Published by 0xdabbad00 over 4 years ago
AWS changed their doc format which broke the web scraper, so @kmcquade fixed it via #108. Then I ran it to collect the latest privilege info.
Published by 0xdabbad00 over 4 years ago
Adds the finding MISMATCHED_TYPE_BUT_USABLE with severity Low that is similar to the MISMATCHED_TYPE finding, but specific to when you use a string comparison against ARNs, since that will work, but is not ideal. Resolves #29
Adds the finding RESOURCE_STAR, which I expect is going to be very noisy for a lot of people, as it will be generated whenever someone uses a Resource of * when the action supports better defined resources. Resolves #72
Published by 0xdabbad00 over 4 years ago
Uses GitHub Actions to deploy the PyPI library
Published by 0xdabbad00 over 4 years ago
Published by 0xdabbad00 over 4 years ago
Support for aws:CalledVia, aws:CalledViaFirst, and aws:CalledViaLast
Published by 0xdabbad00 over 4 years ago
The big feature of this release is that it adds community auditors from @kmcquade. These currently are:
These are off by default for now, but can be enabled with --include-community-auditors
This fixes a bug when checking the results of get-account-authorization-details (thanks to @kmcquade again!)
This also adds a function get_allowed_actions which returns a list like ['s3:putobject'] for every action allowed. This likely will hurt performance when a * policy is involved. This function is currently used by the community auditors and is one of the reasons I don't have those on by default yet.
Published by 0xdabbad00 almost 5 years ago
Updates the is_glob_match function to account for some special cases. Code from Paul McGuire again in https://github.com/duo-labs/parliament/issues/36#issuecomment-574463958
Published by 0xdabbad00 almost 5 years ago
Adds the is_glob_match function from Paul McGuire, from his comment here: https://github.com/duo-labs/parliament/issues/36#issuecomment-574001764 This massively cleans up the mess that is_arn_match had become.
Published by 0xdabbad00 almost 5 years ago
Minor fix (#49) to improve identification of privileges being granted.
Published by 0xdabbad00 almost 5 years ago
The big change this release was improving the logic for identifying which actions were allowed. Previously, if you had the following, it would not identify s3:GetObject as being allowed, because it saw an Allow and a Deny and did not take into consideration the Condition:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::secretbucket/*"
},
{
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::secretbucket/*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
Now the logic identifies s3:GetObject as being allowed, because it only counts a Deny against the Allow if the Deny has no Condition. This should better handle tricks someone might use to get around a custom auditor (for example, the sensitive bucket auditor in the docs would have been fooled by this previously).
The unit tests should also be more robust, and a bug was fixed with how Bools are checked to ensure they are being matched against true and false values.
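The rule above (a Deny only cancels an Allow when it carries no Condition), the glob matching from the is_glob_match release, and the get_allowed_actions list from the community-auditors release, worked through in one added example. This is not parliament's code: KNOWN_ACTIONS is a constructed stand-in for the scraped privilege table, the glob matcher is a simplified reimplementation, and Resource scoping is ignored.

```python
import re

# Constructed, abbreviated privilege table standing in for the full action list
# parliament scrapes from the AWS docs (assumption made for this example).
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject",
    "iam:PassRole", "iam:CreateUser",
]


def is_glob_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Matching is case-insensitive, as IAM action matching is. This is a
    simplified stand-in, not parliament's own is_glob_match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def expand_actions(stmt):
    """Expand a statement's Action (or NotAction) globs against KNOWN_ACTIONS,
    returning lowercase action names like 's3:getobject'."""
    matched = {a.lower() for pat in _as_list(stmt.get("Action"))
               for a in KNOWN_ACTIONS if is_glob_match(pat, a)}
    if "NotAction" in stmt:
        excluded = {a.lower() for pat in _as_list(stmt["NotAction"])
                    for a in KNOWN_ACTIONS if is_glob_match(pat, a)}
        matched = {a.lower() for a in KNOWN_ACTIONS} - excluded
    return matched


def get_allowed_actions(policy):
    """Return the sorted list of actions the policy allows, applying the rule
    from the release notes: a Deny only cancels an Allow when the Deny has no
    Condition. Resource scoping is ignored here to keep the example short."""
    allowed, hard_denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = expand_actions(stmt)
        if stmt.get("Effect") == "Allow":
            allowed |= actions
        elif stmt.get("Effect") == "Deny" and not stmt.get("Condition"):
            # A conditional Deny (e.g. BoolIfExists on aws:MultiFactorAuthPresent)
            # might not apply at request time, so it must not hide the Allow.
            hard_denied |= actions
    return sorted(allowed - hard_denied)


# Constructed copy of the policy from the release notes: Allow plus an MFA-conditioned Deny.
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secretbucket/*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secretbucket/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed variant with an unconditional Deny: here the Deny really cancels the Allow.
HARD_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(get_allowed_actions(MFA_DENY_POLICY))   # ['s3:getobject']
    print(get_allowed_actions(HARD_DENY_POLICY))  # []
```

A custom auditor that only looked at Effect/Action pairs would have missed s3:GetObject in MFA_DENY_POLICY; with this rule the conditional Deny is treated as possibly inapplicable and the action is still reported.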
Published by 0xdabbad00 almost 5 years ago
You can now specify a directory for your private auditors, and instructions are provided on how to include your own unit tests for these. https://github.com/duo-labs/parliament#unit-tests-for-private-auditors
Some minor fixes to the existing tests to ensure they don't break when you have your own private auditors.
Published by 0xdabbad00 almost 5 years ago
This release adds the ability to have custom auditors. This is documented in the README, showing an example of how to create an auditor to generate findings for any policy that grants access to a sensitive S3 bucket: https://github.com/duo-labs/parliament#custom-auditors
This also changed how the filtering works for ignoring findings, which gives some greater control over that, by changing what had been a search for a substring into a full regex match. The regex match does mean that a search for a substring like s3:* now must be written as .*s3:\\*.* (note that .* are added to the ends so this functions as a substring lookup, and the original * needs to be double-escaped as \\*).
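The substring-to-regex change above, as an added example (not parliament's code): a filter that uses a full regex match, a helper that turns a literal substring into the padded, escaped pattern the release describes, and a constructed JSON config fragment showing why the backslash itself has to be escaped once more inside a config string. The findings and the config shape are constructed for illustration and are not parliament's config schema.

```python
import json
import re

# Constructed findings shaped like parliament's --json output (detail text is illustrative).
FINDINGS = [
    {"issue": "RESOURCE_STAR", "severity": "LOW",
     "detail": "Resource * used for action s3:* which supports resources"},
    {"issue": "MISMATCHED_TYPE_BUT_USABLE", "severity": "LOW",
     "detail": "StringEquals used against an ARN in aws:SourceArn"},
]


def is_ignored(detail, patterns):
    """Full regex match, as the release switched to, instead of a substring search.
    re.fullmatch only succeeds when the pattern covers the whole detail string."""
    return any(re.fullmatch(p, detail) for p in patterns)


def filter_findings(findings, patterns):
    """Drop every finding whose detail fully matches one of the ignore patterns."""
    return [f for f in findings if not is_ignored(f["detail"], patterns)]


def substring_to_regex(text):
    """Turn a literal substring into the equivalent full-match pattern: escape
    regex metacharacters (so '*' becomes '\\*') and pad both ends with '.*'."""
    return ".*" + re.escape(text) + ".*"


# Constructed JSON config fragment (assumed shape, not parliament's schema). Inside a
# JSON string the backslash must itself be escaped, which is the "double-escaped \\*"
# from the release notes: the file holds .*s3:\\*.* and the parsed pattern is .*s3:\*.*
CONFIG_JSON = r'{"ignore": [".*s3:\\*.*"]}'


def load_ignore_patterns(config_text):
    """Parse the constructed config and return the regex patterns it lists."""
    return json.loads(config_text)["ignore"]


if __name__ == "__main__":
    # The old substring-style pattern no longer matches anything under fullmatch:
    # as a regex, "s3:*" means "s3" followed by zero or more colons.
    print([f["issue"] for f in filter_findings(FINDINGS, ["s3:*"])])
    # The padded, escaped pattern from the config filters the RESOURCE_STAR finding.
    print([f["issue"] for f in filter_findings(FINDINGS, load_ignore_patterns(CONFIG_JSON))])
```

Note that the padded pattern is still a substring search, so it will also hit any detail that merely contains the text s3:* somewhere, such as a resource format like arn:*:s3:*:*:job/*; anchor the pattern more tightly if that is not what you want.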
Published by 0xdabbad00 almost 5 years ago
Updates privileges. AWS changed their doc format, so a new method was needed to scrape these, which was borrowed from work done by @kmcquade on policy_sentry.
Other changes:
@danielpops Fixed a typo
Published by 0xdabbad00 almost 5 years ago
Exit status now only uses a 1 to indicate findings (0 if there are no findings). The last release set the exit status to the number of findings, but that might not work in shell environments if there are over 255 findings. This was pointed out by Ben Bridts: https://twitter.com/benbridts/status/1205465492984647680
Published by 0xdabbad00 almost 5 years ago
Parliament now supports a custom config file so you can change the text or severity of issues, or filter them out entirely. For usage examples see the docs at https://github.com/duo-labs/parliament#custom-config-file
Published by 0xdabbad00 almost 5 years ago
Bug fixes
Published by 0xdabbad00 almost 5 years ago
Fixes an exception for unknown prefixes and actions introduced in 0.3.2
Published by 0xdabbad00 almost 5 years ago
The detail element will include each of these actions and the required resource, which will make that element very long, especially if you were to grant all actions via *
Published by 0xdabbad00 almost 5 years ago
./bin/parliament script for testing while developing. Some examples:
$ bin/parliament --file test.json
...
MEDIUM - No resources match for the given action - No resources match for s3:UpdateJobStatus which requires a resource format of arn:*:s3:*:*:job/* for the resource job* - {'filepath': None}
$ bin/parliament --file test.json --json
...
{"issue": "RESOURCE_MISMATCH", "title": "No resources match for the given action", "severity": "MEDIUM", "description": "", "detail": "No resources match for s3:UpdateJobStatus which requires a resource format of arn:*:s3:*:*:job/* for the resource job*", "location": {"filepath": null}}
Published by 0xdabbad00 almost 5 years ago