"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.isAllowedByIdentityPolicies = isAllowedByIdentityPolicies;
exports.getDenialReasons = getDenialReasons;

/**
 * Check whether the identity policies on their own allowed the request.
 *
 * Only the `identityAnalysis` branch of the RequestAnalysis is consulted; other
 * policy layers (resource, SCP, RCP, permission boundary, endpoint) are ignored here.
 *
 * @param requestAnalysis the request analysis
 * @returns true when an identity analysis is present and its result is 'Allowed', false otherwise
 */
function isAllowedByIdentityPolicies(requestAnalysis) {
    const { identityAnalysis } = requestAnalysis;
    return Boolean(identityAnalysis) && identityAnalysis.result === 'Allowed';
}

/**
 * Collect the reasons a request was denied, one RequestDenial per contributing policy.
 *
 * Policy layers are visited in a fixed order (identity, resource, scp, rcp,
 * permissionBoundary, endpointPolicy) and a layer only contributes when its own
 * result matches the overall result of the request:
 * - overall 'ImplicitlyDenied': an entry `{ policyType, denialType: 'Implicit' }` per
 *   implicitly-denying layer; for SCP/RCP one entry per implicitly-denying OU, carrying
 *   that OU's `orgIdentifier` as `identifier`.
 * - overall 'ExplicitlyDenied': an entry per denying statement, carrying the policy's
 *   `policyId` as `policyIdentifier` and the statement's Sid (or its index, as a string,
 *   when the Sid is empty) as `statementId`, with `denialType: 'Explicit'`.
 * Layers whose result does not match the overall result are not reported, so an
 * 'Allowed' or 'ImplicitlyDenied' layer does not show up next to an explicit deny.
 *
 * @param requestAnalysis the request analysis
 * @returns a list of RequestDenial objects describing the reasons for denial (empty when none match)
 */
function getDenialReasons(requestAnalysis) {
    const { result: overallResult } = requestAnalysis;
    const denials = [];
    // Ordered so the returned list is grouped by policy layer in evaluation order.
    const sources = [
        ['simple', requestAnalysis.identityAnalysis, 'identity'],
        ['simple', requestAnalysis.resourceAnalysis, 'resource'],
        ['ou', requestAnalysis.scpAnalysis, 'scp'],
        ['ou', requestAnalysis.rcpAnalysis, 'rcp'],
        ['simple', requestAnalysis.permissionBoundaryAnalysis, 'permissionBoundary'],
        ['simple', requestAnalysis.endpointAnalysis, 'endpointPolicy']
    ];
    for (const [shape, analysis, policyType] of sources) {
        const collect = shape === 'ou' ? addOuPolicyDenials : addSimplePolicyDenials;
        collect(analysis, policyType, overallResult, denials);
    }
    return denials;
}

/**
 * Build the RequestDenial record for one explicitly-denying statement.
 *
 * @param policyType the policy layer the statement belongs to
 * @param stmt a deny-statement entry with `policyId` and a `statement` exposing `sid()` / `index()`
 * @returns the explicit denial record; `statementId` falls back to the statement index when the Sid is empty
 */
function explicitDenial(policyType, stmt) {
    const { statement } = stmt;
    return {
        policyType,
        policyIdentifier: stmt.policyId,
        statementId: statement.sid() || statement.index().toString(),
        denialType: 'Explicit'
    };
}

/**
 * Append denial reasons from a flat policy analysis (identity, resource,
 * permissionBoundary, endpointPolicy) to `denials`.
 *
 * Nothing is appended when the analysis is absent or when its result differs
 * from the overall request result.
 *
 * @param analysis the per-layer analysis, or null/undefined when the layer did not apply
 * @param policyType the policyType value written into each denial
 * @param overallResult the overall result of the request
 * @param denials the output list, mutated in place
 */
function addSimplePolicyDenials(analysis, policyType, overallResult, denials) {
    if (!analysis || analysis.result !== overallResult) return;
    if (overallResult === 'ImplicitlyDenied') {
        denials.push({ policyType, denialType: 'Implicit' });
        return;
    }
    if (overallResult === 'ExplicitlyDenied') {
        for (const stmt of analysis.denyStatements) {
            denials.push(explicitDenial(policyType, stmt));
        }
    }
}

/**
 * Append denial reasons from an organization-level policy analysis (scp, rcp) to `denials`.
 *
 * Each OU in `analysis.ouAnalysis` is reported separately: implicit denials carry the
 * OU's `orgIdentifier`, explicit denials are expanded to one record per denying statement.
 * As with the flat case, nothing is appended unless the layer's result matches `overallResult`.
 *
 * @param analysis the per-layer analysis, or null/undefined when the layer did not apply
 * @param policyType the policyType value written into each denial ('scp' or 'rcp')
 * @param overallResult the overall result of the request
 * @param denials the output list, mutated in place
 */
function addOuPolicyDenials(analysis, policyType, overallResult, denials) {
    if (!analysis || analysis.result !== overallResult) return;
    if (overallResult === 'ImplicitlyDenied') {
        for (const ou of analysis.ouAnalysis) {
            if (ou.result !== 'ImplicitlyDenied') continue;
            denials.push({ policyType, identifier: ou.orgIdentifier, denialType: 'Implicit' });
        }
        return;
    }
    if (overallResult !== 'ExplicitlyDenied') return;
    for (const ou of analysis.ouAnalysis) {
        if (ou.result !== 'ExplicitlyDenied') continue;
        for (const stmt of ou.denyStatements) {
            denials.push(explicitDenial(policyType, stmt));
        }
    }
}
//# sourceMappingURL=analyzeResults.js.map