cloudsplaining 0.8.2__tar.gz → 0.9.1__tar.gz

{cloudsplaining-0.8.2/cloudsplaining.egg-info → cloudsplaining-0.9.1}/PKG-INFO

@@ -1,32 +1,37 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: cloudsplaining
-Version: 0.8.2
-Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
-Home-page: https://github.com/salesforce/cloudsplaining
+Version: 0.9.1
+Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report
+Keywords: aws,iam,roles,policy,policies,privileges,security
 Author: Kinnaird McQuade
-Author-email: kinnairdm@gmail.com
-License: UNKNOWN
-Project-URL: Documentation, https://policy-sentry.readthedocs.io/
-Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
-Project-URL: Code, https://github.com/salesforce/cloudsplaining/
-Project-URL: Twitter, https://twitter.com/kmcquade3
-Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
-Keywords: aws iam roles policy policies privileges security
-Platform: UNKNOWN
+Author-email: Kinnaird McQuade <kinnairdm@gmail.com>
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Classifier: Programming Language :: Python :: 3.14
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Requires-Python: >=3.9
+Classifier: Typing :: Typed
+Requires-Dist: boto3>=1.41.0,<2.0.0
+Requires-Dist: botocore>=1.41.0,<2.0.0
+Requires-Dist: click>=8.1.0,<9.0.0
+Requires-Dist: click-option-group>=0.5.9,<0.6.0
+Requires-Dist: jinja2>=3.1.0,<4.0.0
+Requires-Dist: policy-sentry>=0.15.0,<0.16.0
+Requires-Dist: pyyaml>=6.0.0,<7.0.0
+Requires-Dist: schema>=0.7.0,<0.8.0
+Requires-Python: >=3.10
+Project-URL: Homepage, https://github.com/salesforce/cloudsplaining
+Project-URL: Repository, https://github.com/salesforce/cloudsplaining
+Project-URL: Code, https://github.com/salesforce/cloudsplaining
+Project-URL: Documentation, https://cloudsplaining.readthedocs.io/
+Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
+Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
+Project-URL: Twitter, https://twitter.com/kmcquade3
 Description-Content-Type: text/markdown
-License-File: LICENSE
-
-## NOTE: This repo/project has been restored by Salesforce.
 
 Cloudsplaining
 --------------
@@ -55,13 +60,14 @@ For full documentation, please visit the [project on ReadTheDocs](https://clouds
 
 ## Overview
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 It helps to identify IAM actions that do not leverage resource constraints. It also helps prioritize the remediation process by flagging IAM policies that present the following risks to the AWS account in question without restriction:
-* Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
-* Infrastructure Modification
-* Resource Exposure (the ability to modify resource-based policies)
-* Privilege Escalation (based on Rhino Security Labs research)
+* [Data Exfiltration](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/) (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
+* [Infrastructure Modification](https://cloudsplaining.readthedocs.io/en/latest/glossary/infrastructure-modification/)
+* [Resource Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/) (the ability to modify resource-based policies)
+* [Privilege Escalation](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/) (based on Pathfinding.cloud)
+* [Credentials Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)
 
 Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute [ssm:SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier. See the [sample report](https://opensource.salesforce.com/cloudsplaining/#executive-summary) for some examples.
 
@@ -108,7 +114,7 @@ Policy Sentry [makes it really easy to do this](https://github.com/salesforce/po
 
 That's why we wrote Cloudsplaining.
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 ## Installation
 
@@ -454,5 +460,3 @@ Try upgrading to the latest version of Cloudsplaining. This error was fixed in v
 * [AWS Privilege Escalation Methods](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation) by [Spencer Gietzen](https://twitter.com/SpenGietz) at Rhino Security Labs
 * [Understanding Access Level Summaries within Policy Summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html)
 * [Leveraging next-generation blockchain-based AI across multiple service meshes to transparently automate multi-cloud IAM wizardry :mage_man:](http://kmcquade.com/rick.html)
-
-

