Common Properties
¶
Policy
¶
Contains information about an attached policy.
Properties:
- PolicyDocument: A policy document object.
- PolicyName: The friendly name (not ARN) identifying the policy.
¶
PolicyDocument
¶
Contains information about an attached policy.
Properties:
- Statement: A statement object.
- Version
allowed_actions_with(self, pattern)
¶
Finds all statements which have at least one action with the pattern.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
pattern |
Pattern |
Pattern to match. |
required |
Returns:
| Type | Description |
|---|---|
List[pycfmodel.model.resources.properties.statement.Statement] |
List of statements. |
Source code in pycfmodel/model/resources/properties/policy_document.py
def allowed_actions_with(self, pattern: Pattern) -> List[Statement]:
"""
Finds all statements which have at least one action with the pattern.
Arguments:
pattern: Pattern to match.
Returns:
List of [statements][pycfmodel.model.resources.properties.statement.Statement].
"""
return [
statement
for statement in self._statement_as_list()
if statement.actions_with(pattern) and statement.Effect == "Allow"
]
allowed_principals_with(self, pattern)
¶
Finds all allowed principals which match the pattern.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
pattern |
Pattern |
Pattern to match. |
required |
Returns:
| Type | Description |
|---|---|
List[str] |
List of principals. |
Source code in pycfmodel/model/resources/properties/policy_document.py
def allowed_principals_with(self, pattern: Pattern) -> List[str]:
"""
Finds all allowed principals which match the pattern.
Arguments:
pattern: Pattern to match.
Returns:
List of principals.
"""
principals = set()
for statement in self._statement_as_list():
if statement.Effect == "Allow":
principals.update(statement.principals_with(pattern))
return list(principals)
get_allowed_actions(self)
¶
Find all allowed Actions which are specified in statements.
Returns:
| Type | Description |
|---|---|
List[str] |
List of matching actions. |
Source code in pycfmodel/model/resources/properties/policy_document.py
def get_allowed_actions(self) -> List[str]:
"""
Find all allowed Actions which are specified in statements.
Returns:
List of matching actions.
"""
actions = set()
for statement in self._statement_as_list():
if statement.Effect.lower() == "allow":
actions.update(statement.get_expanded_action_list())
return sorted(actions)
get_iam_actions(self, difference=False)
¶
Find all IAM Actions which are specified in statements.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
difference |
|
when True, the behaviour changes to find the difference between all IAM Actions and those |
False |
Returns:
| Type | Description |
|---|---|
List[str] |
List of matching actions. |
Source code in pycfmodel/model/resources/properties/policy_document.py
def get_iam_actions(self, difference=False) -> List[str]:
"""
Find all IAM Actions which are specified in statements.
Arguments:
difference: when True, the behaviour changes to find the difference between all IAM Actions and those
specified in the statements of the policy. Default = False.
Returns:
List of matching actions.
"""
actions = set()
for statement in self._statement_as_list():
for action in statement.get_expanded_action_list():
if action.startswith("iam:"):
actions.add(action)
if difference:
return sorted(
set([action for action in CLOUDFORMATION_ACTIONS if action.lower().startswith("iam:")]).difference(
actions
)
)
return sorted(actions)
non_whitelisted_allowed_principals(self, whitelist)
¶
Find non whitelisted allowed principals.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
whitelist |
List[str] |
List of whitelisted principals. |
required |
Returns:
| Type | Description |
|---|---|
List[str] |
List of principals. |
Source code in pycfmodel/model/resources/properties/policy_document.py
def non_whitelisted_allowed_principals(self, whitelist: List[str]) -> List[str]:
"""
Find non whitelisted allowed principals.
Arguments:
whitelist: List of whitelisted principals.
Returns:
List of principals.
