Merge pull request #394 from kmcquade/fix/GH-393-overlap-scenarios-missing-services

Fixes issue with IAM definition having missing actions for several popular services

Author: kmcquade

policy_sentry/shared/awsdocs.py

@@ -161,6 +161,7 @@ def create_database(destination_directory, access_level_overrides_file):
         parents=True, exist_ok=True
     )
 
+    # This holds the entire IAM definition
     schema = {}
 
     # for filename in ['list_amazonathena.partial.html']:
@@ -191,27 +192,30 @@ def create_database(destination_directory, access_level_overrides_file):
             title = title.replace("</h1>", "")
             service_name = chomp(title)
 
-            prefix = ""
+            service_prefix = ""
             for c in main_content.find("h1", class_="topictitle").parent.children:
                 if "prefix" in str(c):
-                    prefix = str(c)
-                    prefix = prefix.split('<code class="code">')[1]
-                    prefix = chomp(prefix.split("</code>")[0])
+                    service_prefix = str(c)
+                    service_prefix = service_prefix.split('<code class="code">')[1]
+                    service_prefix = chomp(service_prefix.split("</code>")[0])
                     break
-            # The URL to that service's Actions, Resources, and Condition Keys page
-            service_authorization_url_prefix = "https://docs.aws.amazon.com/service-authorization/latest/reference"
-            service_authorization_url = f"{service_authorization_url_prefix}/{filename}"
-            service_schema = {
-                "service_name": service_name,
-                "prefix": prefix,
-                "service_authorization_url": service_authorization_url,
-                "privileges": {},
-                "resources": {},
-                "conditions": {},
-            }
+
+            if service_prefix not in schema.keys():
+                schema[service_prefix] = {}
+                # The URL to that service's Actions, Resources, and Condition Keys page
+                service_authorization_url_prefix = "https://docs.aws.amazon.com/service-authorization/latest/reference"
+                service_authorization_url = f"{service_authorization_url_prefix}/{filename}"
+                schema[service_prefix] = {
+                    "service_name": service_name,
+                    "prefix": service_prefix,
+                    "service_authorization_url": service_authorization_url,
+                    "privileges": {},
+                    "resources": {},
+                    "conditions": {},
+                }
 
             access_level_overrides_cfg = get_action_access_level_overrides_from_yml(
-                prefix, access_level_overrides_file
+                service_prefix, access_level_overrides_file
             )
 
             tables = main_content.find_all("div", class_="table-contents")
@@ -256,7 +260,6 @@ def create_database(destination_directory, access_level_overrides_file):
                         priv = chomp(link.text)
                     if priv == "":
                         priv = chomp(cells[0].text)
-                    service_prefix = prefix
                     action_name = priv
                     description = chomp(cells[1].text)
                     access_level = chomp(cells[2].text)
@@ -338,7 +341,7 @@ def create_database(destination_directory, access_level_overrides_file):
                         "api_documentation_link": api_documentation_link
                     }
 
-                    service_schema["privileges"][priv] = privilege_schema
+                    schema[service_prefix]["privileges"][priv] = privilege_schema
                     row_number += 1
 
             # Get resource table
@@ -368,7 +371,7 @@ def create_database(destination_directory, access_level_overrides_file):
                     for condition in cells[2].find_all("p"):
                         conditions.append(chomp(condition.text))
 
-                    service_schema["resources"][resource] = {
+                    schema[service_prefix]["resources"][resource] = {
                         "resource": resource,
                         "arn": arn,
                         "condition_keys": conditions
@@ -398,15 +401,15 @@ def create_database(destination_directory, access_level_overrides_file):
                     description = chomp(cells[1].text)
                     value_type = chomp(cells[2].text)
 
-                    service_schema["conditions"][condition] = {
+                    schema[service_prefix]["conditions"][condition] = {
                         "condition": condition,
                         "description": description,
                         "type": value_type,
                     }
-            this_service_schema = {
-                service_prefix: service_schema
-            }
-            schema.update(this_service_schema)
+            # this_service_schema = {
+            #     service_prefix: service_schema
+            # }
+            # schema.update(this_service_schema)
 
     iam_definition_file = os.path.join(destination_directory, "iam-definition.json")
     with open(iam_definition_file, "w") as file:

