Common Properties

Property

This class is used for all property types that we haven't had time to implement yet.

Properties:

  • Condition

Policy

Contains information about an attached policy.

Properties:

  • PolicyDocument: A policy document object.
  • PolicyName: The friendly name (not ARN) identifying the policy.

PolicyDocument

Contains information about an attached policy.

Properties:

allowed_actions_with(self, pattern)

Finds all Allow statements which have at least one action matching the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[pycfmodel.model.resources.properties.statement.Statement]

List of statements.

Source code in pycfmodel/model/resources/properties/policy_document.py
def allowed_actions_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all `Allow` statements which have at least one action matching the pattern.

    Statements whose `Effect` is anything other than `"Allow"` (for example an
    explicit `Deny`) are never returned, even if one of their actions matches.

    Arguments:
        pattern: Compiled regular expression matched against each action.

    Returns:
        List of [statements][pycfmodel.model.resources.properties.statement.Statement].
    """
    matching = []
    for statement in self._statement_as_list():
        # Only Allow statements can grant anything; skip the rest up front.
        if statement.Effect != "Allow":
            continue
        if statement.actions_with(pattern):
            matching.append(statement)
    return matching

allowed_principals_with(self, pattern)

Finds all allowed principals which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/policy_document.py
def allowed_principals_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all allowed principals which match the pattern.

    Only statements whose `Effect` is `"Allow"` contribute. Principals repeated
    across statements are collapsed into one entry; because the result is built
    from a set, its order is unspecified.

    Arguments:
        pattern: Compiled regular expression matched against each principal.

    Returns:
        List of principals.
    """
    allow_statements = (
        statement for statement in self._statement_as_list() if statement.Effect == "Allow"
    )
    matched = {
        principal
        for statement in allow_statements
        for principal in statement.principals_with(pattern)
    }
    return list(matched)

get_iam_actions(self, difference=False)

Find all IAM Actions which are specified in statements.

Parameters:

Name Type Description Default
difference

When True, the method instead returns the difference between all IAM Actions and those specified in the statements of the policy, i.e. the actions that no statement matches. Default = False.

False

Returns:

Type Description
List[str]

List of matching actions.

Source code in pycfmodel/model/resources/properties/policy_document.py
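def get_iam_actions(self, difference=False, iam_actions=None) -> List[str]:
    """
    Find all IAM Actions which are specified in statements.

    Each string action in the policy is treated as an IAM action pattern: `*`
    matches any run of characters and `?` matches exactly one character, both
    case-insensitively. Every other character is matched literally, so an action
    string containing regex metacharacters (`.`, `+`, `(`, ...) can neither widen
    the match nor raise `re.error`. Non-string actions (unresolved `FunctionDict`
    values) are ignored.

    Arguments:
        difference: when True, the behaviour changes to find the difference between all IAM Actions and those specified in the statements of the policy. Default = False.
        iam_actions: Optional iterable of known IAM action names to match against.
            Defaults to the module-level `_IAM_ACTIONS` table.

    Returns:
        Sorted list of matching actions (or, with `difference=True`, of the known
        actions that no statement matches).
    """
    known_actions = list(_IAM_ACTIONS if iam_actions is None else iam_actions)

    # Collect the distinct string action patterns once so each is compiled a
    # single time, however many statements repeat it.
    action_patterns = {
        action
        for statement in self._statement_as_list()
        for action in statement.get_action_list()
        if isinstance(action, str)
    }

    actions = set()
    for action in action_patterns:
        # Escape first, then re-enable only the IAM wildcards. Without escaping,
        # "s3:Get.bject" would match "s3:GetObject" and "s3:Get(" would crash.
        regex_source = re.escape(action).replace(r"\*", ".*").replace(r"\?", ".")
        regex = re.compile(regex_source, re.IGNORECASE)
        actions.update(iam for iam in known_actions if regex.fullmatch(iam))

    if difference:
        return sorted(set(known_actions).difference(actions))

    return sorted(actions)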

non_whitelisted_allowed_principals(self, whitelist)

Find non whitelisted allowed principals.

Parameters:

Name Type Description Default
whitelist List[str]

List of whitelisted principals.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/policy_document.py
def non_whitelisted_allowed_principals(self, whitelist: List[str]) -> List[str]:
    """
    Find non whitelisted allowed principals.

    Only statements whose `Effect` is `"Allow"` are inspected; each contributes
    the principals its own `non_whitelisted_principals` reports. Duplicates are
    collapsed and, since a set is used, the result order is unspecified.

    Arguments:
        whitelist: List of whitelisted principals.

    Returns:
        List of principals.
    """
    allow_statements = (
        statement for statement in self._statement_as_list() if statement.Effect == "Allow"
    )
    flagged = {
        principal
        for statement in allow_statements
        for principal in statement.non_whitelisted_principals(whitelist)
    }
    return list(flagged)

statements_with(self, pattern)

Finds all statements which have at least one resource matching the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[pycfmodel.model.resources.properties.statement.Statement]

List of statements.

Source code in pycfmodel/model/resources/properties/policy_document.py
def statements_with(self, pattern: Pattern) -> List[Statement]:
    """
    Finds all statements which have at least one resource matching the pattern.

    Unlike `allowed_actions_with`, the statement's `Effect` is not consulted:
    both `Allow` and `Deny` statements are returned when a resource matches.

    Arguments:
        pattern: Compiled regular expression matched against each resource.

    Returns:
        List of [statements][pycfmodel.model.resources.properties.statement.Statement].
    """
    matching = []
    for statement in self._statement_as_list():
        if statement.resources_with(pattern):
            matching.append(statement)
    return matching

SecurityGroupEgressProp

An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address range, or to the instances associated with the specified security group.

Properties:

  • CidrIp: The IPv4 ranges.
  • CidrIpv6: The IPv6 ranges.
  • Description: The description of an egress (outbound) security group rule.
  • DestinationPrefixListId: The prefix list IDs for an AWS service.
  • DestinationSecurityGroupId: The ID of the security group.
  • FromPort: The start of port range for the TCP and UDP protocols.
  • IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
  • ToPort: The end of port range for the TCP and UDP protocols.

More info at AWS Docs

ipv4_slash_zero(self)

Returns True if CidrIp matches 0.0.0.0/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py
def ipv4_slash_zero(self) -> bool:
    """ Returns True if `CidrIp` matches `0.0.0.0/0` (the range covering every IPv4 address), otherwise False. """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # An unset or empty CidrIp is never the open range, so skip the comparison entirely.
    cidr = self.CidrIp
    return bool(cidr) and cidr == IPv4Network(IPV4_ZERO_VALUE)

ipv6_slash_zero(self)

Returns True if CidrIpv6 matches ::/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_egress_prop.py
def ipv6_slash_zero(self) -> bool:
    """ Returns True if `CidrIpv6` matches `::/0` (the range covering every IPv6 address), otherwise False. """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # An unset or empty CidrIpv6 is never the open range, so skip the comparison entirely.
    cidr = self.CidrIpv6
    return bool(cidr) and cidr == IPv6Network(IPV6_ZERO_VALUE)

SecurityGroupIngressProp

An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group.

Properties:

  • CidrIp: The IPv4 ranges.
  • CidrIpv6: The IPv6 ranges.
  • Description: The description of an ingress (inbound) security group rule.
  • FromPort: The start of port range for the TCP and UDP protocols.
  • IpProtocol: The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
  • SourcePrefixListId: The prefix list IDs for an AWS service.
  • SourceSecurityGroupId: The ID of the security group.
  • SourceSecurityGroupName: The name of the source security group.
  • SourceSecurityGroupOwnerId: The AWS account ID for the source security group.
  • ToPort: The end of port range for the TCP and UDP protocols.

More info at AWS Docs

ipv4_slash_zero(self)

Returns True if CidrIp matches 0.0.0.0/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py
def ipv4_slash_zero(self) -> bool:
    """ Returns True if `CidrIp` matches `0.0.0.0/0` (the range covering every IPv4 address), otherwise False. """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # An unset or empty CidrIp is never the open range, so skip the comparison entirely.
    cidr = self.CidrIp
    return bool(cidr) and cidr == IPv4Network(IPV4_ZERO_VALUE)

ipv6_slash_zero(self)

Returns True if CidrIpv6 matches ::/0, otherwise False.

Source code in pycfmodel/model/resources/properties/security_group_ingress_prop.py
def ipv6_slash_zero(self) -> bool:
    """ Returns True if `CidrIpv6` matches `::/0` (the range covering every IPv6 address), otherwise False. """
    # Remove after this is fixed https://bugs.python.org/issue38655
    # An unset or empty CidrIpv6 is never the open range, so skip the comparison entirely.
    cidr = self.CidrIpv6
    return bool(cidr) and cidr == IPv6Network(IPV6_ZERO_VALUE)

Statement

Contains information about an attached policy.

Properties:

  • Sid: Optional identifier.
  • Effect: Whether the statement results in an allow or an explicit deny.
  • Principal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is allowed to access a resource.
  • NotPrincipal: Specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal that is not allowed or denied access to a resource.
  • Action: Specific action or actions that will be allowed or denied.
  • NotAction: Explicitly matches everything except the specified action or list of actions.
  • Resource: Specifies the object or objects that the statement covers.
  • NotResource: Specifies the object or objects that the statement does not cover.

More info at AWS Docs

actions_with(self, pattern)

Finds all actions which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of actions.

Source code in pycfmodel/model/resources/properties/statement.py
def actions_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all actions which match the pattern.

    Only string actions are considered; non-string entries (unresolved
    `FunctionDict` values) are skipped rather than matched. The pattern is applied
    with `match`, which anchors at the start only: anchor with `$` if a full match
    is required.

    Arguments:
        pattern: Compiled regular expression applied with `match`.

    Returns:
        List of actions.
    """
    matched = []
    for action in self.get_action_list():
        if not isinstance(action, str):
            continue
        if pattern.match(action):
            matched.append(action)
    return matched

get_action_list(self)

Gets all actions specified in Action and NotAction.

Returns:

Type Description
List[Union[str, pycfmodel.model.base.FunctionDict]]

List of actions.

Source code in pycfmodel/model/resources/properties/statement.py
def get_action_list(self) -> List[ResolvableStr]:
    """
    Gets all actions specified in `Action` and `NotAction`.

    Both fields are flattened into a single list: a list value contributes its
    elements, a string or dict value is appended as-is, and any other value is
    ignored. `NotAction` entries are returned alongside `Action` entries with no
    marker distinguishing them, so callers that interpret the result as granted
    actions must account for `NotAction` semantics themselves.

    Returns:
        List of actions.
    """
    collected = []
    for field_value in (self.Action, self.NotAction):
        if isinstance(field_value, list):
            collected += field_value
        elif isinstance(field_value, (str, dict)):
            collected.append(field_value)
    return collected

get_principal_list(self)

Gets all principals specified in Principal and NotPrincipal.

Returns:

Type Description
List[Union[str, pycfmodel.model.base.FunctionDict]]

List of principals.

Source code in pycfmodel/model/resources/properties/statement.py
def get_principal_list(self) -> List[ResolvableStr]:
    """
    Gets all principals specified in `Principal` and `NotPrincipal`.

    Accepted shapes for each field: a list (elements taken as-is), a plain
    string such as `"*"`, a dict that `is_resolvable_dict` recognises (kept
    whole), or a dict keyed by principal type (e.g. `{"AWS": [...]}`) whose
    values are flattened: string/dict values are appended, list values are
    extended, other value types are dropped. `None` is skipped.
    `NotPrincipal` entries are mixed in with no marker distinguishing them.

    Returns:
        List of principals.

    Raises:
        ValueError: if a field holds a type other than those listed above.
    """
    collected = []
    for field_value in (self.Principal, self.NotPrincipal):
        if isinstance(field_value, list):
            collected.extend(field_value)
        elif isinstance(field_value, str) or is_resolvable_dict(field_value):
            collected.append(field_value)
        elif isinstance(field_value, dict):
            for nested in field_value.values():
                if isinstance(nested, list):
                    collected.extend(nested)
                elif isinstance(nested, (str, dict)):
                    collected.append(nested)
        elif field_value is not None:
            raise ValueError(f"Not supported type: {type(field_value)}")
    return collected

get_resource_list(self)

Gets all resources specified in Resource and NotResource.

Returns:

Type Description
List[Union[str, pycfmodel.model.base.FunctionDict]]

List of resources.

Source code in pycfmodel/model/resources/properties/statement.py
def get_resource_list(self) -> List[ResolvableStr]:
    """
    Gets all resources specified in `Resource` and `NotResource`.

    Both fields are flattened into a single list: a list value contributes its
    elements, a string or dict value is appended as-is, and any other value is
    ignored. `NotResource` entries are returned alongside `Resource` entries with
    no marker distinguishing them, so callers must not read the result as the set
    of resources the statement covers.

    Returns:
        List of resources.
    """
    collected = []
    for field_value in (self.Resource, self.NotResource):
        if isinstance(field_value, list):
            collected += field_value
        elif isinstance(field_value, (str, dict)):
            collected.append(field_value)
    return collected

non_whitelisted_principals(self, whitelist)

Find non whitelisted principals.

Parameters:

Name Type Description Default
whitelist List[str]

List of whitelisted principals.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/statement.py
def non_whitelisted_principals(self, whitelist: List[str]) -> List[str]:
    """
    Find non whitelisted principals.

    The check is an exact string membership test against `whitelist`: no
    wildcard expansion or ARN normalisation is performed, so `"*"` counts as
    whitelisted only if it appears literally in the list. Non-string principals
    are skipped.

    Arguments:
        whitelist: List of whitelisted principals.

    Returns:
        List of principals.
    """
    flagged = []
    for principal in self.get_principal_list():
        if not isinstance(principal, str):
            continue
        if principal not in whitelist:
            flagged.append(principal)
    return flagged

principals_with(self, pattern)

Finds all principals which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of principals.

Source code in pycfmodel/model/resources/properties/statement.py
def principals_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all principals which match the pattern.

    Only string principals are considered; non-string entries are skipped. The
    pattern is applied with `match`, which anchors at the start only.

    Arguments:
        pattern: Compiled regular expression applied with `match`.

    Returns:
        List of principals.
    """
    matched = []
    for principal in self.get_principal_list():
        if not isinstance(principal, str):
            continue
        if pattern.match(principal):
            matched.append(principal)
    return matched

resources_with(self, pattern)

Finds all resources which match the pattern.

Parameters:

Name Type Description Default
pattern Pattern

Pattern to match.

required

Returns:

Type Description
List[str]

List of resources.

Source code in pycfmodel/model/resources/properties/statement.py
def resources_with(self, pattern: Pattern) -> List[str]:
    """
    Finds all resources which match the pattern.

    Only string resources are considered; non-string entries are skipped. The
    pattern is applied with `match`, which anchors at the start only.

    Arguments:
        pattern: Compiled regular expression applied with `match`.

    Returns:
        List of resources.
    """
    matched = []
    for resource in self.get_resource_list():
        if not isinstance(resource, str):
            continue
        if pattern.match(resource):
            matched.append(resource)
    return matched