
@cloud-copilot/iam-lens


Visibility in IAM in and across AWS accounts

import { Policy } from '@cloud-copilot/iam-policy';
import { Permission, PermissionEffect } from './permission.js';

/**
 * A permission set is a collection of permissions for a single effect (Allow or Deny).
 * It is used to represent things like "all the allowed permissions in a set of SCPs"
 * and "all the denies that apply to a principal".
 *
 * NOTE(review): this is a declaration file. The comments below describe the declared
 * interface only; behaviour that the declaration does not pin down is marked as such.
 */
export declare class PermissionSet {
    /** The effect (Allow or Deny) shared by every permission in this set. */
    readonly effect: PermissionEffect;
    /** Internal permission storage; its shape is not visible from the declaration. */
    private permissions;
    /**
     * @param effect - the effect this set represents; every permission in the set carries it
     */
    constructor(effect: PermissionEffect);
    /**
     * Add a single permission to the set.
     * NOTE(review): the declaration does not say whether a permission whose effect
     * differs from `this.effect` is rejected or silently accepted — confirm in the implementation.
     */
    addPermission(newPermission: Permission): void;
    /** Return the permissions recorded for the given service and action (empty array if none). */
    getPermissions(service: string, action: string): Permission[];
    /** Report whether any permission in the set refers to the given service. */
    hasService(service: string): boolean;
    /** Report whether any permission in the set refers to the given service/action pair. */
    hasAction(service: string, action: string): boolean;
    /** Every permission in the set; ordering is not specified by the declaration. */
    getAllPermissions(): Permission[];
    /**
     * Return a new PermissionSet containing the intersection of this set and another.
     * Only permissions that overlap (same effect, service, action, and intersecting resources/conditions)
     * will be included.
     */
    intersection(other: PermissionSet): PermissionSet;
    /**
     * Presumably removes the permissions matched by `deny` from this set and returns
     * both the remaining allows and the denies that applied — TODO confirm how partial
     * overlaps (e.g. a deny narrower than the allow it hits) are split between the two.
     */
    subtract(deny: PermissionSet): {
        allow: PermissionSet;
        deny: PermissionSet;
    };
    /**
     * Deep clones the PermissionSet.
     *
     * @returns a new PermissionSet instance with the same permissions.
     */
    clone(): PermissionSet;
}

/**
 * Given an array of IAM Policy objects, extract every statement carrying the requested
 * effect and load it into a PermissionSet. Each AWS action is split into its
 * service ("s3", "ec2", etc.) and the individual action name ("GetObject", "StartInstances", etc.).
 *
 * Assumptions:
 * 1. The Policy type comes from `@cloud-copilot/iam-policy`. Each Policy has a `.statements` array.
 * 2. Each Statement has at least these fields (per AWS IAM JSON):
 *    - Effect: "Allow" | "Deny"
 *    - Action: string | string[]
 *    - Resource?: string | string[]
 *    - NotResource?: string | string[]
 *    - Condition?: Record<string, Record<string, string | string[]>>
 * 3. Statements whose Effect does not match `effect` are ignored. (The original comment
 *    said "Allow" only; the signature takes an `effect` parameter, so presumably either
 *    effect can be collected — confirm against the implementation.)
 * 4. Wildcards are not expanded here — if a statement's Action is "s3:*",
 *    it is kept as the pattern "s3:*". (To expand all wildcards,
 *    run these policies through iam-expand first, then call this function.)
 *
 * Because of (4), a set built here reflects the policy text as written, not the fully
 * expanded list of actions; callers answering "is action X covered" must match the
 * stored patterns rather than compare action names literally.
 *
 * @param effect - the effect to collect; the returned set carries this effect
 * @param policies - the policies whose statements are read
 * @returns a PermissionSet containing one Permission object for each
 *   (service, action, resource, notResource, condition) tuple whose Effect matches `effect`
 */
export declare function buildPermissionSetFromPolicies(effect: PermissionEffect, policies: Policy[]): Promise<PermissionSet>;

/**
 * Presumably the same extraction as buildPermissionSetFromPolicies, but adding the
 * permissions to an existing set instead of creating a new one.
 * NOTE(review): the declaration does not say what happens when `effect` differs from
 * `permissionSet.effect` — confirm.
 */
export declare function addPoliciesToPermissionSet(permissionSet: PermissionSet, effect: PermissionEffect, policies: Policy[]): Promise<void>;

/**
 * Convert a PermissionSet back into IAM policy statements.
 * NOTE(review): the return type is `any`, so callers get no type checking on the
 * result; the declaration should name the concrete statement type it produces.
 */
export declare function toPolicyStatements(set: PermissionSet): any;
//# sourceMappingURL=permissionSet.d.ts.map