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/README.md

@@ -1,5 +1,3 @@
-## NOTE: This repo/project has been restored by Salesforce.
-
 Cloudsplaining
 --------------
 
@@ -27,13 +25,14 @@ For full documentation, please visit the [project on ReadTheDocs](https://clouds
 
 ## Overview
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 It helps to identify IAM actions that do not leverage resource constraints. It also helps prioritize the remediation process by flagging IAM policies that present the following risks to the AWS account in question without restriction:
-* Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
-* Infrastructure Modification
-* Resource Exposure (the ability to modify resource-based policies)
-* Privilege Escalation (based on Rhino Security Labs research)
+* [Data Exfiltration](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/) (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
+* [Infrastructure Modification](https://cloudsplaining.readthedocs.io/en/latest/glossary/infrastructure-modification/)
+* [Resource Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/) (the ability to modify resource-based policies)
+* [Privilege Escalation](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/) (based on Pathfinding.cloud)
+* [Credentials Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)
 
 Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute [ssm:SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier. See the [sample report](https://opensource.salesforce.com/cloudsplaining/#executive-summary) for some examples.
 
@@ -80,7 +79,7 @@ Policy Sentry [makes it really easy to do this](https://github.com/salesforce/po
 
 That's why we wrote Cloudsplaining.
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 ## Installation
 

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/__init__.py

@@ -1,4 +1,4 @@
-# pylint: disable=missing-module-docstring
+# ruff: noqa: RUF067
 from __future__ import annotations
 
 import logging

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/bin/cli.py

@@ -5,21 +5,28 @@
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 """
-Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
+Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
 """
 
 import click
 
 from cloudsplaining import command
 from cloudsplaining.bin.version import __version__
+from cloudsplaining.shared.exclusions import set_exclusion_output
 
 
 @click.group()
 @click.version_option(version=__version__)
-def cloudsplaining() -> None:
+@click.pass_context
+def cloudsplaining(ctx: click.Context) -> None:
     """
-    Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
+    Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
     """
+    # Surface exclusion-match messages on stdout for the CLI (historical behavior), then
+    # restore the prior value when the Click context tears down so an in-process CLI run
+    # does not leak printing state into later library use.
+    previous = set_exclusion_output(True)
+    ctx.call_on_close(lambda: set_exclusion_output(previous))
 
 
 cloudsplaining.add_command(command.create_exclusions_file.create_exclusions_file)
@@ -32,7 +39,7 @@ cloudsplaining.add_command(command.download.download)
 
 
 def main() -> None:
-    """Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet."""
+    """Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report."""
     cloudsplaining()
 
 

cloudsplaining-0.9.1/cloudsplaining/bin/version.py

@@ -0,0 +1,7 @@
+import importlib.metadata
+
+try:
+    __version__ = importlib.metadata.version("cloudsplaining")
+except Exception:
+    # needed for local dev
+    __version__ = "0.0.0"

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/command/create_exclusions_file.py

@@ -9,7 +9,7 @@ This way, users don't have to remember exactly how to phrase the yaml files, sin
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 import logging
-import os
+from pathlib import Path
 
 import click
 
@@ -21,14 +21,14 @@ logger = logging.getLogger(__name__)
 
 
 @click.command(
-    context_settings=dict(max_content_width=160),
+    context_settings={"max_content_width": 160},
     short_help="Creates a YML file to be used as a custom exclusions template",
 )
 @click.option(
     "-o",
     "--output-file",
     type=click.Path(exists=False),
-    default=os.path.join(os.getcwd(), "exclusions.yml"),
+    default=str(Path.cwd() / "exclusions.yml"),
     required=True,
     help="Relative path to output file where we want to store the exclusions template.",
 )
@@ -40,7 +40,7 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(output_file, "a", encoding="utf-8") as file_obj:
+    with Path(output_file).open("a", encoding="utf-8") as file_obj:
         file_obj.write(EXCLUSIONS_TEMPLATE)
 
     utils.print_green(f"Success! Exclusions template file written to: {output_file}")