policy_sentry/shared/data/docs/list_amazoncomprehend.html

@@ -678,6 +678,45 @@ <h2 id="amazoncomprehend-actions-as-permissions">
                <td>
                </td>
               </tr>
+              <tr>
+               <td rowspan="2">
+                <a id="amazoncomprehend-DeleteResourcePolicy">
+                </a>
+                <a href="https://docs.aws.amazon.com/comprehend/latest/dg/API_DeleteResourcePolicy.html">
+                 DeleteResourcePolicy
+                </a>
+               </td>
+               <td rowspan="2">
+                Grants permission to remove policy on resource
+               </td>
+               <td rowspan="2">
+                Write
+               </td>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-document-classifier">
+                  document-classifier*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
+              <tr>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-entity-recognizer">
+                  entity-recognizer*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
               <tr>
                <td>
                 <a id="amazoncomprehend-DescribeDocumentClassificationJob">
@@ -925,6 +964,45 @@ <h2 id="amazoncomprehend-actions-as-permissions">
                <td>
                </td>
               </tr>
+              <tr>
+               <td rowspan="2">
+                <a id="amazoncomprehend-DescribeResourcePolicy">
+                </a>
+                <a href="https://docs.aws.amazon.com/comprehend/latest/dg/API_DescribeResourcePolicy.html">
+                 DescribeResourcePolicy
+                </a>
+               </td>
+               <td rowspan="2">
+                Grants permission to read attached policy on resource
+               </td>
+               <td rowspan="2">
+                Read
+               </td>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-document-classifier">
+                  document-classifier*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
+              <tr>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-entity-recognizer">
+                  entity-recognizer*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
               <tr>
                <td>
                 <a id="amazoncomprehend-DescribeSentimentDetectionJob">
@@ -1108,6 +1186,68 @@ <h2 id="amazoncomprehend-actions-as-permissions">
                <td>
                </td>
               </tr>
+              <tr>
+               <td rowspan="3">
+                <a id="amazoncomprehend-ImportModel">
+                </a>
+                <a href="https://docs.aws.amazon.com/comprehend/latest/dg/API_ImportModel.html">
+                 ImportModel
+                </a>
+               </td>
+               <td rowspan="3">
+                Grants permission to import a trained Comprehend model
+               </td>
+               <td rowspan="3">
+                Write
+               </td>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-document-classifier">
+                  document-classifier*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
+              <tr>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-entity-recognizer">
+                  entity-recognizer*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
+              <tr>
+               <td>
+               </td>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-aws_RequestTag___TagKey_">
+                  aws:RequestTag/${TagKey}
+                 </a>
+                </p>
+                <p>
+                 <a href="#amazoncomprehend-aws_TagKeys">
+                  aws:TagKeys
+                 </a>
+                </p>
+                <p>
+                 <a href="#amazoncomprehend-comprehend_ModelKmsKey">
+                  comprehend:ModelKmsKey
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+              </tr>
               <tr>
                <td>
                 <a id="amazoncomprehend-ListDocumentClassificationJobs">
@@ -1550,6 +1690,45 @@ <h2 id="amazoncomprehend-actions-as-permissions">
                <td>
                </td>
               </tr>
+              <tr>
+               <td rowspan="2">
+                <a id="amazoncomprehend-PutResourcePolicy">
+                </a>
+                <a href="https://docs.aws.amazon.com/comprehend/latest/dg/API_PutResourcePolicy.html">
+                 PutResourcePolicy
+                </a>
+               </td>
+               <td rowspan="2">
+                Grants permission to attach policy to resource
+               </td>
+               <td rowspan="2">
+                Write
+               </td>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-document-classifier">
+                  document-classifier*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
+              <tr>
+               <td>
+                <p>
+                 <a href="#amazoncomprehend-entity-recognizer">
+                  entity-recognizer*
+                 </a>
+                </p>
+               </td>
+               <td>
+               </td>
+               <td>
+               </td>
+              </tr>
               <tr>
                <td rowspan="3">
                 <a id="amazoncomprehend-StartDocumentClassificationJob">
@@ -3180,7 +3359,7 @@ <h2 id="amazoncomprehend-policy-keys">
                 </a>
                </td>
                <td>
-                Filters access to create requests based on the allowed set of values for each of the mandatory tags
+                Filters access by requiring tag values present in a resource creation request
                </td>
                <td>
                 String
@@ -3195,7 +3374,7 @@ <h2 id="amazoncomprehend-policy-keys">
                 </a>
                </td>
                <td>
-                Filters access to actions based on the tag value associated with the resource
+                Filters access by requiring tag value associated with the resource
                </td>
                <td>
                 String
@@ -3210,7 +3389,7 @@ <h2 id="amazoncomprehend-policy-keys">
                 </a>
                </td>
                <td>
-                Filters access to create requests based on the presence of mandatory tags in the request
+                Filters access by requiring the presence of mandatory tags in the request
                </td>
                <td>
                 String
@@ -3388,4 +3567,4 @@ <h2 id="amazoncomprehend-policy-keys">
    </awsdocs-cookie-banner>
   </div>
  </body>
-</html>
+</html>