How to use the parliament.finding.severity function in parliament

To help you get started, we’ve selected a few parliament examples, based on popular ways it is used in public projects.


expanded_actions.extend(expand_action(action))
            except Exception as e:
                self.add_finding(e, severity.INVALID, location={"string": self.stmt})
                return False

        # Check the resources are correct formatted correctly
        has_malformed_resource = False
        for resource in resources:
            if resource == "*":
                continue
            parts = resource.split(":")
            if len(parts) < 6:
                has_malformed_resource = True
                self.add_finding(
                    "Malformed resource, should have 6 parts, arn:partition:service:region:account:id",
                    severity.MALFORMED,
                    location={"string": resource},
                )
                continue
            elif parts[0] != "arn":
                has_malformed_resource = True
                self.add_finding(
                    'Malformed resource, should start with "arn:"',
                    severity.MALFORMED,
                    location={"string": resource},
                )
                continue
            elif parts[1] not in ["aws", "aws-cn", "aws-us-gov", "aws-iso", "*", ""]:
                has_malformed_resource = True
                self.add_finding(
                    "Malformed resource, unexpected resource partition",
                    severity.MALFORMED,
self._check_principal(self.stmt["NotPrincipal"])

        # Check Effect
        if "Effect" not in self.stmt:
            self.add_finding(
                "Statement does not contain an Effect element",
                severity.MALFORMED,
                location={"string": self.stmt},
            )
            return False
        effect = self.stmt["Effect"]

        if effect not in ["Allow", "Deny"]:
            self.add_finding(
                "Unknown Effect used. Effect must be either Allow or Deny",
                severity.MALFORMED,
                location={"string": self.stmt},
            )
            return False

        if effect == "Allow":
            self.effect_allow = True
        else:
            self.effect_allow = False

        # Check Action
        if "Action" in self.stmt and "NotAction" in self.stmt:
            self.add_finding(
                "Statement contains both Action and NotAction",
                severity.MALFORMED,
                location={"string": self.stmt},
            )
if operator.lower() == "bool":
                if key.lower() == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
                    condition_block[key]
                ):
                    self.add_finding(
                        'Bad patttern: The condition {"Bool": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent may not exist so it does not enforce MFA. You likely want to use a Deny with BoolIfExists.',
                        severity.MEDIUM,
                        location={"location": condition_block},
                    )
            elif operator.lower() == "null":
                if key.lower == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
                    condition_block[key]
                ):
                    self.add_finding(
                        'Bad patttern: The condition {"Null": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent it does not enforce MFA, and only checks if the value exists. You likely want to use an Allow with {"Bool": {"aws:MultiFactorAuthPresent":"true"}}.',
                        severity.MEDIUM,
                        location={"location": condition_block},
                    )

        return
for key in principal:
                if key == "AWS":
                    for aws_principal in make_list(principal[key]):
                        account_id_regex = re.compile("^\d{12}$")
                        arn_regex = re.compile("^arn:[-a-z\*]*:iam::(\d{12}|):.*$")

                        if aws_principal == "*":
                            pass
                        elif account_id_regex.match(aws_principal):
                            pass
                        elif arn_regex.match(aws_principal):
                            pass
                        else:
                            self.add_finding(
                                "Unknown AWS principal: {}".format(aws_principal),
                                severity.INVALID,
                                location={"location": aws_principal},
                            )
                elif key == "Federated":
                    for federation in make_list(principal[key]):
                        saml_regex = re.compile(
                            "^arn:[-a-z\*]*:iam::\d{12}:saml-provider/.*$"
                        )
                        if federation in [
                            "cognito-identity.amazonaws.com",
                            "www.amazon.com",
                            "graph.facebook.com",
                            "accounts.google.com",
                        ]:
                            pass
                        elif saml_regex.match(federation):
                            pass