aws risks
# A small module for judging "risk" of a permission based on service and action
#
# The goal here is to categorize common AWS actions in a way that can be easily referenced by
# either the end user, or internal script, or whatever else.
#
# More of this to come later
import bisect
import re

from boltons import mathutils, strutils
# Baseline risk score per AWS service, keyed by the lower-cased service prefix
# of a permission ('iam:CreateUser' -> 'iam'). calculate_permission_risk adds
# this baseline to the action score; a service absent from this table
# contributes 0. These are defaults and are meant to be tuned per deployment.
# NOTE(review): services such as ec2, sts, s3 or ssm are not listed here and
# therefore carry no service-level risk at all — confirm that is deliberate
# rather than an omission.
RISKS_SERVICES = {
    'cloudtrail': 3,
    'kms': 3,
    'lambda': 2,
    'rds': 3,
    'route53': 4,
    'iam': 4,
}
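# Risk categories for the words of an action name. An action such as
# "DeleteProject" is split into its camel-case words ("delete", "project"):
# the first word is the operation, the rest describe the target. Note that
# calculate_permission_risk matches a category when ANY word of the action
# appears in its 'words' list, regardless of position, and then adds the
# category's 'risk' to the permission's score.
RISKS_ACTIONS = {
    'MUTATE': {
        'risk': 5,
        'words': [
            'create', 'delete', 'destroy', 'modify', 'add', 'remove', 'set',
            'update', 'put', 'reset',
        ],
    },
    'READ': {
        'risk': 1,
        'words': ['get', 'view', 'list', 'describe'],
    },
    'CONDUCT': {
        'risk': 5,
        'words': [
            'start', 'stop', 'suspend', 'run', 'cancel', 'continue', 'resume',
            'fail', 'execute', 'enter', 'exit', 'reboot',
        ],
    },
    'ORGANIZE': {
        'risk': 5,
        # Every entry carries a trailing comma on purpose: a missing comma
        # between two string literals silently concatenates them
        # ('release' 'authorize' -> 'releaseauthorize'), which previously made
        # 'authorize' unmatchable and duplicated 'release'.
        # NOTE(review): 'disable' has no entry while 'enable' does — confirm
        # whether actions like kms:DisableKey should score like EnableKey.
        'words': [
            'attach', 'detach', 'release', 'associate', 'disassociate',
            'allocate', 'authorize', 'revoke', 'register', 'deregister',
            'activate', 'deactivate', 'enable',
        ],
    },
    'INTERACT': {
        'risk': 4,
        'words': [
            'request', 'respond', 'query', 'search', 'send', 'resend',
            'publish', 'notify',
        ],
    },
    'SIDE_EFFECT': {
        'risk': 3,
        'words': ['simulate', 'export', 'record', 'estimate', 'preview', 'validate'],
    },
}
# Target categories, matched against the remaining (non-operation) words of
# the action, e.g. the "Policy" in "PutUserPolicy".
RISKS_ACTIONS.update({
    'TARGET_DATA': {
        'risk': 1,
        'words': ['object', 'bucket', 'database', 'content', 'table', 'text', 'tags'],
    },
    'TARGET_ASPECT': {
        'risk': 2,
        'words': ['policy', 'attribute', 'permission', 'status', 'grants', 'settings'],
    },
})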
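def calculate_risk_level(score):
    """Translate a numeric risk *score* into a level name.

    The result is the highest level whose threshold is <= *score*, so
    0..1 -> 'NIL', 2..4 -> 'LOW', 5..6 -> 'MEDIUM', 7..9 -> 'HIGH' and
    10 and above -> 'CRITICAL'. Non-integer scores are floored onto the
    same thresholds.

    Args:
        score: a number, typically the score half of the tuple returned
            by calculate_permission_risk.

    Returns:
        One of 'NIL', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL'.

    Raises:
        ValueError: if *score* lies below the lowest threshold (i.e. is
            negative).
    """
    # 'NIL' is the "no risk" keyword; NONE was avoided because of Python's None.
    levels = {
        'NIL': 0,
        'LOW': 2,
        'MEDIUM': 5,
        'HIGH': 7,
        'CRITICAL': 10,
    }
    thresholds = sorted(levels.values())
    name_by_threshold = {v: k for k, v in levels.items()}
    # Count of thresholds <= score; the last of them is the level reached.
    # Same semantics as boltons.mathutils.floor(score, options), stdlib only.
    reached = bisect.bisect_right(thresholds, score)
    if reached == 0:
        raise ValueError(
            "no risk level for score %r (below %r)" % (score, thresholds[0]))
    return name_by_threshold[thresholds[reached - 1]]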
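def calculate_permission_risk(permission, service_risks=None, action_risks=None):
    """Score one IAM permission string such as ``'iam:CreateUser'``.

    The service prefix contributes its baseline from *service_risks*
    (0 when unlisted). The action name is split into lower-cased
    camel-case words, and every category in *action_risks* whose word
    list shares at least one word with the action is tagged and its
    'risk' added to the score. Word position is not considered.

    Wildcards: an action of ``'*'`` covers every action of the service,
    so every category is tagged; a bare ``'*'`` permission additionally
    takes the highest service baseline. A ``*`` inside an action name
    (``'Describe*'``) is dropped before word matching. Previously any
    wildcard action raised ValueError, i.e. the broadest grants could not
    be scored at all.

    Only the action string is scored; resource ARNs and conditions of
    the statement the permission came from are not visible here.

    Args:
        permission: ``'service:Action'`` — any run of punctuation or
            whitespace other than ``*`` may separate the two parts — or
            ``'*'``.
        service_risks: mapping of lower-cased service -> baseline score;
            defaults to the module-level RISKS_SERVICES.
        action_risks: mapping of category name -> {'risk': int,
            'words': [...]}; defaults to the module-level RISKS_ACTIONS.

    Returns:
        ``(tags, score)``: the matched category names in *action_risks*
        iteration order, and the total score.

    Raises:
        ValueError: if *permission* does not split into exactly a
            service and an action.
    """
    if service_risks is None:
        service_risks = RISKS_SERVICES
    if action_risks is None:
        action_risks = RISKS_ACTIONS

    # Split on any run of non-alphanumerics except '*', so the wildcard
    # survives as its own token ('iam:*' -> ['iam', '*'], '*' -> ['*']).
    parts = [p for p in re.split(r'[^A-Za-z0-9*]+', permission) if p]
    if parts == ['*']:
        service, action = '*', '*'
    elif len(parts) == 2:
        service, action = parts
    else:
        raise ValueError(
            "permission must look like 'service:Action', got %r" % (permission,))

    wildcard_action = action == '*'
    # "CreateAccessKey" -> "create_access_key" -> {'create', 'access', 'key'}.
    snake = re.sub(r'((?<=[a-z0-9])[A-Z]|(?!^)[A-Z](?=[a-z]))', r'_\1',
                   action.replace('*', ''))
    action_words = {w for w in snake.lower().split('_') if w}

    if service == '*':
        # A service wildcard covers every listed service; score it like the
        # riskiest one rather than like an unknown (0) service.
        score = max(service_risks.values(), default=0)
    else:
        score = service_risks.get(service.lower(), 0)

    tags = []
    for name, info in action_risks.items():
        if wildcard_action or action_words & set(info['words']):
            tags.append(name)
            score += info['risk']
    return tags, score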