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/command/create_multi_account_config_file.py

@@ -9,7 +9,7 @@ This way, users don't have to remember exactly how to phrase the yaml files, sin
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 import logging
-import os
+from pathlib import Path
 
 import click
 
@@ -23,7 +23,7 @@ END = "\033[0m"
 
 
 @click.command(
-    context_settings=dict(max_content_width=160),
+    context_settings={"max_content_width": 160},
     short_help="Creates a YML file to be used for multi-account scanning",
 )
 @click.option(
@@ -31,7 +31,7 @@ END = "\033[0m"
     "--output-file",
     "output_file",
     type=click.Path(exists=False),
-    default=os.path.join(os.getcwd(), "multi-account-config.yml"),
+    default=str(Path.cwd() / "multi-account-config.yml"),
     required=True,
     help="Relative path to output file where we want to store the multi account config template.",
 )
@@ -42,17 +42,16 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    if os.path.exists(output_file):
-        logger.debug("%s exists. Removing the file and replacing its contents.", output_file)
-        os.remove(output_file)
+    output_file_path = Path(output_file)
+    if output_file_path.exists():
+        logger.debug("%s exists. Removing the file and replacing its contents.", output_file_path)
+        output_file_path.unlink()
 
-    with open(output_file, "a", encoding="utf-8") as file_obj:
+    with output_file_path.open("a", encoding="utf-8") as file_obj:
         file_obj.write(MULTI_ACCOUNT_CONFIG_TEMPLATE)
 
-    utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
+    utils.print_green(f"Success! Multi-account config file written to: {output_file_path}")
     print(
-        f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."
-    )
-    print(
-        f"\n\tcloudsplaining scan-multi-account --exclusions-file exclusions.yml -c {os.path.relpath(output_file)} -o ./"
+        f"\nMake sure you edit the {output_file_path} file and then run the scan-multi-account command, as shown below."
     )
+    print(f"\n\tcloudsplaining scan-multi-account --exclusions-file exclusions.yml -c {output_file_path} -o ./")

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/command/download.py

@@ -11,6 +11,7 @@ from __future__ import annotations
 import json
 import logging
 import os
+from pathlib import Path
 from typing import TYPE_CHECKING, Any
 
 import boto3
@@ -20,7 +21,7 @@ from botocore.config import Config
 from cloudsplaining import set_log_level
 
 if TYPE_CHECKING:
-    from mypy_boto3_iam import IAMClient
+    from types_boto3_iam import IAMClient
 
 logger = logging.getLogger(__name__)
 
@@ -41,7 +42,7 @@ logger = logging.getLogger(__name__)
     "-o",
     "--output",
     type=click.Path(exists=True),
-    default=os.getcwd(),
+    default=os.getcwd(),  # noqa: PTH109
     help="Path to store the output. Defaults to current directory.",
 )
 @click.option(
@@ -61,14 +62,15 @@ def download(profile: str, output: str, include_non_default_policy_versions: boo
     default_region = "us-east-1"
     session_data = {"region_name": default_region}
 
+    output_path = Path(output)
     if profile:
         session_data["profile_name"] = profile
-        output_filename = os.path.join(output, f"{profile}.json")
+        output_filename = output_path / f"{profile}.json"
     else:
-        output_filename = os.path.join(output, "default.json")
+        output_filename = output_path / "default.json"
 
     results = get_account_authorization_details(session_data, include_non_default_policy_versions)
-    with open(output_filename, "w", encoding="utf-8") as f:
+    with output_filename.open("w", encoding="utf-8") as f:
         json.dump(results, f, indent=4, default=str)
     # output_filename.write_text(json.dumps(results, indent=4, default=str))
     print(f"Saved results to {output_filename}")
@@ -79,7 +81,7 @@ def get_account_authorization_details(
     session_data: dict[str, str], include_non_default_policy_versions: bool
 ) -> dict[str, list[Any]]:
     """Runs aws-iam-get-account-authorization-details"""
-    session = boto3.Session(**session_data)  # type:ignore[arg-type]
+    session = boto3.Session(**session_data)  # ty: ignore[invalid-argument-type]
     config = Config(connect_timeout=5, retries={"max_attempts": 10})
     iam_client: IAMClient = session.client("iam", config=config)
 

