cloudsplaining 0.9.0__tar.gz → 0.9.1__tar.gz

Files changed (163) hide show
  1. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/PKG-INFO +8 -9
  2. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/README.md +7 -8
  3. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/bin/cli.py +11 -4
  4. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/dist/index.html +2 -2
  5. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/dist/js/index.js +2 -2
  6. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/2-triage-guidance.md +4 -4
  7. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/principals-test.js +12 -2
  8. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/principals.js +16 -6
  9. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/exclusions.py +27 -3
  10. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/pyproject.toml +1 -1
  11. cloudsplaining-0.9.1/test/conftest.py +18 -0
  12. cloudsplaining-0.9.1/test/shared/test_exclusion_output.py +78 -0
  13. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/LICENSE +0 -0
  14. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/__init__.py +0 -0
  15. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/bin/__init__.py +0 -0
  16. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/bin/version.py +0 -0
  17. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/__init__.py +0 -0
  18. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/create_exclusions_file.py +0 -0
  19. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/create_multi_account_config_file.py +0 -0
  20. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/download.py +0 -0
  21. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/expand_policy.py +0 -0
  22. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/scan.py +0 -0
  23. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/scan_multi_account.py +0 -0
  24. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/command/scan_policy_file.py +0 -0
  25. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/__init__.py +0 -0
  26. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/dist/fonts/bootstrap-icons.woff +0 -0
  27. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/dist/fonts/bootstrap-icons.woff2 +0 -0
  28. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/dist/js/chunk-vendors.js +0 -0
  29. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/policy_finding.py +0 -0
  30. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/public/index.html +0 -0
  31. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/report.py +0 -0
  32. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/App.vue +0 -0
  33. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/1-overview.md +0 -0
  34. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/3-remediation-guidance.md +0 -0
  35. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/4-validation.md +0 -0
  36. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-assumable-by-compute-service.md +0 -0
  37. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-credentials-exposure.md +0 -0
  38. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-data-exfiltration.md +0 -0
  39. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-infrastructure-modification.md +0 -0
  40. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-privilege-escalation.md +0 -0
  41. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-resource-exposure.md +0 -0
  42. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/definition-service-wildcard.md +0 -0
  43. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/glossary.md +0 -0
  44. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/how-do-i-validate-results.md +0 -0
  45. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/identifying-false-positives.md +0 -0
  46. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/logo.png +0 -0
  47. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/summary.md +0 -0
  48. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/assets/what-should-i-do.md +0 -0
  49. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/Appendix.vue +0 -0
  50. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/Button.vue +0 -0
  51. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/Glossary.vue +0 -0
  52. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/Guidance.vue +0 -0
  53. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/InlinePolicies.vue +0 -0
  54. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/LinkToFinding.vue +0 -0
  55. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/ManagedPolicies.vue +0 -0
  56. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/PolicyTable.vue +0 -0
  57. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/Principals.vue +0 -0
  58. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/ReportMetadata.vue +0 -0
  59. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/Summary.vue +0 -0
  60. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/TaskTable.vue +0 -0
  61. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/charts/SummaryFindings.vue +0 -0
  62. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/AssumeRoleDetails.vue +0 -0
  63. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/FindingCard.vue +0 -0
  64. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/FindingDetails.vue +0 -0
  65. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/PolicyDocumentDetails.vue +0 -0
  66. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/PrivilegeEscalationDetails.vue +0 -0
  67. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/PrivilegeEscalationFormat.vue +0 -0
  68. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/RiskAlertIndicators.vue +0 -0
  69. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/finding/StandardRiskDetails.vue +0 -0
  70. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/principals/PrincipalMetadata.vue +0 -0
  71. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/components/principals/RisksPerPrincipal.vue +0 -0
  72. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/main.js +0 -0
  73. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/routes/routes.js +0 -0
  74. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/sampleData.js +0 -0
  75. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/groups-test.js +0 -0
  76. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/inline-policies-test.js +0 -0
  77. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/managed-policies-test.js +0 -0
  78. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/other-test.js +0 -0
  79. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/pathfinding-test.js +0 -0
  80. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/roles-test.js +0 -0
  81. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/test/task-table-test.js +0 -0
  82. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/glossary.js +0 -0
  83. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/groups.js +0 -0
  84. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/inline-policies.js +0 -0
  85. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/managed-policies.js +0 -0
  86. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/other.js +0 -0
  87. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/pathfinding-paths.json +0 -0
  88. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/pathfinding.js +0 -0
  89. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/roles.js +0 -0
  90. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/util/task-table.js +0 -0
  91. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/Appendices.vue +0 -0
  92. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/AwsPolicies.vue +0 -0
  93. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/CustomerPolicies.vue +0 -0
  94. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/Guidance.vue +0 -0
  95. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/IamPrincipals.vue +0 -0
  96. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/InlinePolicies.vue +0 -0
  97. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/src/views/Summary.vue +0 -0
  98. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/output/template.html +0 -0
  99. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/py.typed +0 -0
  100. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/__init__.py +0 -0
  101. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/assume_role_policy_document.py +0 -0
  102. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/authorization_details.py +0 -0
  103. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/group_details.py +0 -0
  104. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/inline_policy.py +0 -0
  105. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/managed_policy_detail.py +0 -0
  106. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/policy_document.py +0 -0
  107. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/resource_policy_document.py +0 -0
  108. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/role_details.py +0 -0
  109. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/statement_detail.py +0 -0
  110. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/scan/user_details.py +0 -0
  111. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/__init__.py +0 -0
  112. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/aws_login.py +0 -0
  113. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/constants.py +0 -0
  114. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/default-exclusions.yml +0 -0
  115. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/exceptions.py +0 -0
  116. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/multi-account-config.yml +0 -0
  117. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/template_config.py +0 -0
  118. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/utils.py +0 -0
  119. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/cloudsplaining/shared/validation.py +0 -0
  120. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/command/test_create_multi_account_config_file.py +0 -0
  121. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/command/test_expand.py +0 -0
  122. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/command/test_expand_policy.py +0 -0
  123. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/command/test_scan.py +0 -0
  124. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/command/test_scan_multi_account.py +0 -0
  125. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/command/test_scan_policy_file.py +0 -0
  126. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/example-authz-details.json +0 -0
  127. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/example_authz_details_for_overrides.json +0 -0
  128. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/example_authz_details_for_overrides_complete.json +0 -0
  129. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/example_authz_v2.json +0 -0
  130. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/managed_policy_mismatch.json +0 -0
  131. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/policy-overrides.json +0 -0
  132. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/scanning/test_authorization_file_details_missing_constraints_v2.json +0 -0
  133. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/scanning/test_group_detail_results.json +0 -0
  134. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/scanning/test_inline_policy_results.json +0 -0
  135. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/scanning/test_role_detail_results.json +0 -0
  136. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/scanning/test_user_detail_results.json +0 -0
  137. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/test-exclusions.yml +0 -0
  138. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/files/test_policy_file.json +0 -0
  139. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/output/test_policy_finding.py +0 -0
  140. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_action_links.py +0 -0
  141. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_authorization_details.py +0 -0
  142. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_exclusions_on_attached_policies.py +0 -0
  143. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_group_detail_list.py +0 -0
  144. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_inline_policy.py +0 -0
  145. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_managed_policy_detail.py +0 -0
  146. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_policy_document.py +0 -0
  147. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_privilege_escalation_methods.py +0 -0
  148. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_resource_policy_document.py +0 -0
  149. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_role_detail_list.py +0 -0
  150. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_statement_detail.py +0 -0
  151. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_trust_policies.py +0 -0
  152. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/scanning/test_user_detail_list.py +0 -0
  153. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/shared/test_aws_login.py +0 -0
  154. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/shared/test_exclusions.py +0 -0
  155. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/shared/test_pathfinding_mapping.py +0 -0
  156. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/shared/test_template_config.py +0 -0
  157. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/shared/test_utils.py +0 -0
  158. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/shared/test_validation.py +0 -0
  159. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/skills/test_iterate_pr_scripts.py +0 -0
  160. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/test_sample_data_in_sync.py +0 -0
  161. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/utils/test_build_example_dataset.py +0 -0
  162. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/utils/test_compare_example_reports.py +0 -0
  163. {cloudsplaining-0.9.0 → cloudsplaining-0.9.1}/test/utils/test_safety_scan.py +0 -0
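--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cloudsplaining
-Version: 0.9.0
+Version: 0.9.1
 Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report
 Keywords: aws,iam,roles,policy,policies,privileges,security
 Author: Kinnaird McQuade
@@ -33,8 +33,6 @@ Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
 Project-URL: Twitter, https://twitter.com/kmcquade3
 Description-Content-Type: text/markdown
 
-## NOTE: This repo/project has been restored by Salesforce.
-
 Cloudsplaining
 --------------
 
@@ -62,13 +60,14 @@ For full documentation, please visit the [project on ReadTheDocs](https://clouds
 
 ## Overview
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 It helps to identify IAM actions that do not leverage resource constraints. It also helps prioritize the remediation process by flagging IAM policies that present the following risks to the AWS account in question without restriction:
-* Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
-* Infrastructure Modification
-* Resource Exposure (the ability to modify resource-based policies)
-* Privilege Escalation (based on Rhino Security Labs research)
+* [Data Exfiltration](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/) (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
+* [Infrastructure Modification](https://cloudsplaining.readthedocs.io/en/latest/glossary/infrastructure-modification/)
+* [Resource Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/) (the ability to modify resource-based policies)
+* [Privilege Escalation](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/) (based on Pathfinding.cloud)
+* [Credentials Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)
 
 Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute [ssm:SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier. See the [sample report](https://opensource.salesforce.com/cloudsplaining/#executive-summary) for some examples.
 
@@ -115,7 +114,7 @@ Policy Sentry [makes it really easy to do this](https://github.com/salesforce/po
 
 That's why we wrote Cloudsplaining.
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 ## Installation
 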
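--- a/README.md
+++ b/README.md
@@ -1,5 +1,3 @@
-## NOTE: This repo/project has been restored by Salesforce.
-
 Cloudsplaining
 --------------
 
@@ -27,13 +25,14 @@ For full documentation, please visit the [project on ReadTheDocs](https://clouds
 
 ## Overview
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 It helps to identify IAM actions that do not leverage resource constraints. It also helps prioritize the remediation process by flagging IAM policies that present the following risks to the AWS account in question without restriction:
-* Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
-* Infrastructure Modification
-* Resource Exposure (the ability to modify resource-based policies)
-* Privilege Escalation (based on Rhino Security Labs research)
+* [Data Exfiltration](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/) (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`)
+* [Infrastructure Modification](https://cloudsplaining.readthedocs.io/en/latest/glossary/infrastructure-modification/)
+* [Resource Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/) (the ability to modify resource-based policies)
+* [Privilege Escalation](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/) (based on Pathfinding.cloud)
+* [Credentials Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)
 
 Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute [ssm:SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier. See the [sample report](https://opensource.salesforce.com/cloudsplaining/#executive-summary) for some examples.
 
@@ -80,7 +79,7 @@ Policy Sentry [makes it really easy to do this](https://github.com/salesforce/po
 
 That's why we wrote Cloudsplaining.
 
-Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file.
+Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file.
 
 ## Installation
 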
@@ -5,21 +5,28 @@
5
5
  # For full license text, see the LICENSE file in the repo root
6
6
  # or https://opensource.org/licenses/BSD-3-Clause
7
7
  """
8
- Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
8
+ Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
9
9
  """
10
10
 
11
11
  import click
12
12
 
13
13
  from cloudsplaining import command
14
14
  from cloudsplaining.bin.version import __version__
15
+ from cloudsplaining.shared.exclusions import set_exclusion_output
15
16
 
16
17
 
17
18
  @click.group()
18
19
  @click.version_option(version=__version__)
19
- def cloudsplaining() -> None:
20
+ @click.pass_context
21
+ def cloudsplaining(ctx: click.Context) -> None:
20
22
  """
21
- Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
23
+ Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
22
24
  """
25
+ # Surface exclusion-match messages on stdout for the CLI (historical behavior), then
26
+ # restore the prior value when the Click context tears down so an in-process CLI run
27
+ # does not leak printing state into later library use.
28
+ previous = set_exclusion_output(True)
29
+ ctx.call_on_close(lambda: set_exclusion_output(previous))
23
30
 
24
31
 
25
32
  cloudsplaining.add_command(command.create_exclusions_file.create_exclusions_file)
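Review bot: `previous = set_exclusion_output(True)` in the `cloudsplaining` group callback flips what appears to be process-wide state (the setter lives in `cloudsplaining.shared.exclusions` and its body is not in this hunk), so overlapping in-process CLI runs, for example a threaded test runner, can each capture the other's value as `previous` and leave printing in the wrong state after teardown. Exclusion matches decide which IAM findings are suppressed from the report, so they are worth keeping as an audit trail that does not depend on a stdout toggle; if the setter only gates `print`, consider also emitting the matches through `logging` so library callers can still record what was excluded. At minimum, document the constraint above the toggle: `# NOTE: set_exclusion_output mutates module-level state; not safe for overlapping in-process CLI invocations.`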
@@ -32,7 +39,7 @@ cloudsplaining.add_command(command.download.download)
32
39
 
33
40
 
34
41
  def main() -> None:
35
- """Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet."""
42
+ """Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report."""
36
43
  cloudsplaining()
37
44
 
38
45