     type=click.Choice(["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"], case_sensitive=False),
 )
+@click.option(
+    "-t",
+    "--flag-trust-policies",
+    required=False,
+    default=False,
+    is_flag=True,
+    help="Flag risky trust policies in roles.",
+)
 def scan(
     input_file: str,
     exclusions_file: str,
@@ -105,6 +113,7 @@ def scan(
     flag_all_risky_actions: bool,
     verbosity: int,
     severity: list[str],
+    flag_trust_policies: bool,
 ) -> None:  # pragma: no cover
     """
     Given the path to account authorization details files and the exclusions config file, scan all inline and
@@ -142,6 +151,7 @@ def scan(
             minimize=minimize,
             flag_conditional_statements=flag_conditional_statements,
             flag_resource_arn_statements=flag_resource_arn_statements,
+            flag_trust_policies=flag_trust_policies,
             severity=severity,
         )
         html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
@@ -207,6 +217,7 @@ def scan_account_authorization_details(
     return_json_results: Literal[True],
     flag_conditional_statements: bool = ...,
     flag_resource_arn_statements: bool = ...,
+    flag_trust_policies: bool = ...,
     severity: list[str] | None = ...,
 ) -> dict[str, Any]: ...
 
@@ -222,6 +233,7 @@ def scan_account_authorization_details(
     return_json_results: Literal[False] = ...,
     flag_conditional_statements: bool = ...,
     flag_resource_arn_statements: bool = ...,
+    flag_trust_policies: bool = ...,
     severity: list[str] | None = ...,
 ) -> str: ...
 
@@ -236,6 +248,7 @@ def scan_account_authorization_details(
     return_json_results: bool = False,
     flag_conditional_statements: bool = False,
     flag_resource_arn_statements: bool = False,
+    flag_trust_policies: bool = False,
     severity: list[str] | None = None,
 ) -> str | dict[str, Any]:  # pragma: no cover
     """
@@ -250,6 +263,7 @@ def scan_account_authorization_details(
         exclusions=exclusions,
         flag_conditional_statements=flag_conditional_statements,
         flag_resource_arn_statements=flag_resource_arn_statements,
+        flag_trust_policies=flag_trust_policies,
         severity=severity,
     )
     results = authorization_details.results

{cloudsplaining-0.8.0 → cloudsplaining-0.8.2}/cloudsplaining/command/scan_multi_account.py

@@ -120,6 +120,14 @@ class MultiAccountConfig:
     multiple=True,
     type=click.Choice(["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"], case_sensitive=False),
 )
+@click.option(
+    "-t",
+    "--flag-trust-policies",
+    required=False,
+    default=False,
+    is_flag=True,
+    help="Flag risky trust policies in roles.",
+)
 def scan_multi_account(
     config_file: str,
     profile: str,
@@ -131,6 +139,7 @@ def scan_multi_account(
     flag_all_risky_actions: bool,
     verbosity: int,
     severity: list[str],
+    flag_trust_policies: bool,
 ) -> None:
     """Scan multiple accounts via AssumeRole"""
     set_log_level(verbosity)
@@ -160,6 +169,7 @@ def scan_multi_account(
         severity=severity,
         flag_conditional_statements=flag_conditional_statements,
         flag_resource_arn_statements=flag_resource_arn_statements,
+        flag_trust_policies=flag_trust_policies,
     )
 
 
@@ -174,6 +184,7 @@ def scan_accounts(
     severity: list[str] | None = None,
     flag_conditional_statements: bool = False,
     flag_resource_arn_statements: bool = False,
+    flag_trust_policies: bool = False,
 ) -> None:
     """Use this method as a library to scan multiple accounts"""
     # TODO: Speed improvements? Multithreading? This currently runs sequentially.
@@ -187,6 +198,7 @@ def scan_accounts(
             severity=severity,
             flag_conditional_statements=flag_conditional_statements,
             flag_resource_arn_statements=flag_resource_arn_statements,
+            flag_trust_policies=flag_trust_policies,
         )
         html_report = HTMLReport(
             account_id=target_account_id,
@@ -233,6 +245,7 @@ def scan_account(
     severity: list[str] | None = None,
     flag_conditional_statements: bool = False,
     flag_resource_arn_statements: bool = False,
+    flag_trust_policies: bool = False,
 ) -> dict[str, dict[str, Any]]:
     """Scan a target account in one shot"""
     account_authorization_details = download_account_authorization_details(
@@ -247,6 +260,7 @@ def scan_account(
         severity=severity,
         flag_conditional_statements=flag_conditional_statements,
         flag_resource_arn_statements=flag_resource_arn_statements,
+        flag_trust_policies=flag_trust_policies,
     )
     results = authorization_details.results
     return results