"""
principals = set()
for statement in self._statement_as_list():
if statement.Effect == "Allow":
principals.update(statement.non_whitelisted_principals(whitelist))
return list(principals)
statements_with(self, pattern)
¶
Finds all statements which have at least one resource with the pattern.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
pattern |
Pattern |
Pattern to match. |
required |
Returns:
| Type | Description |
|---|---|
List[pycfmodel.model.resources.properties.statement.Statement] |
List of statements. |
Source code in pycfmodel/model/resources/properties/policy_document.py
def statements_with(self, pattern: Pattern) -> List[Statement]:
"""
Finds all statements which have at least one resource with the pattern.
Arguments:
pattern: Pattern to match.
Returns:
List of [statements][pycfmodel.model.resources.properties.statement.Statement].
"""
return [statement for statement in self._statement_as_list() if statement.resources_with(pattern)]
¶
SecurityGroupEgressProp
¶
An outbound rule permits instances to send traffic from the specified IPv4 or IPv6 CIDR address range, or to the instances associated with the specified security group.
Properties:
- CidrIp: The IPv4 ranges.
- CidrIpv6: The IPv6 ranges.
- Description: The description of an egress (outbound) security group rule.
- DestinationPrefixListId: The prefix list IDs for an AWS service.
- DestinationSecurityGroupId: The ID of the security group.
- FromPort: The start of port range for the TCP and UDP protocols.
- IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
- ToPort: The end of port range for the TCP and UDP protocols.
More info at AWS Docs
ipv4_slash_zero(self)
¶
Returns True if CidrIp matches 0.0.0.0/0, otherwise False.
Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py
def ipv4_slash_zero(self) -> bool:
"""Returns True if `CidrIp` matches `0.0.0.0/0`, otherwise False."""
# Remove after this is fixed https://bugs.python.org/issue38655
if not self.CidrIp:
return False
return self.CidrIp == IPv4Network(IPV4_ZERO_VALUE)
ipv6_slash_zero(self)
¶
Returns True if CidrIpv6 matches ::/0, otherwise False.
Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py
def ipv6_slash_zero(self) -> bool:
"""Returns True if `CidrIpv6` matches `::/0`, otherwise False."""
# Remove after this is fixed https://bugs.python.org/issue38655
if not self.CidrIpv6:
return False
return self.CidrIpv6 == IPv6Network(IPV6_ZERO_VALUE)
¶
SecurityGroupIngressProp
¶
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group.
Properties:
- CidrIp: The IPv4 ranges.
- CidrIpv6: The IPv6 ranges.
- Description: The description of an egress (outbound) security group rule.
- FromPort: The start of port range for the TCP and UDP protocols.
- IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
- SourcePrefixListId: The prefix list IDs for an AWS service.
- SourceSecurityGroupId: The ID of the security group.
- SourceSecurityGroupName: The name of the source security group.
- SourceSecurityGroupOwnerId: The AWS account ID for the source security group.
- ToPort: The end of port range for the TCP and UDP protocols.
More info at AWS Docs
ipv4_slash_zero(self)
¶
Returns True if CidrIp matches 0.0.0.0/0, otherwise False.
Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py
def ipv4_slash_zero(self) -> bool:
"""Returns True if `CidrIp` matches `0.0.0.0/0`, otherwise False."""
# Remove after this is fixed https://bugs.python.org/issue38655
if not self.CidrIp:
return False
return self.CidrIp == IPv4Network(IPV4_ZERO_VALUE)
ipv6_slash_zero(self)
¶
Returns True if CidrIpv6 matches ::/0, otherwise False.
Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py
def ipv6_slash_zero(self) -> bool:
"""Returns True if `CidrIpv6` matches `::/0`, otherwise False."""
# Remove after this is fixed https://bugs.python.org/issue38655
if not self.CidrIpv6:
return False
return self.CidrIpv6 == IPv6Network(IPV6_ZERO_VALUE)
¶
Statement
¶
Contains information about an attached policy.
Properties:
- Sid: Optional identifier.
- Effect: Whether the statement results in an allow or an explicit deny.
- Principal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is allowed to access a resource.
