%global _empty_manifest_terminate_build 0 Name: python-aws-iam-tester Version: 1.0.3 Release: 1 Summary: AWS IAM tester - simple command-line tool to check permissions handed out to IAM users and roles. License: MIT URL: https://github.com/gercograndia/aws-iam-tester Source0: https://mirrors.aliyun.com/pypi/web/packages/b2/85/3bcd231a278a6ac396d930443ad8324eb0841f8237b28f32dfecda2d47c7/aws_iam_tester-1.0.3.tar.gz BuildArch: noarch Requires: python3-boto3 Requires: python3-pyyaml Requires: python3-click Requires: python3-termcolor Requires: python3-outdated Requires: python3-tabulate %description user_landing_account: 0123456789 # ID of AWS Account that is allowed to assume roles in the test account global_exemptions: # The roles and/or users below will be ignored in all tests. Regular expressions are supported - "^arn:aws:iam::(\\d{12}):user/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d{12}):role/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d{12}):role/AWSCloudFormationStackSetExecutionRole$" ``` Then you define a list of tests, each consisting at least of a set of: - actions - resources - the expected result (should it fail or succeed) ```yaml # List of tests to execute. In general the configurations follow the rules of the AWS IAM Policy Simulator. # For more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html tests: - actions: # list of actions to validate - "*:*" - iam:* - iam:AddUser* - iam:Attach* - iam:Create* - iam:Delete* - iam:Detach* - iam:Pass* - iam:Put* - iam:Remove* - iam:UpdateAccountPasswordPolicy - sts:AssumeRole - sts:AssumeRoleWithSAML expected_result: fail # 'fail' or 'succeed' resources: # list of resources to validate against - "*" ``` Rather than using all users and roles (without exemptions) you can also limit your test to a particular set of users and roles. The test below does that, including defining a custom context that specifies multi factor authentication is disabled when running the test. By default the context under which the simulations are run assumes MFA is enabled, but you can override that with the `custom_context` element. For more information see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html). ```yaml - actions: # Same list of actions, but now check (with a custom context) whether - "*:*" - iam:* - iam:AddUser* - iam:Attach* - iam:Create* - iam:Delete* - iam:Detach* - iam:Pass* - iam:Put* - iam:Remove* - iam:UpdateAccountPasswordPolicy - sts:AssumeRole - sts:AssumeRoleWithSAML expected_result: fail # 'fail' or 'succeed' resources: # list of resources to validate against - "*" limit_to: # check this list for the admin users - "^arn:aws:iam::(\\d*):user/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d*):role/(.*)(ADMIN|admin)(.*)$" # test if the admins are required to use multi factor authentication custom_context: - context_key_name: aws:MultiFactorAuthPresent context_key_values: false context_key_type: boolean ``` Or if you want to do that for **all** tests you can use the `global_limit_to`: %package -n python3-aws-iam-tester Summary: AWS IAM tester - simple command-line tool to check permissions handed out to IAM users and roles. Provides: python-aws-iam-tester BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: python3-pip %description -n python3-aws-iam-tester user_landing_account: 0123456789 # ID of AWS Account that is allowed to assume roles in the test account global_exemptions: # The roles and/or users below will be ignored in all tests. Regular expressions are supported - "^arn:aws:iam::(\\d{12}):user/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d{12}):role/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d{12}):role/AWSCloudFormationStackSetExecutionRole$" ``` Then you define a list of tests, each consisting at least of a set of: - actions - resources - the expected result (should it fail or succeed) ```yaml # List of tests to execute. In general the configurations follow the rules of the AWS IAM Policy Simulator. # For more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html tests: - actions: # list of actions to validate - "*:*" - iam:* - iam:AddUser* - iam:Attach* - iam:Create* - iam:Delete* - iam:Detach* - iam:Pass* - iam:Put* - iam:Remove* - iam:UpdateAccountPasswordPolicy - sts:AssumeRole - sts:AssumeRoleWithSAML expected_result: fail # 'fail' or 'succeed' resources: # list of resources to validate against - "*" ``` Rather than using all users and roles (without exemptions) you can also limit your test to a particular set of users and roles. The test below does that, including defining a custom