Documentation
Index
- Constants
- func GetRoleOrUserNameFromARN(arn string) (string, error)
- func PolicyStatusIsValid(status string) bool
- type AWSAction
- type AWSData
- type AWSEvent
- type AWSIAMPolicy
- type AWSIAMPrincipal
- type AWSIAMStatement
- type AWSIdentity
- type Advice
- type AdviceFactory
- type Advisor
- type Description
- type JSONAdvice
- type JSONPolicyParams
- type KMSRecommendation
- type Policy
- type RecommendationDetails
- type Resource
- type Statement
Constants
const (
	PolicyStatusActive   = "active"
	PolicyStatusResolved = "resolved"
)
const (
	AlertActive   = "active"
	AlertIgnored  = "ignored"
	AlertFixed    = "fixed"
	AlertApplying = "applying"
)
Variables
This section is empty.
Functions
func GetRoleOrUserNameFromARN
func GetRoleOrUserNameFromARN(arn string) (string, error)
GetRoleOrUserNameFromARN parses an ARN and returns the role name, or the user name if the ARN identifies an IAM user; it returns an error if the ARN is malformed.
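The following is an added example, not the iamzero package's own implementation of GetRoleOrUserNameFromARN; it shows how an IAM ARN is taken apart to recover the principal name and which malformed inputs are rejected. The function name PrincipalNameFromARN and the sample ARNs are assumed for this illustration. It also goes beyond what the page states by accepting IAM paths (role/team/app/MyRole) and STS assumed-role ARNs, which is the identity form most SDK calls made under a role are recorded with.

```go
package main

import (
	"fmt"
	"strings"
)

// PrincipalNameFromARN is an added illustration, not the package's own
// GetRoleOrUserNameFromARN. It returns the role or user name from an IAM ARN
// and an error for anything malformed. It also accepts STS assumed-role ARNs
// (arn:aws:sts::<account>:assumed-role/<role>/<session>); that goes beyond
// what the page says about the original function.
func PrincipalNameFromARN(arn string) (string, error) {
	// Every ARN has six colon-separated fields:
	// arn:partition:service:region:account:resource
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[1] == "" {
		return "", fmt.Errorf("malformed ARN %q: want arn:partition:service:region:account:resource", arn)
	}
	service, resource := parts[2], parts[5]
	// IAM resources look like <type>/<name>; an optional path may sit between
	// them (role/team/app/MyRole), so the name is always the last segment.
	segs := strings.Split(resource, "/")
	if len(segs) < 2 || segs[len(segs)-1] == "" {
		return "", fmt.Errorf("malformed ARN %q: resource %q has no name", arn, resource)
	}
	switch {
	case service == "iam" && (segs[0] == "role" || segs[0] == "user"):
		return segs[len(segs)-1], nil
	case service == "sts" && segs[0] == "assumed-role":
		// assumed-role/<role-name>/<session-name>: the role name is the middle segment
		if len(segs) != 3 || segs[1] == "" {
			return "", fmt.Errorf("malformed assumed-role ARN %q", arn)
		}
		return segs[1], nil
	}
	return "", fmt.Errorf("ARN %q does not identify an IAM role, IAM user or assumed role", arn)
}

func main() {
	// Constructed sample ARNs; the account ID is a placeholder.
	for _, arn := range []string{
		"arn:aws:iam::123456789012:role/MyRole",
		"arn:aws:iam::123456789012:role/team/app/MyRole",
		"arn:aws:iam::123456789012:user/alice",
		"arn:aws:sts::123456789012:assumed-role/MyRole/session1",
		"arn:aws:s3:::example-bucket",
		"not-an-arn",
	} {
		name, err := PrincipalNameFromARN(arn)
		fmt.Printf("%-58s -> name=%q err=%v\n", arn, name, err)
	}
}
```

Strict rejection matters here because the returned name decides which role a generated least-privilege policy is later attached to; silently accepting an S3 or otherwise non-principal ARN would attach the policy to the wrong place or to nothing at all.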
func PolicyStatusIsValid
func PolicyStatusIsValid(status string) bool
Types
type AWSAction
type AWSAction struct {
	ID                 string     `json:"id"`
	PolicyID           string     `json:"policyId"`
	Event              AWSEvent   `json:"event"`
	Status             string     `json:"status"`
	Time               time.Time  `json:"time"`
	Resources          []Resource `json:"resources"`
	Recommendations    []Advice   `json:"recommendations"`
	HasRecommendations bool       `json:"hasRecommendations"`
	// Enabled indicates whether this action is used in a least-privilege policy
	Enabled bool `json:"enabled"`
	// SelectedAdvisoryID is the ID of the advisory selected by the user to resolve the policy
	SelectedAdvisoryID string `json:"selectedAdvisoryId"`
}
func (*AWSAction) GetSelectedAdvisory
GetSelectedAdvisory returns the Advice object matching the action's SelectedAdvisoryID.
func (*AWSAction) SelectAdvisory
SelectAdvisory sets the `SelectedAdvisoryID` field. It returns an error if the advisory ID does not exist in `Recommendations`.
type AWSEvent
type AWSEvent struct {
	Time     string      `json:"time"`
	Data     AWSData     `json:"data"`
	Identity AWSIdentity `json:"identity"`
}
AWSEvent is an API call logged by an AWS SDK instrumented with iamzero.
type AWSIAMPolicy
type AWSIAMPolicy struct {
	Version   string
	Id        *string
	Statement []AWSIAMStatement
}
type AWSIAMPrincipal
type AWSIAMPrincipal struct {
	AWS string
}
type AWSIAMStatement
type AWSIAMStatement struct {
	Sid       string
	Effect    string
	Action    []string
	Principal *AWSIAMPrincipal `json:",omitempty"`
	Resource  []string
}
type AWSIdentity
type Advice
type Advice interface {
	Apply(log *zap.SugaredLogger) error
	GetID() string
	Details() RecommendationDetails
}
type AdviceFactory
AdviceFactory generates Advice based on a provided event.
func GetJSONAdvice
func GetJSONAdvice(r JSONPolicyParams) AdviceFactory
type Advisor
type Advisor struct {
	AlertsMapping map[string][]AdviceFactory
}
func NewAdvisor
func NewAdvisor() *Advisor
type Description
type JSONAdvice
type JSONAdvice struct {
	ID        string
	AWSPolicy AWSIAMPolicy
	Comment   string
	RoleName  string
	Resources []Resource
}
func (*JSONAdvice) Apply
func (a *JSONAdvice) Apply(log *zap.SugaredLogger) error
Apply applies the recommendation by provisioning an IAM policy and attaching it to the role. Note: we currently don't expose this functionality through the IAM Zero console and could consider removing it for now until we further explore use cases around IAM role deployment.
func (*JSONAdvice) Details
func (a *JSONAdvice) Details() RecommendationDetails
func (*JSONAdvice) GetID
func (a *JSONAdvice) GetID() string
type JSONPolicyParams
type KMSRecommendation
type KMSRecommendation struct {
	ID        string
	AccountID string
	KeyARN    string
	RoleARN   string
	Comment   string
}
func (*KMSRecommendation) Apply
func (r *KMSRecommendation) Apply(log *zap.SugaredLogger) error
Apply applies the recommendation by creating a grant for the KMS key.
func (*KMSRecommendation) Details
func (r *KMSRecommendation) Details() RecommendationDetails
func (*KMSRecommendation) GetID
func (r *KMSRecommendation) GetID() string
type Policy
type Policy struct {
	ID          string       `json:"id"`
	Identity    AWSIdentity  `json:"identity"`
	LastUpdated time.Time    `json:"lastUpdated"`
	Token       tokens.Token `json:"token"`
	EventCount  int          `json:"eventCount"`
	Document    AWSIAMPolicy `json:"document"`
	// Status is either "active" or "resolved"
	Status string `json:"status"`
}
Policy is a least-privilege policy generated by IAM Zero.
func (*Policy) RecalculateDocument
RecalculateDocument rebuilds the policy document from the recorded actions. This initial implementation is naive and does not deduplicate or aggregate policies.
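As an added example (not the package's RecalculateDocument), the block below contrasts the naive one-statement-per-event rebuild that the doc comment describes with a rebuild that deduplicates actions per resource and aggregates resources sharing the same action set. RecordedCall, BuildNaivePolicy, BuildAggregatedPolicy and the sample events are assumptions made for this illustration; AWSIAMPolicy and AWSIAMStatement mirror the definitions on this page, minus the Principal field, which an identity policy does not use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// AWSIAMStatement and AWSIAMPolicy mirror the definitions on this page.
type AWSIAMStatement struct {
	Sid      string
	Effect   string
	Action   []string
	Resource []string
}

type AWSIAMPolicy struct {
	Version   string
	Id        *string `json:",omitempty"`
	Statement []AWSIAMStatement
}

// RecordedCall is a constructed stand-in for the action/resource pair an
// AWSAction carries once an SDK call is logged; an assumption, not a package type.
type RecordedCall struct {
	Action   string // IAM action name, e.g. "s3:GetObject"
	Resource string // ARN of the resource the call touched
}

// BuildNaivePolicy emits one Allow statement per recorded call with no
// deduplication: the initial behaviour the page describes.
func BuildNaivePolicy(calls []RecordedCall) AWSIAMPolicy {
	p := AWSIAMPolicy{Version: "2012-10-17"}
	for i, c := range calls {
		p.Statement = append(p.Statement, AWSIAMStatement{
			Sid: fmt.Sprintf("IAMZeroStmt%d", i), Effect: "Allow",
			Action: []string{c.Action}, Resource: []string{c.Resource},
		})
	}
	return p
}

// BuildAggregatedPolicy deduplicates actions per resource, then merges resources
// with an identical action set into one statement. Output is sorted so it is stable.
func BuildAggregatedPolicy(calls []RecordedCall) AWSIAMPolicy {
	actionsFor := map[string]map[string]bool{} // resource -> set of actions
	for _, c := range calls {
		if c.Action == "" || c.Resource == "" {
			continue // drop incomplete records instead of widening to "*"
		}
		if actionsFor[c.Resource] == nil {
			actionsFor[c.Resource] = map[string]bool{}
		}
		actionsFor[c.Resource][c.Action] = true
	}
	resourcesFor := map[string][]string{} // joined sorted actions -> resources
	for res, set := range actionsFor {
		actions := make([]string, 0, len(set))
		for a := range set {
			actions = append(actions, a)
		}
		sort.Strings(actions)
		key := strings.Join(actions, ",") // IAM action names never contain commas
		resourcesFor[key] = append(resourcesFor[key], res)
	}
	keys := make([]string, 0, len(resourcesFor))
	for k := range resourcesFor {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	p := AWSIAMPolicy{Version: "2012-10-17"}
	for i, k := range keys {
		sort.Strings(resourcesFor[k])
		p.Statement = append(p.Statement, AWSIAMStatement{
			Sid: fmt.Sprintf("IAMZeroStmt%d", i), Effect: "Allow",
			Action: strings.Split(k, ","), Resource: resourcesFor[k],
		})
	}
	return p
}

// SampleCalls is constructed input standing in for a handful of logged events.
func SampleCalls() []RecordedCall {
	return []RecordedCall{
		{"s3:GetObject", "arn:aws:s3:::example-bucket/*"},
		{"s3:GetObject", "arn:aws:s3:::example-bucket/*"}, // duplicate call
		{"s3:PutObject", "arn:aws:s3:::example-bucket/*"},
		{"s3:GetObject", "arn:aws:s3:::other-bucket/*"},
		{"s3:PutObject", "arn:aws:s3:::other-bucket/*"},
		{"dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
		{"", "arn:aws:s3:::example-bucket/*"}, // incomplete record
	}
}

func main() {
	b, _ := json.MarshalIndent(BuildAggregatedPolicy(SampleCalls()), "", "  ")
	fmt.Println(string(b))
}
```

On the sample input the naive rebuild yields seven statements, the aggregated rebuild two. Beyond size, the sorted and merged form matters for review: two rebuilds from the same events produce byte-identical documents, so a diff between policy versions shows only real permission changes, and dropping incomplete records avoids the temptation to fill a missing resource with "*".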
type RecommendationDetails
type RecommendationDetails struct {
	ID          string
	Comment     string
	Resources   []Resource
	Description []Description
}
type Resource
type Resource struct {
	ID string `json:"id"`
	// a friendly name for the resource
	Name string `json:"name"`
}
Resource is a cloud resource, such as an S3 bucket, for which permissions can be granted. Currently we just use this in the UI to display a human-friendly list of resources for each recorded action.