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/command/expand_policy.py

@@ -9,6 +9,7 @@ Expands the wildcards (*) on an IAM policy file so it is easier for a human to u
 # or https://opensource.org/licenses/BSD-3-Clause
 import json
 import logging
+from pathlib import Path
 
 import click
 from policy_sentry.analysis.expand import get_expanded_policy
@@ -33,7 +34,7 @@ def expand_policy(input_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(input_file, encoding="utf-8") as json_file:
+    with Path(input_file).open(encoding="utf-8") as json_file:
         logger.debug(f"Opening {input_file}")
         data = json.load(json_file)
         policy = get_expanded_policy(data)

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/command/scan.py

@@ -47,14 +47,14 @@ from cloudsplaining.shared.validation import check_authorization_details_schema
     help="A yaml file containing a list of policy names to exclude from the scan.",
     type=click.Path(exists=True),
     required=False,
-    default=EXCLUSIONS_FILE,
+    default=str(EXCLUSIONS_FILE),
 )
 @click.option(
     "-o",
     "--output",
     required=False,
     type=click.Path(exists=True),
-    default=os.getcwd(),
+    default=os.getcwd(),  # noqa: PTH109
     help="Output directory.",
 )
 @click.option(
@@ -123,7 +123,7 @@ def scan(
 
     if exclusions_file:
         # Get the exclusions configuration
-        with open(exclusions_file, encoding="utf-8") as yaml_file:
+        with Path(exclusions_file).open(encoding="utf-8") as yaml_file:
             try:
                 exclusions_cfg = yaml.safe_load(yaml_file)
             except yaml.YAMLError as exc:
@@ -139,14 +139,16 @@ def scan(
         flag_conditional_statements = False
         flag_resource_arn_statements = False
 
-    if os.path.isfile(input_file):
-        account_name = os.path.basename(input_file).split(".")[0]
-        account_authorization_details_cfg = json.loads(Path(input_file).read_text(encoding="utf-8"))
+    output_path = Path(output)
+    input_file_path = Path(input_file)
+    if input_file_path.is_file():
+        account_name = input_file_path.stem
+        account_authorization_details_cfg = json.loads(input_file_path.read_text(encoding="utf-8"))
         rendered_html_report = scan_account_authorization_details(
             account_authorization_details_cfg,
             exclusions,
             account_name,
-            output,
+            output_path,
             write_data_files=True,
             minimize=minimize,
             flag_conditional_statements=flag_conditional_statements,
@@ -154,52 +156,52 @@ def scan(
             flag_trust_policies=flag_trust_policies,
             severity=severity,
         )
-        html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+        html_output_file = output_path / f"iam-report-{account_name}.html"
         logger.info("Saving the report to %s", html_output_file)
-        if os.path.exists(html_output_file):
-            os.remove(html_output_file)
+        if html_output_file.exists():
+            html_output_file.unlink()
 
-        Path(html_output_file).write_text(rendered_html_report, encoding="utf-8")
+        html_output_file.write_text(rendered_html_report, encoding="utf-8")
 
         print(f"Wrote HTML results to: {html_output_file}")
 
         # Open the report by default
         if not skip_open_report:
             print("Opening the HTML report")
-            url = f"file://{os.path.abspath(html_output_file)}"
+            url = f"file://{html_output_file.absolute()}"
             webbrowser.open(url, new=2)
 
