
@cloud-copilot/iam-lens


Visibility in IAM in and across AWS accounts

import { type Policy, type Statement } from '@cloud-copilot/iam-policy';
import { Permission, type PermissionEffect } from './permission.js';
/**
 * A permission set is a collection of permissions that all share one effect (Allow or Deny).
 * It is used to represent things like "all the allowed permissions in a set of SCPs"
 * and "all the denies that apply to a principal".
 *
 * The effect is fixed at construction and is read-only afterwards; the set-algebra
 * methods (`intersection`, `addAll`) are documented to throw when the effects of the
 * two operands differ, so a set never mixes Allow and Deny permissions.
 *
 * NOTE(review): this declaration file does not show how wildcard actions (e.g. `s3:*`)
 * or wildcard resources are matched by `getPermissions`/`hasAction`. Whether a stored
 * pattern is matched against a concrete action, or only compared literally, must be
 * confirmed against the implementation before using these results for coverage analysis
 * (e.g. "is this action denied?").
 */
export declare class PermissionSet {
    /** The effect (Allow or Deny) shared by every permission in this set. */
    readonly effect: PermissionEffect;
    /** Internal storage of the permissions; its type is elided in this declaration file. */
    private permissions;
    /**
     * Create an empty set for the given effect.
     *
     * @param effect the effect every permission in this set will have
     */
    constructor(effect: PermissionEffect);
    /**
     * Add a new permission to the set. If the new permission overlaps with an existing one,
     * they will be unioned together to avoid redundancy.
     *
     * @param newPermission the permission to add
     */
    addPermission(newPermission: Permission): void;
    /**
     * Get the permissions for a specific service and action.
     *
     * @param service the service to get permissions for
     * @param action the action to get permissions for
     * @returns the permissions that match the service and action
     */
    getPermissions(service: string, action: string): Permission[];
    /**
     * Check if the permission set has any permissions for a specific service.
     *
     * @param service the service to check permissions for
     * @returns true if the permission set has permissions for the service, false otherwise
     */
    hasService(service: string): boolean;
    /**
     * Check if the permission set has any permissions for a specific action.
     *
     * @param service the service the action belongs to
     * @param action the action to check permissions for
     * @returns true if the permission set has permissions for the action, false otherwise
     */
    hasAction(service: string, action: string): boolean;
    /**
     * Check if the permission set is empty (has no permissions).
     *
     * @returns true if the permission set is empty, false otherwise
     */
    isEmpty(): boolean;
    /**
     * Get all the permissions in the permission set.
     *
     * @returns a copy of all the permissions in the permission set
     */
    getAllPermissions(): Permission[];
    /**
     * Return a new PermissionSet containing the intersection of this set and another.
     * Only permissions that overlap (same effect, service, action, and intersecting
     * resources/conditions) will be included.
     *
     * @param other The other PermissionSet to intersect with.
     * @returns A new PermissionSet containing the intersecting permissions.
     * @throws Error if the effects of the two PermissionSets do not match.
     */
    intersection(other: PermissionSet): PermissionSet;
    /**
     * Subtract a Deny PermissionSet from this Allow PermissionSet.
     *
     * Returns two PermissionSets: one with the remaining Allow permissions,
     * and one with any Deny permissions that were created as a result of the subtraction
     * (i.e. the part of the deny that could not be carved out of the allow and must be
     * carried forward as an explicit deny).
     *
     * @param deny the Deny PermissionSet to subtract
     * @returns an object containing the resulting Allow and Deny PermissionSets
     */
    subtract(deny: PermissionSet): {
        allow: PermissionSet;
        deny: PermissionSet;
    };
    /**
     * Add all permissions from another PermissionSet (or several) to this one.
     *
     * @param others the other PermissionSet (or array of PermissionSets) to add permissions from
     * @throws Error if the effects of the two PermissionSets do not match
     */
    addAll(others: PermissionSet[] | PermissionSet): void;
    /**
     * Deep clones the PermissionSet.
     *
     * @returns a new PermissionSet instance with the same effect and the same permissions
     */
    clone(): PermissionSet;
}
/**
 * Given an array of IAM Policy objects, extract every statement with the requested
 * effect and load it into a new PermissionSet. Each AWS action is split into its
 * service ("s3", "ec2", etc.) and the individual action name ("GetObject",
 * "StartInstances", etc.).
 *
 * NOTE(review): the original comment described this as extracting only "Allow"
 * statements, but the signature takes an `effect` parameter; the description below
 * assumes statements are filtered by that `effect` — confirm against the implementation.
 *
 * Assumptions:
 * 1. The Policy type comes from `@cloud-copilot/iam-policy`. Each Policy has a `.statements` array.
 * 2. Each Statement has at least these fields (per AWS IAM JSON):
 *    - Effect: "Allow" | "Deny"
 *    - Action: string | string[]
 *    - Resource?: string | string[]
 *    - NotResource?: string | string[]
 *    - Condition?: Record<string, Record<string, string | string[]>>
 * 3. Statements whose Effect does not equal the requested `effect` are ignored.
 * 4. We do not expand wildcards here. If a statement's Action is "s3:*",
 *    we leave it as the pattern "s3:*". (If you want to expand all wildcards,
 *    run these policies through iam-expand first, then call this function.)
 *    Callers reasoning about what a principal can or cannot do must therefore
 *    account for un-expanded patterns themselves.
 *
 * @param effect the effect (Allow or Deny) of the statements to collect
 * @param policies the policies whose statements are scanned
 * @returns a PermissionSet containing one Permission object for each
 *          (service, action, resource, notResource, condition) tuple with the requested effect
 */
export declare function buildPermissionSetFromPolicies(effect: PermissionEffect, policies: Policy[]): Promise<PermissionSet>;
/**
 * Add the statements of the given policies to an existing PermissionSet.
 *
 * Presumably the same filtering as `buildPermissionSetFromPolicies` (statements whose
 * Effect matches `effect`), but applied to a caller-supplied set; the set is modified
 * in place since nothing is returned — confirm against the implementation.
 *
 * @param permissionSet the set to add permissions to
 * @param effect the effect (Allow or Deny) of the statements to collect
 * @param policies the policies whose statements are scanned
 */
export declare function addPoliciesToPermissionSet(permissionSet: PermissionSet, effect: PermissionEffect, policies: Policy[]): Promise<void>;
/**
 * Add a single Statement to a PermissionSet, expanding it into one or more Permissions as needed
 * (one per action / resource combination).
 *
 * @param statement the IAM policy statement to add
 * @param permissionSet the PermissionSet to add the statement to
 * @returns nothing; the PermissionSet is modified in place
 */
export declare function addStatementToPermissionSet(statement: Statement, permissionSet: PermissionSet): Promise<void>;
/**
 * Convert a PermissionSet into an array of IAM policy statements.
 *
 * NOTE(review): the declared return type is `any`, so callers get no type checking on
 * the generated statements. The exact shape (raw IAM JSON vs. `Statement` objects) is not
 * recoverable from this declaration file; validate the output before writing it into a
 * policy or feeding it to another tool.
 *
 * @param set the PermissionSet to convert
 * @returns an array of IAM policy statements
 */
export declare function toPolicyStatements(set: PermissionSet): any;
//# sourceMappingURL=permissionSet.d.ts.map