- NotPrincipal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is not allowed or denied access to a resource.
- Action: Specific action or actions that will be allowed or denied.
- NotAction: Explicitly matches everything except the specified action or list of actions.
- Resource: Specifies the object or objects that the statement covers.
- NotResource: Specifies the object or objects that the statement does not cover.
- Condition: Element to match the condition key and value in the policy against values in the request context.
More info at AWS Docs
actions_with(self, pattern)
¶
Finds all actions which match the pattern.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
pattern |
Pattern |
Pattern to match. |
required |
Returns:
| Type | Description |
|---|---|
List[str] |
List of actions. |
Source code in pycfmodel/model/resources/properties/statement.py
def actions_with(self, pattern: Pattern) -> List[str]:
"""
Finds all actions which match the pattern.
Arguments:
pattern: Pattern to match.
Returns:
List of actions.
"""
return [action for action in self.get_action_list() if isinstance(action, str) and pattern.match(action)]
get_action_list(self, include_action=True, include_not_action=True)
¶
Gets all actions specified in Action and NotAction.
Returns:
| Type | Description |
|---|---|
List[Union[str, pycfmodel.model.base.FunctionDict]] |
List of actions. |
Source code in pycfmodel/model/resources/properties/statement.py
def get_action_list(self, include_action=True, include_not_action=True) -> List[ResolvableStr]:
"""
Gets all actions specified in `Action` and `NotAction`.
Returns:
List of actions.
"""
action_list = []
included_actions = []
if include_action:
included_actions.append(self.Action)
if include_not_action:
included_actions.append(self.NotAction)
for actions in included_actions:
if isinstance(actions, List):
action_list.extend(actions)
elif isinstance(actions, (str, dict)):
action_list.append(actions)
return action_list
get_principal_list(self)
¶
Gets all actions specified in Principal and NotPrincipal.
Returns:
| Type | Description |
|---|---|
List[Union[str, pycfmodel.model.base.FunctionDict]] |
List of principals. |
Source code in pycfmodel/model/resources/properties/statement.py
def get_principal_list(self) -> List[ResolvableStr]:
"""
Gets all actions specified in `Principal` and `NotPrincipal`.
Returns:
List of principals.
"""
principal_list = []
for principals in [self.Principal, self.NotPrincipal]:
if isinstance(principals, list):
principal_list.extend(principals)
elif isinstance(principals, str):
principal_list.append(principals)
elif is_resolvable_dict(principals):
principal_list.append(principals)
elif isinstance(principals, dict):
for value in principals.values():
if isinstance(value, (str, Dict)):
principal_list.append(value)
elif isinstance(value, List):
principal_list.extend(value)
elif principals is not None:
raise ValueError(f"Not supported type: {type(principals)}")
return principal_list
get_resource_list(self)
¶
Gets all resources specified in Resource and NotResource.
Returns:
| Type | Description |
|---|---|
List[Union[str, pycfmodel.model.base.FunctionDict]] |
List of resources. |
Source code in pycfmodel/model/resources/properties/statement.py
def get_resource_list(self) -> List[ResolvableStr]:
"""
Gets all resources specified in `Resource` and `NotResource`.
Returns:
List of resources.
"""
resource_list = []
for resources in [self.Resource, self.NotResource]:
if isinstance(resources, List):
resource_list.extend(resources)
elif isinstance(resources, (str, dict)):
resource_list.append(resources)
return resource_list
non_whitelisted_principals(self, whitelist)
¶
Find non whitelisted principals.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
whitelist |
List[str] |
List of whitelisted principals. |
required |
Returns:
| Type | Description |
|---|---|
List[str] |
List of principals. |
Source code in pycfmodel/model/resources/properties/statement.py
def non_whitelisted_principals(self, whitelist: List[str]) -> List[str]:
"""
Find non whitelisted principals.
Arguments:
whitelist: List of whitelisted principals.
Returns:
List of principals.
"""
return [
principal
for principal in self.get_principal_list()
if isinstance(principal, str) and principal not in whitelist
]
principals_with(self, pattern)
¶
Finds all principals which match the pattern.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
pattern |
Pattern |
Pattern to match. |
required |
Returns:
| Type | Description |
|---|---|
List[str] |
List of principals. |
Source code in pycfmodel/model/resources/properties/statement.py
def principals_with(self, pattern: Pattern) -> List[str]:
"""
Finds all principals which match the pattern.
Arguments:
pattern: Pattern to match.
Returns:
List of principals.
"""
return [
principal
for principal in self.get_principal_list()
if isinstance(principal, str) and pattern.match(principal)
]
resources_with(self, pattern)
¶
Finds all resources which match the pattern.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
pattern |
Pattern |
Pattern to match. |
required |
Returns:
| Type | Description |
|---|---|
List[str] |
List of resources. |
Source code in pycfmodel/model/resources/properties/statement.py
def resources_with(self, pattern: Pattern) -> List[str]:
"""
Finds all resources which match the pattern.
Arguments:
pattern: Pattern to match.
Returns:
List of resources.
"""
return [
resource for resource in self.get_resource_list() if isinstance(resource, str) and pattern.match(resource)
]
¶
StatementCondition
¶
Contains the condition to be matched to apply the statement that belongs to.
| Type | Operators | ...IfExists | ForAllValues... | ForAnyValue... |
|---|---|---|---|---|
| String | StringEquals | Yes | Yes | Yes |
| String | StringNotEquals | Yes | Yes | Yes |
| String | StringEqualsIgnoreCase | Yes | Yes | Yes |
| String | StringNotEqualsIgnoreCase | Yes | Yes | Yes |
| String | StringLike | Yes | Yes | Yes |
| String | StringNotLike | Yes | Yes | Yes |
| Numeric | NumericEquals | Yes | Yes | Yes |
| Numeric | NumericNotEquals | Yes | Yes | Yes |
| Numeric | NumericLessThan | Yes | Yes | Yes |
| Numeric | NumericLessThanEquals | Yes | Yes | Yes |
| Numeric | NumericGreaterThan | Yes | Yes | Yes |
| Numeric | NumericGreaterThanEquals | Yes | Yes | Yes |
| Date and time | DateEquals | Yes | Yes | Yes |
| Date and time | DateNotEquals | Yes | Yes | Yes |
| Date and time | DateLessThan | Yes | Yes | Yes |
| Date and time | DateLessThanEquals | Yes | Yes | Yes |
| Date and time | DateGreaterThan | Yes | Yes | Yes |
| Date and time | DateGreaterThanEquals | Yes | Yes | Yes |
| Boolean | Bool | Yes | Yes | Yes |
| Binary | BinaryEquals | Yes | Yes | Yes |
| IP address | IpAddress | Yes | Yes | Yes |
| IP address | NotIpAddress | Yes | Yes | Yes |
| Amazon Resource Name (ARN) | ArnEquals | Yes | Yes | Yes |
| Amazon Resource Name (ARN) | ArnLike | Yes | Yes | Yes |
| Amazon Resource Name (ARN) | ArnNotEquals | Yes | Yes | Yes |
| Amazon Resource Name (ARN) | ArnNotLike | Yes | Yes | Yes |
| Existence | Null | No | Yes | Yes |
Table based on AWS Docs
For conditions such as StringEquals with multiple values for one key, we evaluate them using the logical OR,
similar to if the condition key was ForAnyValue:StringEquals. This follows the
documentation from AWS.
__eq__(self, other)
special
¶
Return self==value.
Source code in pycfmodel/model/resources/properties/statement_condition.py
def __eq__(self, other: Any) -> bool:
if isinstance(other, self.__class__):
return self.dict(exclude_unset={"eval"}) == other.dict(exclude_unset={"eval"})
else:
return self.dict() == other