-    if os.path.isdir(input_file):
+    if input_file_path.is_dir():
         logger.info("The path given is a directory. Scanning for account authorization files and generating report.")
-        input_files = get_authorization_files_in_directory(input_file)
+        input_files = get_authorization_files_in_directory(input_file_path)
         for file in input_files:
             logger.info(f"Scanning file: {file}")
             account_authorization_details_cfg = json.loads(Path(file).read_text(encoding="utf-8"))
 
-            account_name = os.path.basename(input_file).split(".")[0]
+            account_name = input_file_path.parent.stem
             # Scan the Account Authorization Details config
             rendered_html_report = scan_account_authorization_details(
                 account_authorization_details_cfg,
                 exclusions,
                 account_name,
-                output,
+                output_path,
                 write_data_files=True,
                 minimize=minimize,
                 severity=severity,
             )
-            html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+            html_output_file = output_path / f"iam-report-{account_name}.html"
             logger.info("Saving the report to %s", html_output_file)
-            if os.path.exists(html_output_file):
-                os.remove(html_output_file)
+            if html_output_file.exists():
+                html_output_file.unlink()
 
-            Path(html_output_file).write_text(rendered_html_report, encoding="utf-8")
+            html_output_file.write_text(rendered_html_report, encoding="utf-8")
 
             print(f"Wrote HTML results to: {html_output_file}")
 
             # Open the report by default
             if not skip_open_report:
                 print("Opening the HTML report")
-                url = f"file://{os.path.abspath(html_output_file)}"
+                url = f"file://{html_output_file.absolute()}"
                 webbrowser.open(url, new=2)
 
 
@@ -211,7 +213,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str,
-    output_directory: str,
+    output_directory: str | Path | None,
     write_data_files: bool,
     minimize: bool,
     return_json_results: Literal[True],
@@ -227,7 +229,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str = ...,
-    output_directory: str = ...,
+    output_directory: str | Path | None = ...,
     write_data_files: bool = ...,
     minimize: bool = ...,
     return_json_results: Literal[False] = ...,
@@ -242,7 +244,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str = "default",
-    output_directory: str = os.getcwd(),
+    output_directory: str | Path | None = None,
     write_data_files: bool = False,
     minimize: bool = False,
     return_json_results: bool = False,
@@ -285,14 +287,13 @@ def scan_account_authorization_details(
 
     # Raw data file
     if write_data_files:
-        if output_directory is None:
-            output_directory = os.getcwd()
+        output_directory = Path(output_directory) if output_directory else Path.cwd()
 
-        results_data_file = os.path.join(output_directory, f"iam-results-{account_name}.json")
+        results_data_file = output_directory / f"iam-results-{account_name}.json"
         results_data_filepath = write_results_data_file(authorization_details.results, results_data_file)
         print(f"Results data saved: {results_data_filepath}")
 
-        findings_data_file = os.path.join(output_directory, f"iam-findings-{account_name}.json")
+        findings_data_file = output_directory / f"iam-findings-{account_name}.json"
         findings_data_filepath = write_results_data_file(results, findings_data_file)
         print(f"Findings data file saved: {findings_data_filepath}")
 
@@ -302,15 +303,15 @@ def scan_account_authorization_details(
             "iam_findings": results,
             "rendered_report": rendered_report,
         }
-    else:
-        return rendered_report
+
+    return rendered_report
 
 
 def get_authorization_files_in_directory(
-    directory: str,
+    directory: Path,
 ) -> list[str]:  # pragma: no cover
     """Get a list of download-account-authorization-files in a directory"""
-    file_list_with_full_path = [file.absolute() for file in Path(directory).glob("*.json")]
+    file_list_with_full_path = [file.absolute() for file in directory.glob("*.json")]
 
     new_file_list = []
     for file in file_list_with_full_path:

{cloudsplaining-0.8.2 → cloudsplaining-0.9.1}/cloudsplaining/command/scan_multi_account.py

