in cartography/intel/aws/s3.py [0:0]
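def parse_policy(bucket, policy):
    """
    Parse an S3 bucket policy with PolicyUniverse and report whether it is internet accessible.

    :param bucket: the bucket name; echoed back unchanged in the result
    :param policy: the boto3 ``get_bucket_policy`` response, i.e. a dict whose ``Policy`` value is
        the policy document as a JSON *string*, or None when the bucket has no policy attached
    :return: ``{"bucket": ..., "internet_accessible": True, "accessible_actions": [...]}`` when
        PolicyUniverse judges the policy internet accessible, otherwise None
    :raises json.JSONDecodeError: if the policy document is not valid JSON. This is propagated on
        purpose: a policy we cannot parse must not be silently reported as "not public".
    """
    # A bucket policy is optional: the whole response, or its document, may be missing or empty.
    # Either case means the policy grants nothing, so there is nothing to report.
    if not policy:
        return None
    raw_document = policy.get('Policy')
    if not raw_document:
        return None

    # The document arrives as a JSON string inside the response. Its shape is roughly:
    #
    # {
    #   "Version": "2012-10-17",
    #   "Statement": [
    #     {
    #       "Effect": "Allow",
    #       "Principal": "*",
    #       "Action": "s3:GetObject",
    #       "Resource": "arn:aws:s3:::MyBucket/*"
    #     },
    #     {
    #       "Effect": "Deny",
    #       "Principal": "*",
    #       "Action": "s3:GetObject",
    #       "Resource": "arn:aws:s3:::MyBucket/MySecretFolder/*"
    #     },
    #     {
    #       "Effect": "Allow",
    #       "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    #       "Action": ["s3:DeleteObject", "s3:PutObject"],
    #       "Resource": "arn:aws:s3:::MyBucket/*"
    #     }
    #   ]
    # }
    #
    # "Condition" blocks are free-form JSON, so the whole document is handed to policyuniverse
    # as-is rather than being picked apart here.
    parsed = Policy(json.loads(raw_document))

    # NOTE(review): only the bucket *policy* is evaluated. Bucket ACLs, S3 Block Public Access
    # settings and organisation SCPs can widen or narrow the real exposure and are not visible
    # here, and policyuniverse's accessibility test is a heuristic over principals/conditions --
    # confirm its behaviour for the library version in use before treating None as "private".
    if not parsed.is_internet_accessible():
        return None

    return {
        "bucket": bucket,
        "internet_accessible": True,
        # internet_accessible_actions() yields a set; sort it so the emitted list is
        # deterministic across runs (stable graph writes and diffs instead of set-order noise).
        "accessible_actions": sorted(parsed.internet_accessible_actions()),
    }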