Common Properties

Policy

Contains information about an attached policy.
Properties:
- PolicyDocument: A policy document object.
- PolicyName: The friendly name (not ARN) identifying the policy.
PolicyDocument

Contains information about a Policy Document. More info: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
Properties:
- Statement: A statement object.
- Id: An optional string to provide the policy document with an ID.
- Version: An optional date indicating the version of the policy document being used.

allowed_actions_with(self, pattern)

Finds all statements with Effect Allow that have at least one action matching the pattern.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
pattern | Pattern | Pattern to match. | required |

Returns:

Type | Description |
---|---|
List[pycfmodel.model.resources.properties.statement.Statement] | List of statements. |

Source code in pycfmodel/model/resources/properties/policy_document.py

```python
def allowed_actions_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all statements which have at least one action with the pattern.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of statements.
    """
    return [
        statement
        for statement in self._statement_as_list()
        if statement.actions_with(pattern) and self._is_statement_effect_allow(statement.Effect)
    ]
```
allowed_principals_with(self, pattern)

Finds all principals of Effect Allow statements which match the pattern.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
pattern | Pattern | Pattern to match. | required |

Returns:

Type | Description |
---|---|
List[str] | List of principals. |

Source code in pycfmodel/model/resources/properties/policy_document.py

```python
def allowed_principals_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all allowed principals which match the pattern.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of principals.
    """
    principals = set()
    for statement in self._statement_as_list():
        if self._is_statement_effect_allow(statement.Effect):
            principals.update(statement.principals_with(pattern))
    return list(principals)
```
get_allowed_actions(self)

Find all allowed Actions which are specified in statements.
Returns:

Type | Description |
---|---|
List[str] | List of matching actions. |

Source code in pycfmodel/model/resources/properties/policy_document.py

```python
def get_allowed_actions(self) -> List[str]:
    """
    Find all allowed Actions which are specified in statements.

    Returns:
        List of matching actions.
    """
    actions = set()
    for statement in self._statement_as_list():
        if self._is_statement_effect_allow(statement.Effect):
            actions.update(statement.get_expanded_action_list())
    return sorted(actions)
```
get_iam_actions(self, difference=False)

Find all IAM Actions which are specified in statements.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
difference | bool | When True, the behaviour changes to find the difference between all IAM Actions and those specified in the statements of the policy. Default = False. | False |

Returns:

Type | Description |
---|---|
List[str] | List of matching actions. |

Source code in pycfmodel/model/resources/properties/policy_document.py

```python
def get_iam_actions(self, difference=False) -> List[str]:
    """
    Find all IAM Actions which are specified in statements.

    Arguments:
        difference: when True, the behaviour changes to find the difference between all IAM Actions and those
            specified in the statements of the policy. Default = False.

    Returns:
        List of matching actions.
    """
    actions = set()
    for statement in self._statement_as_list():
        for action in statement.get_expanded_action_list():
            if action.startswith("iam:"):
                actions.add(action)
    if difference:
        return sorted(
            set([action for action in CLOUDFORMATION_ACTIONS if action.lower().startswith("iam:")]).difference(
                actions
            )
        )
    return sorted(actions)
```
non_whitelisted_allowed_principals(self, whitelist)

Find non-whitelisted allowed principals.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
whitelist | List[str] | List of whitelisted principals. | required |

Returns:

Type | Description |
---|---|
List[str] | List of principals. |

Source code in pycfmodel/model/resources/properties/policy_document.py

```python
def non_whitelisted_allowed_principals(self, whitelist: List[str]) -> List[str]:
    """
    Find non-whitelisted allowed principals.

    Arguments:
        whitelist: List of whitelisted principals.

    Returns:
        List of principals.
    """
    principals = set()
    for statement in self._statement_as_list():
        if self._is_statement_effect_allow(statement.Effect):
            principals.update(statement.non_whitelisted_principals(whitelist))
    return list(principals)
```
statements_with(self, pattern)

Finds all statements which have at least one resource with the pattern.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
pattern | Pattern | Pattern to match. | required |

Returns:

Type | Description |
---|---|
List[pycfmodel.model.resources.properties.statement.Statement] | List of statements. |

Source code in pycfmodel/model/resources/properties/policy_document.py

```python
def statements_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all statements which have at least one resource with the pattern.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of statements.
    """
    return [statement for statement in self._statement_as_list() if statement.resources_with(pattern)]
```
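As an added example (not pycfmodel's own code), the wildcard expansion behind get_allowed_actions and the difference flag of get_iam_actions, run over a raw policy dict so it needs no pycfmodel install. KNOWN_ACTIONS is a constructed stand-in for the library's CLOUDFORMATION_ACTIONS list, and accepting Statement as either one object or a list is an assumption about _statement_as_list.

```python
import fnmatch
from typing import Any, Dict, List, Set

# Constructed stand-in for the library's CLOUDFORMATION_ACTIONS catalogue (far longer in reality).
KNOWN_ACTIONS = [
    "iam:CreateRole", "iam:CreateUser", "iam:PassRole", "iam:ListRoles",
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "sts:AssumeRole",
]

# Constructed sample policy: a prefix wildcard on IAM plus an explicit deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Create*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """Statement and Action may be one object or a list in IAM JSON (assumed to match _statement_as_list)."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def expand_actions(actions: List[Any], catalogue: List[str] = KNOWN_ACTIONS) -> Set[str]:
    """Expand globs such as "*" or "iam:Create*" case-insensitively (IAM action names are
    case-insensitive), as get_expanded_action_list does against the real catalogue."""
    expanded: Set[str] = set()
    for action in actions:
        if isinstance(action, str):  # an intrinsic-function dict cannot be expanded statically
            expanded.update(a for a in catalogue if fnmatch.fnmatchcase(a.lower(), action.lower()))
    return expanded


def get_allowed_actions(policy: Dict[str, Any]) -> List[str]:
    """Expanded actions granted by Effect Allow statements (PolicyDocument.get_allowed_actions)."""
    allowed: Set[str] = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") == "Allow":
            allowed.update(expand_actions(_as_list(statement.get("Action"))))
    return sorted(allowed)


def get_iam_actions(policy: Dict[str, Any], difference: bool = False) -> List[str]:
    """iam:* actions named by any statement, Allow or Deny; with difference=True, the catalogue's
    iam:* actions the policy does not mention, which shows what a wildcard grant leaves out."""
    named: Set[str] = set()
    for statement in _as_list(policy.get("Statement")):
        named.update(a for a in expand_actions(_as_list(statement.get("Action"))) if a.lower().startswith("iam:"))
    if difference:
        return sorted({a for a in KNOWN_ACTIONS if a.lower().startswith("iam:")} - named)
    return sorted(named)
```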
SecurityGroupEgressProp

An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address range, or to the instances associated with the specified security group.
Properties:
- CidrIp: The IPv4 ranges.
- CidrIpv6: The IPv6 ranges.
- Description: The description of an egress (outbound) security group rule.
- DestinationPrefixListId: The prefix list IDs for an AWS service.
- DestinationSecurityGroupId: The ID of the security group.
- FromPort: The start of port range for the TCP and UDP protocols.
- IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
- ToPort: The end of port range for the TCP and UDP protocols.
More info at AWS Docs

ipv4_slash_zero(self)

Returns True if CidrIp matches 0.0.0.0/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py

```python
def ipv4_slash_zero(self) -> bool:
    """Returns True if `CidrIp` matches `0.0.0.0/0`, otherwise False."""
    # Remove after this is fixed https://bugs.python.org/issue38655
    if not self.CidrIp:
        return False
    return self.CidrIp == IPv4Network(IPV4_ZERO_VALUE)
```

ipv6_slash_zero(self)

Returns True if CidrIpv6 matches ::/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py

```python
def ipv6_slash_zero(self) -> bool:
    """Returns True if `CidrIpv6` matches `::/0`, otherwise False."""
    # Remove after this is fixed https://bugs.python.org/issue38655
    if not self.CidrIpv6:
        return False
    return self.CidrIpv6 == IPv6Network(IPV6_ZERO_VALUE)
```
DBSecurityGroupIngressProp

is_public(self)

Returns True if CIDRIP is a public range (0.0.0.0/0 or any globally routable network), or if neither CIDRIP nor an EC2 security group is set; otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py

```python
def is_public(self) -> bool:
    """Returns True if `CidrIp` is public otherwise False."""
    if not self.CIDRIP and (self.EC2SecurityGroupName or self.EC2SecurityGroupId):
        return False
    elif not self.CIDRIP:
        return True
    # Remove after this is fixed https://bugs.python.org/issue38655
    return self.CIDRIP == IPv4Network(IPV4_ZERO_VALUE) or self.CIDRIP.is_global
```
SecurityGroupIngressProp

An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group.
Properties:
- CidrIp: The IPv4 ranges.
- CidrIpv6: The IPv6 ranges.
- Description: The description of an ingress (inbound) security group rule.
- FromPort: The start of port range for the TCP and UDP protocols.
- IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
- SourcePrefixListId: The prefix list IDs for an AWS service.
- SourceSecurityGroupId: The ID of the security group.
- SourceSecurityGroupName: The name of the source security group.
- SourceSecurityGroupOwnerId: The AWS account ID for the source security group.
- ToPort: The end of port range for the TCP and UDP protocols.
More info at AWS Docs

ipv4_slash_zero(self)

Returns True if CidrIp matches 0.0.0.0/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py

```python
def ipv4_slash_zero(self) -> bool:
    """Returns True if `CidrIp` matches `0.0.0.0/0`, otherwise False."""
    # Remove after this is fixed https://bugs.python.org/issue38655
    if not self.CidrIp:
        return False
    return self.CidrIp == IPv4Network(IPV4_ZERO_VALUE)
```

ipv6_slash_zero(self)

Returns True if CidrIpv6 matches ::/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py

```python
def ipv6_slash_zero(self) -> bool:
    """Returns True if `CidrIpv6` matches `::/0`, otherwise False."""
    # Remove after this is fixed https://bugs.python.org/issue38655
    if not self.CidrIpv6:
        return False
    return self.CidrIpv6 == IPv6Network(IPV6_ZERO_VALUE)
```
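An added example (not the library's code) that combines the ipv4_slash_zero, ipv6_slash_zero and is_public checks of the three rule types above into one function over raw rule dicts keyed as they are written in a CloudFormation template. REFERENCE_KEYS, rule_is_public, public_rule_names and the sample rules are constructed for this illustration.

```python
from ipaddress import IPv4Network, IPv6Network
from typing import Any, Dict, List

IPV4_ZERO_VALUE = "0.0.0.0/0"  # the "anywhere" constants the page's helpers compare against
IPV6_ZERO_VALUE = "::/0"

# Template keys (from the property lists above) that scope a rule to a security group or a
# prefix list instead of a CIDR block.
REFERENCE_KEYS = (
    "SourceSecurityGroupId", "SourceSecurityGroupName", "SourcePrefixListId",
    "DestinationSecurityGroupId", "DestinationPrefixListId",
    "EC2SecurityGroupId", "EC2SecurityGroupName",
)

def rule_is_public(rule: Dict[str, Any]) -> bool:
    """Is a raw ingress, egress or DB rule (keys as written in a template) open to the internet?
    Combines the checks documented above:
      - CidrIp == 0.0.0.0/0 or CidrIpv6 == ::/0 (ipv4_slash_zero / ipv6_slash_zero);
      - any other CIDR that ipaddress reports as globally routable (the is_global arm of is_public);
      - no CIDR but a security-group or prefix-list reference is not public, while no CIDR and no
        reference is treated as public, as DBSecurityGroupIngressProp.is_public does.
    """
    cidr4 = rule.get("CidrIp") or rule.get("CIDRIP")
    if cidr4:
        net4 = IPv4Network(cidr4, strict=False)
        # Depending on the Python version, ipaddress may report 0.0.0.0/0 as not global
        # (the bugs.python.org/issue38655 note on the page); the explicit equality check
        # makes the answer independent of that.
        return net4 == IPv4Network(IPV4_ZERO_VALUE) or net4.is_global
    cidr6 = rule.get("CidrIpv6")
    if cidr6:
        net6 = IPv6Network(cidr6, strict=False)
        return net6 == IPv6Network(IPV6_ZERO_VALUE) or net6.is_global
    return not any(rule.get(key) for key in REFERENCE_KEYS)

def public_rule_names(rules: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of the rules in a {name: rule} mapping that rule_is_public flags."""
    return sorted(name for name, rule in rules.items() if rule_is_public(rule))

# Constructed sample rules (the sg- id and the 1.2.3.0/24 "office" range are made up).
SAMPLE_RULES = {
    "ssh-from-anywhere": {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
    "v6-anywhere": {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv6": "::/0"},
    "office-range": {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "1.2.3.0/24"},
    "vpc-only": {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/16"},
    "ula-only": {"IpProtocol": "-1", "CidrIpv6": "fd00::/8"},
    "from-app-sg": {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "SourceSecurityGroupId": "sg-0123456789abcdef0"},
    "db-no-source": {"EC2SecurityGroupName": None},
}
```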
Statement

Contains information about a statement of a policy document.
Properties:
- Sid: Optional identifier.
- Effect: Whether the statement results in an allow or an explicit deny.
- Principal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is allowed to access a resource.
- NotPrincipal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is not allowed or denied access to a resource.
- Action: Specific action or actions that will be allowed or denied.
- NotAction: Explicitly matches everything except the specified action or list of actions.
- Resource: Specifies the object or objects that the statement covers.
- NotResource: Specifies the object or objects that the statement does not cover.
- Condition: Element to match the condition key and value in the policy against values in the request context.
More info at AWS Docs

actions_with(self, pattern)

Finds all actions which match the pattern.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
pattern | Pattern | Pattern to match. | required |

Returns:

Type | Description |
---|---|
List[str] | List of actions. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def actions_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all actions which match the pattern.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of actions.
    """
    return [action for action in self.get_action_list() if isinstance(action, str) and pattern.match(action)]
```
get_action_list(self, include_action=True, include_not_action=True)

Gets all actions specified in Action and NotAction.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
include_action | bool | Include the values of Action. | True |
include_not_action | bool | Include the values of NotAction. | True |

Returns:

Type | Description |
---|---|
List[Union[str, pycfmodel.model.base.FunctionDict]] | List of actions. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def get_action_list(self, include_action=True, include_not_action=True) -> List[ResolvableStr]:
    """
    Gets all actions specified in `Action` and `NotAction`.

    Returns:
        List of actions.
    """
    action_list = []
    included_actions = []
    if include_action:
        included_actions.append(self.Action)
    if include_not_action:
        included_actions.append(self.NotAction)
    for actions in included_actions:
        if isinstance(actions, List):
            action_list.extend(actions)
        elif isinstance(actions, (str, dict)):
            action_list.append(actions)
    return action_list
```
get_principal_list(self)

Gets all principals specified in Principal and NotPrincipal.
Returns:

Type | Description |
---|---|
List[Union[str, pycfmodel.model.base.FunctionDict]] | List of principals. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def get_principal_list(self) -> List[ResolvableStr]:
    """
    Gets all actions specified in `Principal` and `NotPrincipal`.

    Returns:
        List of principals.
    """
    principal_list = []
    for principals in [self.Principal, self.NotPrincipal]:
        if isinstance(principals, list):
            principal_list.extend(principals)
        elif isinstance(principals, str):
            principal_list.append(principals)
        elif is_resolvable_dict(principals):
            principal_list.append(principals)
        elif isinstance(principals, Principal):
            for value in principals.dict().values():
                if isinstance(value, (str, FunctionDict)):
                    principal_list.append(value)
                elif isinstance(value, list):
                    principal_list.extend(value)
        elif principals is not None:
            raise ValueError(f"Not supported type: {type(principals)}")
    return principal_list
```
get_resource_list(self)

Gets all resources specified in Resource and NotResource.
Returns:

Type | Description |
---|---|
List[Union[str, pycfmodel.model.base.FunctionDict]] | List of resources. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def get_resource_list(self) -> List[ResolvableStr]:
    """
    Gets all resources specified in `Resource` and `NotResource`.

    Returns:
        List of resources.
    """
    resource_list = []
    for resources in [self.Resource, self.NotResource]:
        if isinstance(resources, List):
            resource_list.extend(resources)
        elif isinstance(resources, (str, dict)):
            resource_list.append(resources)
    return resource_list
```
non_whitelisted_principals(self, whitelist)

Find non-whitelisted principals.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
whitelist | List[str] | List of whitelisted principals. | required |

Returns:

Type | Description |
---|---|
List[str] | List of principals. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def non_whitelisted_principals(self, whitelist: List[str]) -> List[str]:
    """
    Find non whitelisted principals.

    Arguments:
        whitelist: List of whitelisted principals.

    Returns:
        List of principals.
    """
    return [
        principal
        for principal in self.get_principal_list()
        if isinstance(principal, str) and principal not in whitelist
    ]
```
principals_with(self, pattern)

Finds all principals which match the pattern.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
pattern | Pattern | Pattern to match. | required |

Returns:

Type | Description |
---|---|
List[str] | List of principals. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def principals_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all principals which match the pattern.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of principals.
    """
    return [
        principal
        for principal in self.get_principal_list()
        if isinstance(principal, str) and pattern.match(principal)
    ]
```
resources_with(self, pattern)

Finds all resources which match the pattern.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
pattern | Pattern | Pattern to match. | required |

Returns:

Type | Description |
---|---|
List[str] | List of resources. |

Source code in pycfmodel/model/resources/properties/statement.py

```python
def resources_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all resources which match the pattern.

    Arguments:
        pattern: Pattern to match.

    Returns:
        List of resources.
    """
    return [
        resource for resource in self.get_resource_list() if isinstance(resource, str) and pattern.match(resource)
    ]
```
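An added example (not pycfmodel code) of what get_principal_list, principals_with and non_whitelisted_principals compute on a raw statement dict, plus a stricter check for the case the merged list hides: because NotPrincipal values land in the same list as Principal values, an Allow statement whose only NotPrincipal is whitelisted yields no non-whitelisted principal although it grants access to everyone else. The principal keys AWS/Service/Federated/CanonicalUser, the helper names and the sample statements are assumptions made here.

```python
import re
from typing import Any, Dict, List

# IAM principal types; assumed to be the keys of pycfmodel's Principal model.
PRINCIPAL_KEYS = ("AWS", "Service", "Federated", "CanonicalUser")

def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])

def flatten_principal(principal: Any) -> List[str]:
    """One Principal/NotPrincipal element as Statement.get_principal_list sees it: "*", an ARN,
    a list of them, or a dict keyed by principal type whose values are strings or lists.
    Intrinsic-function dicts are skipped here (the library keeps them as FunctionDict)."""
    if isinstance(principal, dict):
        values: List[str] = []
        for key in PRINCIPAL_KEYS:
            values.extend(v for v in _as_list(principal.get(key)) if isinstance(v, str))
        return values
    return [v for v in _as_list(principal) if isinstance(v, str)]

def principals_with(statement: Dict[str, Any], pattern: re.Pattern) -> List[str]:
    """Like Statement.principals_with: Principal and NotPrincipal values are searched together,
    and re.Pattern.match only anchors at the start, so end the pattern with $ for exact ARNs."""
    found = flatten_principal(statement.get("Principal")) + flatten_principal(statement.get("NotPrincipal"))
    return [p for p in found if pattern.match(p)]

def non_whitelisted_principals(statement: Dict[str, Any], whitelist: List[str]) -> List[str]:
    """Like Statement.non_whitelisted_principals, over the same merged list."""
    found = flatten_principal(statement.get("Principal")) + flatten_principal(statement.get("NotPrincipal"))
    return [p for p in found if p not in whitelist]

def grants_to_anyone(statement: Dict[str, Any], whitelist: List[str]) -> bool:
    """Stricter check for an Allow statement: a principal outside the whitelist ("*" means any AWS
    account), or a NotPrincipal, which grants to everyone except the listed principals even when
    those principals are all whitelisted."""
    if statement.get("Effect") != "Allow":
        return False
    if statement.get("NotPrincipal") is not None:
        return True
    return any(p not in whitelist for p in flatten_principal(statement.get("Principal")))

# Constructed sample statements.
TRUSTED_ROOT = "arn:aws:iam::111111111111:root"
OPEN = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "*"}
NOT_PRINCIPAL = {"Effect": "Allow", "NotPrincipal": {"AWS": [TRUSTED_ROOT]}, "Action": "s3:GetObject", "Resource": "*"}
TRUSTED = {"Effect": "Allow", "Principal": {"AWS": TRUSTED_ROOT, "Service": ["lambda.amazonaws.com"]}, "Action": "sts:AssumeRole"}
```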
StatementCondition

Contains the condition that must be matched for the statement it belongs to to apply.
Type | Operators | ...IfExists | ForAllValues... | ForAnyValue... |
---|---|---|---|---|
String | StringEquals | Yes | Yes | Yes |
String | StringNotEquals | Yes | Yes | Yes |
String | StringEqualsIgnoreCase | Yes | Yes | Yes |
String | StringNotEqualsIgnoreCase | Yes | Yes | Yes |
String | StringLike | Yes | Yes | Yes |
String | StringNotLike | Yes | Yes | Yes |
Numeric | NumericEquals | Yes | Yes | Yes |
Numeric | NumericNotEquals | Yes | Yes | Yes |
Numeric | NumericLessThan | Yes | Yes | Yes |
Numeric | NumericLessThanEquals | Yes | Yes | Yes |
Numeric | NumericGreaterThan | Yes | Yes | Yes |
Numeric | NumericGreaterThanEquals | Yes | Yes | Yes |
Date and time | DateEquals | Yes | Yes | Yes |
Date and time | DateNotEquals | Yes | Yes | Yes |
Date and time | DateLessThan | Yes | Yes | Yes |
Date and time | DateLessThanEquals | Yes | Yes | Yes |
Date and time | DateGreaterThan | Yes | Yes | Yes |
Date and time | DateGreaterThanEquals | Yes | Yes | Yes |
Boolean | Bool | Yes | Yes | Yes |
Binary | BinaryEquals | Yes | Yes | Yes |
IP address | IpAddress | Yes | Yes | Yes |
IP address | NotIpAddress | Yes | Yes | Yes |
Amazon Resource Name (ARN) | ArnEquals | Yes | Yes | Yes |
Amazon Resource Name (ARN) | ArnLike | Yes | Yes | Yes |
Amazon Resource Name (ARN) | ArnNotEquals | Yes | Yes | Yes |
Amazon Resource Name (ARN) | ArnNotLike | Yes | Yes | Yes |
Existence | Null | No | Yes | Yes |
Table based on AWS Docs
For conditions such as StringEquals with multiple values for one key, we evaluate them using the logical OR, as if the condition key were ForAnyValue:StringEquals. This follows the documentation from AWS.
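An added example (not pycfmodel code) of the evaluation rule just stated: a small evaluator for the String operators from the table that applies OR across multiple policy values, with the ForAllValues/ForAnyValue set prefixes and the IfExists suffix handled explicitly. The restriction to String* operators and the function names are choices made here, not the library's.

```python
import fnmatch
from typing import Any, Dict, List

def _as_list(value: Any) -> List[Any]:
    """Condition values and multivalued context keys may be a scalar or a list."""
    return value if isinstance(value, list) else [value]

def _match(operator: str, actual: str, expected: str) -> bool:
    """One (request value, policy value) comparison for the String operators in the table."""
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    if operator == "StringLike":  # * and ? wildcards, case-sensitive
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"operator not covered by this example: {operator}")

def evaluate_condition(condition: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """Evaluate a Condition block against request-context values.

    - A plain operator with several policy values is an OR over those values, the same
      as ForAnyValue:<operator> (the rule described above).
    - ForAllValues:<operator> requires every context value to match some policy value and
      is vacuously true when the key is absent from the request.
    - <operator>IfExists is true when the key is absent from the request.
    Operator blocks, and keys inside a block, are ANDed together.
    """
    for raw_operator, keys in condition.items():
        set_prefix, _, operator = raw_operator.rpartition(":")
        if_exists = operator.endswith("IfExists")
        if if_exists:
            operator = operator[: -len("IfExists")]
        for key, policy_values in keys.items():
            if key not in context:
                if if_exists or set_prefix == "ForAllValues":
                    continue
                return False
            actual = _as_list(context[key])
            expected = _as_list(policy_values)
            if set_prefix == "ForAllValues":
                ok = all(any(_match(operator, a, e) for e in expected) for a in actual)
            else:  # plain or ForAnyValue: one matching (request, policy) pair suffices
                ok = any(_match(operator, a, e) for a in actual for e in expected)
            if not ok:
                return False
    return True
```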
__eq__(self, other) (special)

Return self == value.

Source code in pycfmodel/model/resources/properties/statement_condition.py

```python
def __eq__(self, other: Any) -> bool:
    if isinstance(other, self.__class__):
        # pydantic's exclude_unset takes a bool; a non-empty set is simply truthy here,
        # so both sides are compared with unset fields excluded
        return self.dict(exclude_unset={"eval"}) == other.dict(exclude_unset={"eval"})
    else:
        return self.dict() == other
```