@@ -4,7 +4,7 @@ from __future__ import annotations
 
 import json
 import logging
-import os
+from pathlib import Path
 from typing import TYPE_CHECKING, Any, cast
 
 import click
@@ -22,7 +22,7 @@ from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS, Exclusions
 from cloudsplaining.shared.validation import check_authorization_details_schema
 
 if TYPE_CHECKING:
-    from mypy_boto3_s3 import S3ServiceResource
+    from types_boto3_s3 import S3ServiceResource
 
 logger = logging.getLogger(__name__)
 OK_GREEN = "\033[92m"
@@ -77,7 +77,7 @@ class MultiAccountConfig:
     help="A yaml file containing a list of policy names to exclude from the scan.",
     type=click.Path(exists=True),
     required=False,
-    default=EXCLUSIONS_FILE,
+    default=str(EXCLUSIONS_FILE),
 )
 @optgroup.group("Output Target Options", help="")
 @optgroup.option(
@@ -145,7 +145,7 @@ def scan_multi_account(
     set_log_level(verbosity)
 
     # Read the config file from the user
-    with open(config_file, encoding="utf-8") as yaml_file:
+    with Path(config_file).open(encoding="utf-8") as yaml_file:
         config = yaml.safe_load(yaml_file)
 
     if flag_all_risky_actions:
@@ -217,24 +217,25 @@ def scan_accounts(
             )
             # Write the HTML file
             output_file = f"{target_account_name}.html"
-            s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=rendered_report)
+            s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=rendered_report)  # ty: ignore[unresolved-attribute]
             utils.print_green(f"Saved the HTML report to: s3://{output_bucket}/{output_file}")
             # Write the JSON data file
             if write_data_file:
                 output_file = f"{target_account_name}.json"
                 body = json.dumps(results, sort_keys=True, default=str, indent=4)
-                s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=body)
+                s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=body)  # ty: ignore[unresolved-attribute]
                 utils.print_green(f"Saved the JSON data to: s3://{output_bucket}/{output_file}")
         if output_directory:
             # Write the HTML file
-            html_output_file = os.path.join(output_directory, f"{target_account_name}.html")
+            output_dir_path = Path(output_directory)
+            html_output_file = output_dir_path / f"{target_account_name}.html"
             utils.write_file(html_output_file, rendered_report)
-            utils.print_green(f"Saved the HTML report to: {os.path.relpath(html_output_file)}")
+            utils.print_green(f"Saved the HTML report to: {html_output_file}")
             # Write the JSON data file
             if write_data_file:
-                results_data_file = os.path.join(output_directory, f"{target_account_name}.json")
+                results_data_file = output_dir_path / f"{target_account_name}.json"
                 results_data_filepath = utils.write_results_data_file(results, results_data_file)
-                utils.print_green(f"Saved the JSON data to: {os.path.relpath(results_data_filepath)}")
+                utils.print_green(f"Saved the JSON data to: {results_data_filepath}")
 
 
 def scan_account(
@@ -262,8 +263,7 @@ def scan_account(
         flag_resource_arn_statements=flag_resource_arn_statements,
         flag_trust_policies=flag_trust_policies,
     )
-    results = authorization_details.results
-    return results
+    return authorization_details.results
 
 
 def download_account_authorization_details(
@@ -286,15 +286,14 @@ def download_account_authorization_details(
         "aws_session_token": aws_session_token,
     }
     include_non_default_policy_versions = False
-    authorization_details = get_account_authorization_details(session_data, include_non_default_policy_versions)
-    return authorization_details
+    return get_account_authorization_details(session_data, include_non_default_policy_versions)
 
 
 def get_exclusions(exclusions_file: str | None = None) -> Exclusions:
     """Get the exclusions configuration from a file"""
     # Get the exclusions configuration
     if exclusions_file:
-        with open(exclusions_file, encoding="utf-8") as yaml_file:
+        with Path(exclusions_file).open(encoding="utf-8") as yaml_file:
             try:
                 exclusions_cfg = yaml.safe_load(yaml_file)
             except yaml.YAMLError as exc: