import { Policy } from '@cloud-copilot/iam-policy';
import { IdentityAnalysis, RcpAnalysis, RequestAnalysis, ResourceAnalysis, ScpAnalysis } from '../evaluate.js';
import { AwsRequest } from '../request/request.js';
import { ServiceAuthorizer } from '../services/ServiceAuthorizer.js';
/**
 * The simulation modes the engine accepts. `SimulationMode` is derived from this tuple,
 * so adding a mode here widens that type.
 */
export declare const validSimulationModes: readonly ["Strict", "Discovery"];
/**
 * A `Policy` whose attached metadata carries a `name` string, so a policy can be
 * referred to by name in analysis output.
 */
export type PolicyWithName = Policy<{ name: string; }>;
/**
 * The mode of simulation for the core engine.
 * - Strict: Simulates the request as if it were being made in a real AWS environment.
 * - Discovery: Simulates the request but discovers under what conditions it would be allowed.
 *
 * A Discovery result therefore describes the conditions under which access would be allowed;
 * only a Strict result should be read as a decision for the concrete request.
 */
export type SimulationMode = (typeof validSimulationModes)[number];
/**
 * Meta parameters for the simulation engine.
 */
export interface SimulationParameters {
    /**
     * The simulation mode to use for the request.
     */
    simulationMode: SimulationMode;
    /**
     * Condition keys that should be evaluated strictly in the simulation. Used only in Discovery mode.
     * In Strict mode, all condition keys are evaluated strictly.
     *
     * NOTE(review): in Discovery mode, keys absent from this set are presumably treated as
     * satisfiable rather than failing a condition — confirm against the evaluator before
     * relying on a Discovery "allowed" result.
     */
    strictConditionKeys: Set<string>;
}
/**
 * A set of service or resource control policies for each level of an organization tree
 */
export interface ControlPolicies {
    /**
     * The organization identifier for the organizational unit these policies apply to.
     */
    orgIdentifier: string;
    /**
     * The policies that apply to this organizational unit.
     */
    policies: PolicyWithName[];
}
/**
 * A request to authorize a service action.
 *
 * Every policy set here is taken as-is; the engine does not validate policy syntax or
 * check that the request is complete (see {@link authorize}).
 */
export interface AuthorizationRequest {
    /**
     * The request to authorize.
     */
    request: AwsRequest;
    /**
     * The identity policies that are applicable to the principal making the request.
     */
    identityPolicies: PolicyWithName[];
    /**
     * The service control policies that apply to the principal making the request. In
     * order of the organization hierarchy. So the root ou SCPs should be first.
     * The caller is responsible for this ordering; it is not re-derived from `orgIdentifier`.
     */
    serviceControlPolicies: ControlPolicies[];
    /**
     * The resource control policies that apply to the resource being accessed. In
     * order of the organization hierarchy. So the root ou RCPs should be first.
     * The caller is responsible for this ordering; it is not re-derived from `orgIdentifier`.
     */
    resourceControlPolicies: ControlPolicies[];
    /**
     * The resource policy that applies to the resource being accessed, or `undefined`
     * when the resource has none.
     */
    resourcePolicy: PolicyWithName | undefined;
    /**
     * The permission boundaries that apply to the principal making the request, or
     * `undefined` when the principal has no boundary.
     */
    permissionBoundaries: PolicyWithName[] | undefined;
    /**
     * The VPC endpoint policies that apply to the request, if any.
     */
    vpcEndpointPolicies: PolicyWithName[] | undefined;
    /**
     * The simulation parameters for the request.
     */
    simulationParameters: SimulationParameters;
}
/**
 * Authorizes a request.
 *
 * This assumes all policies have been validated and the request is fully complete and valid.
 * Nothing in this function validates its inputs, so an unvalidated policy or an incomplete
 * request produces an analysis that must not be treated as an authoritative allow/deny.
 * In Discovery mode the result describes the conditions under which the request would be
 * allowed rather than a decision for the concrete request (see {@link SimulationMode}).
 *
 * @param request the request to authorize
 * @returns the result of the authorization
 */
export declare function authorize(request: AuthorizationRequest): RequestAnalysis;
/**
 * Get the appropriate service authorizer for the request. Some services have specific authorization logic in
 * them. If there is no service specific authorizer, a default one will be used.
 *
 * @param request the request to get the authorizer for
 * @returns the service authorizer for the request
 */
export declare function getServiceAuthorizer(request: AuthorizationRequest): ServiceAuthorizer;
/**
 * Analyzes a set of identity policies
 *
 * @param identityPolicies the identity policies to analyze
 * @param request the request to analyze against
 * @param simulationParameters the simulation mode and strict condition keys to evaluate with
 * @returns the `IdentityAnalysis` of these policies against the request (per-statement results)
 */
export declare function analyzeIdentityPolicies(identityPolicies: PolicyWithName[], request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis;
/**
 * Analyzes a set of service or resource control policies and the statements within them.
 *
 * @param controlPolicies the control policies to analyze, in organization-hierarchy order (root OU first)
 * @param request the request to analyze against
 * @param simulationParameters the simulation mode and strict condition keys to evaluate with
 * @returns the SCP or RCP analysis results
 */
export declare function analyzeControlPolicies(controlPolicies: ControlPolicies[], request: AwsRequest, simulationParameters: SimulationParameters): ScpAnalysis | RcpAnalysis;
/**
 * Analyze a resource policy and return the results
 *
 * @param resourcePolicy the resource policy to analyze, or `undefined` when the resource has none
 * @param request the request to analyze against
 * @param principalHasPermissionBoundary whether the principal making the request has a permission
 *   boundary attached; presumably changes how an allow in the resource policy is weighed against
 *   the boundary — confirm against the implementation
 * @param simulationParameters the simulation mode and strict condition keys to evaluate with
 * @returns the `ResourceAnalysis` of the policy against the request
 */
export declare function analyzeResourcePolicy(resourcePolicy: PolicyWithName | undefined, request: AwsRequest, principalHasPermissionBoundary: boolean, simulationParameters: SimulationParameters): ResourceAnalysis;
/**
 * Analyzes the permission boundary policies that apply to the principal making the request.
 *
 * @param permissionBoundaries the boundary policies to analyze, or `undefined` when the principal has none
 * @param request the request to analyze against
 * @param simulationParameters the simulation mode and strict condition keys to evaluate with
 * @returns the analysis of the boundaries, or `undefined` — presumably when no boundary applies; confirm
 */
export declare function analyzePermissionBoundaryPolicies(permissionBoundaries: PolicyWithName[] | undefined, request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis | undefined;
/**
 * Analyzes the VPC endpoint policies that apply to the request.
 *
 * @param vpcEndPointPolicies the endpoint policies to analyze, or `undefined` when none apply
 * @param request the request to analyze against
 * @param simulationParameters the simulation mode and strict condition keys to evaluate with
 * @returns the analysis of the endpoint policies, or `undefined` — presumably when none apply; confirm
 */
export declare function analyzeVpcEndpointPolicies(vpcEndPointPolicies: PolicyWithName[] | undefined, request: AwsRequest, simulationParameters: SimulationParameters): IdentityAnalysis | undefined;
//# sourceMappingURL=CoreSimulatorEngine.d.ts.map