Created
October 30, 2018 15:41
-
-
Save haydenbbickerton/35eda2bc5b61fd06894a0ab3b7b57703 to your computer and use it in GitHub Desktop.
aws risks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A small module for judging "risk" of a permission based on service and action | |
| # | |
| # The goal here is to categorize common AWS actions in a way that can be easily referenced by | |
| # either the end user, or internal script, or whatever else. | |
| # | |
| # More of this to come later | |
| from boltons import mathutils, strutils | |
| # Default baseline risk scores, should be configured | |
| RISKS_SERVICES = { | |
| 'cloudtrail': 3, | |
| 'kms': 3, | |
| 'lambda': 2, | |
| 'rds': 3, | |
| 'route53': 4, | |
| 'iam': 4 | |
| } | |
| # auto generated from the first word of actions | |
| # ie: for "DeleteProject", operation is "Delete" and target is "Project" | |
| RISKS_ACTIONS = { | |
| 'MUTATE': { | |
| 'risk': 5, | |
| 'words': [ | |
| 'create', 'delete', 'destroy', 'modify', 'add', 'remove', 'set', 'update', 'put', 'reset' | |
| ], | |
| }, | |
| 'READ': { | |
| 'risk': 1, | |
| 'words': [ | |
| 'get', 'view', 'list', 'describe' | |
| ], | |
| }, | |
| 'CONDUCT': { | |
| 'risk': 5, | |
| 'words': [ | |
| 'start', 'stop', 'suspend', 'run', 'cancel', 'continue', 'resume', | |
| 'fail', 'execute', 'enter', 'exit', 'reboot' | |
| ] | |
| }, | |
| 'ORGANIZE': { | |
| 'risk': 5, | |
| 'words': [ | |
| 'attach', 'detach', 'release', 'associate', 'disassociate', 'allocate', 'release' | |
| 'authorize', 'revoke', 'register', 'deregister', 'activate', 'deactivate', 'enable', | |
| ] | |
| }, | |
| 'INTERACT': { | |
| 'risk': 4, | |
| 'words': [ | |
| 'request', 'respond', 'query', 'search', 'send', 'resend', 'publish', 'notify' | |
| ] | |
| }, | |
| 'SIDE_EFFECT': { | |
| 'risk': 3, | |
| 'words': [ | |
| 'simulate', 'export', 'record', 'estimate', 'preview', 'validate' | |
| ] | |
| } | |
| } | |
| # from remaining words in action | |
| RISKS_ACTIONS.update({ | |
| 'TARGET_DATA': { | |
| 'risk': 1, | |
| 'words': [ | |
| 'object', 'bucket', 'database', 'content', 'table', 'text', 'tags' | |
| ] | |
| }, | |
| 'TARGET_ASPECT': { | |
| 'risk': 2, | |
| 'words': ['policy', 'attribute', 'permission', 'status', 'grants', 'settings', ] | |
| } | |
| }) | |
| def calculate_risk_level(score): | |
| levels = { | |
| 'NIL': 0, # need a keyword for "no risk", but don't want to use NONE bc python | |
| 'LOW': 2, | |
| 'MEDIUM': 5, | |
| 'HIGH': 7, | |
| 'CRITICAL': 10 | |
| } | |
| inv_levels = {v:k for k,v in levels.items()} | |
| score = mathutils.floor(score, levels.values()) | |
| risk_level = inv_levels[score] | |
| return risk_level | |
| def calculate_permission_risk(permission): | |
| service, action = strutils.split_punct_ws(permission) | |
| action_words = strutils.camel2under(action).split('_') | |
| tags = [] | |
| score = RISKS_SERVICES.get(service.lower(), 0) # start with score of (potentially) risky service (like iam, rds) | |
| for name, info in RISKS_ACTIONS.items(): | |
| matched = (set(action_words) & set(info['words'])) | |
| if bool(matched): | |
| tags.append(name) | |
| score += info['risk'] | |
| return tags, score | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment