parliament

AWS IAM linting library

BSD-3-CLAUSE License

Downloads: 36.1K | Stars: 1K | Committers: 26


parliament - 0.4.12

Published by 0xdabbad00 over 4 years ago

AWS changed their doc format which broke the web scraper, so @kmcquade fixed it via #108. Then I ran it to collect the latest privilege info.

parliament - 0.4.11

Published by 0xdabbad00 over 4 years ago

  • Updates the IAM data. Thanks @kmcquade for figuring out the new AWS doc format!
  • Adds tests for that IAM data to try to avoid a doc change causing us to use bad data
  • Wraps the community auditor running in a try/except to avoid exceptions in that code crashing parliament. Resolves #97
  • Adds new finding type MISMATCHED_TYPE_BUT_USABLE with severity Low that is similar to the MISMATCHED_TYPE finding, but specific to when you use a string comparison against ARNs, since that will work, but is not ideal. Resolves #29
  • Adds new finding type RESOURCE_STAR, which I expect is going to be very noisy for a lot of people, as it will be generated whenever someone uses a Resource of * when the action supports better defined resources. Resolves #72

parliament - 0.4.10

Published by 0xdabbad00 over 4 years ago

Uses Github Actions to deploy Pypi library

parliament - 0.4.9

Published by 0xdabbad00 over 4 years ago

  • Removes the requirement to bring in policy_sentry for the community auditors, which was making this library much heavier than it needed to be (see #86)
  • Adds the community override file, which was a bug found and fixed by @xen0l in #91
  • Adds verbose flag by @xen0l in #87
  • Adds directory command-line option and some filtering options, again by @xen0l in #87
  • Updates the iam definition

parliament - 0.4.8

Published by 0xdabbad00 over 4 years ago

Support for aws:CalledVia, aws:CalledViaFirst, and aws:CalledViaLast

parliament - 0.4.7

Published by 0xdabbad00 over 4 years ago

The big feature of this release is that it adds community auditors from @kmcquade. These currently are:

  • Credentials exposure - Policy grants access to API calls that can return credentials to the user
  • Permissions management actions - Allows the principal to modify IAM, RAM, identity-based policies, or resource based policies.
  • Privilege escalation - Actions contain a combination of Privilege Escalation actions established by Rhino Security Labs

These are off by default for now, but can be enabled with --include-community-auditors

This fixes a bug when checking the results of get-account-authorization-details (thanks to @kmcquade again!)

This also adds a function get_allowed_actions which returns a list like ['s3:putobject'] for every action allowed. This likely will hurt performance when a * policy is involved. This function is currently used by the community auditors and is one of the reasons I don't have those on by default yet.

parliament - 0.4.6

Published by 0xdabbad00 almost 5 years ago

Updates the is_glob_function to account for some special cases. Code from Paul McGuire again in https://github.com/duo-labs/parliament/issues/36#issuecomment-574463958

parliament - 0.4.4

Published by 0xdabbad00 almost 5 years ago

  • Adds is_glob_match function from Paul McGuire from his comment here https://github.com/duo-labs/parliament/issues/36#issuecomment-574001764. This massively cleans up the mess that is_arn_match had become.
  • Fixes a unit test that was including a check for a private auditor, and avoids testing against private auditors for the other tests.
  • Updates the privilege data.
  • Fixes the script that collects the privilege data so it can actually be run.

parliament - 0.4.3

Published by 0xdabbad00 almost 5 years ago

Minor fix (#49) to improve identification of privileges being granted.

parliament - 0.4.2

Published by 0xdabbad00 almost 5 years ago

The big change this release was improving the logic for identifying which actions were allowed. Previously, if you had the following, it would not identify s3:GetObject as being allowed, because it saw an Allow and a Deny and did not take into consideration the Condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::secretbucket/*"
    },
    {
        "Effect": "Deny",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::secretbucket/*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }
  ]
}

Now the logic identifies s3:GetObject as being allowed, because it only counts a Deny against the Allow if the Deny has no Condition. This should better handle possible tricks someone might do to get around a custom auditor someone might write (for example, the sensitive bucket auditor in the docs would have been tricked by this previously).

The unit tests should also be more robust, and a bug was fixed with how Bools are checked to ensure they are being matched against true and false values.
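
The Allow/Deny rule described in this note, as an added Python example that is not part of parliament's own code: a matching Deny cancels an Allow only when it carries no Condition, and the `ignore_conditions` switch reproduces the pre-0.4.2 behaviour for comparison. `fnmatch` stands in for parliament's ARN/glob matching, and NotAction, NotResource and real Condition evaluation are left out.

```python
import fnmatch
import json

# Constructed sample input: the policy from the 0.4.2 release note above, an
# Allow for s3:GetObject plus a Deny that applies only when MFA is absent.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::secretbucket/*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::secretbucket/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Case-insensitive IAM wildcard match (* and ?); stand-in for is_arn_match."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_action_allowed(policy, action, resource, ignore_conditions=False):
    """Return True if `action` on `resource` is granted by `policy`.

    ignore_conditions=False is the 0.4.2 rule: only a matching Deny with no
    Condition cancels an Allow, so a conditional Deny is treated as bypassable.
    ignore_conditions=True is the old behaviour: any matching Deny cancels the
    Allow, which let the MFA-conditioned Deny above hide the grant from auditors.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Allow":
            allowed = True
        elif stmt["Effect"] == "Deny" and (ignore_conditions or "Condition" not in stmt):
            return False  # an unconditional Deny wins regardless of statement order
    return allowed
```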

parliament - 0.4.1

Published by 0xdabbad00 almost 5 years ago

You can now specify a directory for your private auditors, and instructions are provided on how to include your own unit tests for these. https://github.com/duo-labs/parliament#unit-tests-for-private-auditors

Some minor fixes to the existing tests to ensure they don't break when you have your own private auditors.

parliament - 0.4.0

Published by 0xdabbad00 almost 5 years ago

This release adds the ability to have custom auditors. This is documented in the README, showing an example of how to create an auditor to generate findings for any policy that grants access to a sensitive S3 bucket: https://github.com/duo-labs/parliament#custom-auditors

This also changed how the filtering works for ignoring findings, which gives some greater control over that, by changing what had been a search for a substring into a full regex match. The regex match does mean that a search for a substring like s3:* now must be written as .*s3:\\*.* (note that .* are added to the ends so this functions as a substring lookup, and the original * needs to be double-escaped as \\*).

parliament - 0.3.7

Published by 0xdabbad00 almost 5 years ago

Updates privileges. AWS changed their doc format, so a new method was needed to scrape these, which was borrowed from work done by @kmcquade on policy_sentry.

Other changes:
@danielpops Fixed a typo

parliament - 0.3.6

Published by 0xdabbad00 almost 5 years ago

Exit status now only uses a 1 to indicate findings (0 if there are no findings). The last release set the exit status to the number of findings, but that might not work in shell environments if there are over 255 findings. This was pointed out by Ben Bridts: https://twitter.com/benbridts/status/1205465492984647680

parliament - 0.3.5

Published by 0xdabbad00 almost 5 years ago

Parliament now supports a custom config file so you can change the text or severity of issues, or filter them out entirely. For usage examples see the docs at https://github.com/duo-labs/parliament#custom-config-file

parliament - 0.3.4

Published by 0xdabbad00 almost 5 years ago

Bug fixes

  • Allow aws:MultiFactorAuthAge to be tested against a number
  • Allow Null condition to be used without findings about the items that are being checked
  • Allow policies to have unquoted Bool values (true and false can be used without quotes)

parliament - 0.3.3

Published by 0xdabbad00 almost 5 years ago

Fixes an exception for unknown prefixes and actions introduced in 0.3.2

parliament - 0.3.2

Published by 0xdabbad00 almost 5 years ago

  • Resource mismatches are now aggregated into a single finding, so when you grant s3:* on a bucket, it produces a single finding, instead of one for each s3 action. The detail element will include each of these actions and the required resource, which will make that element very long, especially if you were to grant all actions via *
  • Unknown action and unknown prefix findings are now their own finding types as opposed to causing exceptions.
  • The filepath is now given when checking a single file
  • Filtering by severity will now correctly exit with an exit code of 0 if there are findings but they are all filtered
  • No Version element is now allowed and marked as a Low finding.

parliament - 0.3.1

Published by 0xdabbad00 almost 5 years ago

  • Returns non-zero exit codes when issues are found
  • Allows for json output
  • Finding types are now stored in a config file (eventually this config file will be exposed so you can mute findings as needed) https://github.com/duo-labs/parliament/blob/master/parliament/config.yaml
  • The parliament command allows you to specify the minimum severity to be displayed
  • There is a local ./bin/parliament script for testing while developing

Some examples:

$ bin/parliament --file test.json
...
MEDIUM - No resources match for the given action - No resources match for s3:UpdateJobStatus which requires a resource format of arn:*:s3:*:*:job/* for the resource job* - {'filepath': None}
$ bin/parliament --file test.json --json
...
{"issue": "RESOURCE_MISMATCH", "title": "No resources match for the given action", "severity": "MEDIUM", "description": "", "detail": "No resources match for s3:UpdateJobStatus which requires a resource format of arn:*:s3:*:*:job/* for the resource job*", "location": {"filepath": null}}

parliament - 0.2.7

Published by 0xdabbad00 almost 5 years ago

  • Updates iam privileges.
  • Makes unit tests use python 3