def load_group_policies()

in cartography/intel/aws/iam.py [0:0]


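def load_group_policies(session, group_policies, aws_update_tag):
    """Ingest the sts:AssumeRole reach of IAM groups into the graph.

    For every group in ``group_policies`` and every role ARN that
    ``_find_roles_assumable_in_policy`` extracts from each of the group's
    policy documents, MERGE an ``AWSRole`` node keyed on that ARN and an
    ``(AWSGroup)-[:STS_ASSUMEROLE_ALLOW]->(AWSRole)`` relationship, stamping
    both with ``aws_update_tag`` so a later cleanup pass can drop stale data.
    The query MATCHes the group by name, so a group that was never loaded
    produces no writes (MATCH yields nothing, the MERGE never runs).

    Args:
        session: Neo4j session exposing ``run(query, **params)``. Every
            caller-supplied value is passed as a query parameter, never
            interpolated into the Cypher text.
        group_policies: mapping ``{group_name: {policy_name: policy_data}}``.
            ``policy_data`` is whatever ``_find_roles_assumable_in_policy``
            accepts; the policy name is not recorded in the graph.
        aws_update_tag: sync marker written to ``lastupdated`` on the
            MERGEd node and relationship.

    Returns:
        None. Side effect only (graph writes through ``session.run``).

    Security caveat:
        Role ARNs are written verbatim. A policy that grants sts:AssumeRole
        on a wildcard resource (``*`` or ``arn:aws:iam::*:role/admin``) is
        not expanded, so it yields a single AWSRole node whose ``arn`` is the
        literal wildcard string rather than edges to every role it actually
        matches. The graph therefore UNDER-reports that group's assume-role
        reach; the absence of an STS_ASSUMEROLE_ALLOW edge must not be read
        as "cannot assume". This function also does nothing about Deny
        statements or Conditions; whether the helper accounts for them is
        not visible here.
    """
    # NOTE(review): ``{Param}`` is the Neo4j 3.x parameter syntax; Neo4j 4+
    # only accepts ``$Param``. Left unchanged so the driver the project
    # targets keeps working -- confirm against the rest of the module.
    ingest_policies_assume_role = """
    MATCH (group:AWSGroup{name: {GroupName}})
    WITH group
    MERGE (role:AWSRole{arn: {RoleArn}})
    ON CREATE SET role.firstseen = timestamp()
    SET role.lastupdated = {aws_update_tag}
    WITH role, group
    MERGE (group)-[r:STS_ASSUMEROLE_ALLOW]->(role)
    ON CREATE SET r.firstseen = timestamp()
    SET r.lastupdated = {aws_update_tag}
    """

    for group_name, policies in group_policies.items():
        # Several of a group's policies commonly grant the same role. MERGE
        # with identical parameters is a no-op on repeat, so skip the extra
        # round trips; first-occurrence order of the writes is preserved.
        seen_role_arns = set()
        # Only the policy document is used; the policy name is not written
        # to the graph, hence .values() rather than .items().
        for policy_data in policies.values():
            for role_arn in _find_roles_assumable_in_policy(policy_data):
                if role_arn in seen_role_arns:
                    continue
                seen_role_arns.add(role_arn)
                # TODO resource ARNs may contain wildcards, e.g. arn:aws:iam::*:role/admin --
                # TODO policyuniverse can't expand resource wildcards so further thought is needed here.
                # Until then a wildcard becomes one literal AWSRole node and the
                # group's real assume-role reach is under-reported (see docstring).
                session.run(
                    ingest_policies_assume_role,
                    GroupName=group_name,
                    RoleArn=role_arn,
                    aws_update_tag=aws_update_tag,
                )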