iann0036 / iamfast Goto Github PK

View Code? Open in Web Editor NEW

164.0 7.0 9.0 7.92 MB

AWS IAM policy generation from application code

License: GNU General Public License v3.0

JavaScript 86.18% Java 12.85% ANTLR 0.68% Shell 0.03% C++ 0.04% Go 0.06% Python 0.16% Rust 0.01%

aws iam ast iam-policy

iamfast's Introduction

iamfast

🚧 EXPERIMENTAL 🚧

IAM policy generation from application code

Installation

npm i -g iamfast

You can also install iamfast as a Visual Studio Code extension.

Usage

Execute iamfast with the first argument being the file or directory (currently slow, not yet recommended) to be scanned.

iamfast yourfile.js

iamfast supports the following programming languages:

JavaScript (v2 SDK)
Python 3 (Boto3 SDK)
Go (v1 SDK)
Java (v2 SDK)
C/C++ (v1 SDK)
Amazon States Language / Step Functions State Machines (JSON)

Optional Flags

--format <type>: Sets the format of the output, currently supporting json (default), yaml, hcl and sam

Example

> cat tests/js/test1.js
// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');
// Set the region 
AWS.config.update({region: 'us-east-1'});

// Create the DynamoDB service object
var ddb = new AWS.DynamoDB({apiVersion: '2012-08-10'});

var params = {
  TableName: 'CUSTOMER_LIST',
  Item: {
    'CUSTOMER_ID' : {N: '001'},
    'CUSTOMER_NAME' : {S: 'Richard Roe'}
  }
};

// Call DynamoDB to add the item to the table
ddb.putItem(params, function(err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    console.log("Success", data);
  }
});

> iamfast tests/js/test1.js
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/CUSTOMER_LIST"
            ]
        }
    ]
}

Test

To run tests:

npm test

Development Progress

File Structure

src/AWSParser.js - Generates token streams and calls walkers for individual languages, also maps resource instantiations
src/EnvironmentVariable.js - Dedicated class for environment variable type
src/IAMFast.js - Generates the actual policies / outputs by referencing the action map and calling AWSParser.js functions
src/main.js - CLI setup and entrypoint for non-module use
src/lib/<Language>ScopeListener.js - Custom listener hooks to track variable and function declarations (1st pass)
src/lib/<Language>AWSListener.js - Custom listener hooks to track client calls etc. (2nd pass)
src/lib/<Language>Parser.js - Auto-generated (ANTLR) language parser logic
grammars/<Language>Parser.js - Individual ANTLR language definitions, used to generate src/lib/<Language>Parser.js

General

JavaScript

Python

Go

Java

C++

iamfast's People

Contributors

Stargazers

Watchers

Forkers

etolbakov jewelhuq ashcache-computing-support-and-services yoavrez olafconijn avi202020 ccarrylab kjm0001 samtimur

iamfast's Issues

greedy regex sometimes replaces too many parameters in a single resource template

update

rootcause of the problem is that the regex here matches greedy. multiple ${xxxx} ${yyyy} expressions get collapsed into 1.
I believe the regex should be /\$\{.*?\}/g instead of /\$\{.*\}/g

previous issue (not the rootcause) below

currenlty, execute-api:Invoke permissions use arn:aws:execute-api:partition:account:* as resource.
would be great to map the properties of this call into a template:

"ApiEndpoint": "abcdef123.execute-api.us-east-1.amazonaws.com",
"Method": "GET",
"Stage": "prod",
"Path": "/path/to/resource",
```_

would be great to be able to tree shake unused lexers/parsers out of the module

currently iam fast supports a number of languages. when taking a dependency on iamfast it would be great to have the possibility to treeshake languages that are not used out of the package

AWS SDK v3 support for js/ts

would be incredibly cool if AWS SDK V3 calls would be supported.

CloudWatch PutMetric could specify IAM condition cloudwatch:namespace

CloudWatch PutMetric does not support a resource type. what it does support is an IAM condition key called cloudwatch:namespace. the value for this condition key can be copied from the Namespace property

events:PutTargets,PutRule,etc.etc generate invalid IAM when default EventBus is used

when generating IAM policies for some of the eventbus operations and not specifying the EventBus (have it use the default bus) the IAM permission is wrong.

expected: arn:aws:events:us-east-1:123456789012:rule/MyRule
actual: arn:aws:events:us-east-1:123456789012:rule[/*]/MyRule

DynamoDb.TransactWriteItems defaults to "*" resource

when generating an IAM policy for DynamoDb.TransactWriteItems, the permissions (e.g. conditionCheck, putItem, etc) use * as resource. would be great if the TableName of TransactWriteItems was used instead