context that specifies multi factor authentication is disabled when running the test. By default the context under which the simulations are run assumes MFA is enabled, but you can override that with the `custom_context` element. For more information see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html). ```yaml - actions: # Same list of actions, but now check (with a custom context) whether - "*:*" - iam:* - iam:AddUser* - iam:Attach* - iam:Create* - iam:Delete* - iam:Detach* - iam:Pass* - iam:Put* - iam:Remove* - iam:UpdateAccountPasswordPolicy - sts:AssumeRole - sts:AssumeRoleWithSAML expected_result: fail # 'fail' or 'succeed' resources: # list of resources to validate against - "*" limit_to: # check this list for the admin users - "^arn:aws:iam::(\\d*):user/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d*):role/(.*)(ADMIN|admin)(.*)$" # test if the admins are required to use multi factor authentication custom_context: - context_key_name: aws:MultiFactorAuthPresent context_key_values: false context_key_type: boolean ``` Or if you want to do that for **all** tests you can use the `global_limit_to`: %package help Summary: Development documents and examples for aws-iam-tester Provides: python3-aws-iam-tester-doc %description help user_landing_account: 0123456789 # ID of AWS Account that is allowed to assume roles in the test account global_exemptions: # The roles and/or users below will be ignored in all tests. Regular expressions are supported - "^arn:aws:iam::(\\d{12}):user/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d{12}):role/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d{12}):role/AWSCloudFormationStackSetExecutionRole$" ``` Then you define a list of tests, each consisting at least of a set of: - actions - resources - the expected result (should it fail or succeed) ```yaml # List of tests to execute. In general the configurations follow the rules of the AWS IAM Policy Simulator. # For more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html tests: - actions: # list of actions to validate - "*:*" - iam:* - iam:AddUser* - iam:Attach* - iam:Create* - iam:Delete* - iam:Detach* - iam:Pass* - iam:Put* - iam:Remove* - iam:UpdateAccountPasswordPolicy - sts:AssumeRole - sts:AssumeRoleWithSAML expected_result: fail # 'fail' or 'succeed' resources: # list of resources to validate against - "*" ``` Rather than using all users and roles (without exemptions) you can also limit your test to a particular set of users and roles. The test below does that, including defining a custom context that specifies multi factor authentication is disabled when running the test. By default the context under which the simulations are run assumes MFA is enabled, but you can override that with the `custom_context` element. For more information see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html). ```yaml - actions: # Same list of actions, but now check (with a custom context) whether - "*:*" - iam:* - iam:AddUser* - iam:Attach* - iam:Create* - iam:Delete* - iam:Detach* - iam:Pass* - iam:Put* - iam:Remove* - iam:UpdateAccountPasswordPolicy - sts:AssumeRole - sts:AssumeRoleWithSAML expected_result: fail # 'fail' or 'succeed' resources: # list of resources to validate against - "*" limit_to: # check this list for the admin users - "^arn:aws:iam::(\\d*):user/(.*)(ADMIN|admin)(.*)$" - "^arn:aws:iam::(\\d*):role/(.*)(ADMIN|admin)(.*)$" # test if the admins are required to use multi factor authentication custom_context: - context_key_name: aws:MultiFactorAuthPresent context_key_values: false context_key_type: boolean ``` Or if you want to do that for **all** tests you can use the `global_limit_to`: %prep %autosetup -n aws_iam_tester-1.0.3 %build %py3_build %install %py3_install install -d -m755 %{buildroot}/%{_pkgdocdir} if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi pushd %{buildroot} if [ -d usr/lib ]; then find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst fi if [ -d usr/lib64 ]; then find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst fi if [ -d usr/bin ]; then find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst fi if [ -d usr/sbin ]; then find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst fi touch doclist.lst if [ -d usr/share/man ]; then find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst fi popd mv %{buildroot}/filelist.lst . mv %{buildroot}/doclist.lst . %files -n python3-aws-iam-tester -f filelist.lst %dir %{python3_sitelib}/* %files help -f doclist.lst %{_docdir}/* %changelog * Fri Jun 09 2023 Python_Bot - 1.0.3-1 - Package Spec generated