iam
List of AWS Managed Policy
AWS provides many pre-baked, commonly used AWS Managed IAM Policies that you can use without writing your own delicate IAM Policy. However, looking up the exact ARN of those policies is tedious. This helper lets you auto-complete the AWS Managed Policy ARN.
Example:
import ctf
ctf.helpers.iam.AwsManagedPolicy.AmazonEC2FullAccess # auto complete here
List of AWS Service principals:
An IAM role requires you to define its trusted entity. The trust policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "{service_name}.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
However, it is painful to find the valid value for a given AWS service. cottonformation aims to enumerate those values so developers can easily use them, supported by auto-complete.
Example:
import ctf
ctf.helpers.iam.AssumeRolePolicyBuilder(
ctf.helpers.iam.ServicePrincipal.awslambda() # auto complete here
).build()
There are three sources you can use to get the list of AWS Service principals:
A community-maintained GitHub gist: https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
The aws cli GitHub repository: https://github.com/aws/aws-cli/tree/develop/awscli/examples
The botocore data set: https://raw.githubusercontent.com/boto/botocore/develop/botocore/data/endpoints.json
Confirmed by AWS: even AWS engineers don't know the full list. There's no such thing. Personally, I prefer to use the botocore data set because it is maintained by AWS.
- class cottonformation.core.helpers.iam.AwsManagedPolicy
Helper class to look up valid AWS Managed IAM Policy ARNs.
You can view the full list of AWS managed policies in the console here https://console.aws.amazon.com/iam/home?region=us-east-1#/policies
or use the aws cli:
aws iam list-policies --scope AWS --max-items 1000
and find the policy name and ARN value in the response.
- class cottonformation.core.helpers.iam.ServicePrincipal(service_principal: str)
Policy document looks like this:
{
    "Effect": "Allow",
    "Principal": {
        "Service": "{service_name}.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
}
- class cottonformation.core.helpers.iam.AccountPrincipal(account_id: str, external_id: Optional[str] = None, mfa_auth: bool = False)
Policy document looks like this:
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::110330507156:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {
            "sts:ExternalId": "your-external-id"
        },
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        }
    }
}
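The following is an added example, not cottonformation's own code, showing how the service and account trust statements described above are assembled into one trust policy, and a review check that reports cross-account principals trusted without the ExternalId or MFA condition (the account IDs are constructed placeholders; the function names are this example's, not the library's):

```python
import json


def service_principal(service_name):
    """Trust an AWS service, e.g. 'lambda' -> lambda.amazonaws.com."""
    return {"Service": f"{service_name}.amazonaws.com"}


def account_principal(account_id):
    """Trust every IAM identity in another account (the account root)."""
    return {"AWS": f"arn:aws:iam::{account_id}:root"}


def assume_role_statement(principal, external_id=None, mfa_auth=False):
    """One Allow statement for sts:AssumeRole, with the optional
    sts:ExternalId and aws:MultiFactorAuthPresent conditions."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    cond = {}
    if external_id is not None:
        cond["StringEquals"] = {"sts:ExternalId": external_id}
    if mfa_auth:
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if cond:
        stmt["Condition"] = cond
    return stmt


def build_assume_role_policy(*statements):
    """Wrap statements in the trust-policy envelope shown on this page."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def unconditioned_account_principals(policy):
    """Return account ARNs trusted with no Condition at all.  Such a trust
    lets any principal in that account assume the role, so a reviewer
    would want these listed before the role is deployed."""
    findings = []
    for stmt in policy["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS")
        if aws and stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            findings.append(aws)
    return findings


if __name__ == "__main__":
    # Constructed account IDs (AWS documentation-style placeholders).
    policy = build_assume_role_policy(
        assume_role_statement(service_principal("lambda")),
        assume_role_statement(account_principal("111122223333"),
                              external_id="your-external-id", mfa_auth=True),
        assume_role_statement(account_principal("444455556666")),
    )
    print(json.dumps(policy, indent=2))
    print("unconditioned account trusts:", unconditioned_account_principals(policy))
```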
- class cottonformation.core.helpers.iam.WebIdentityPrincipal
TODO
Policy document looks like this:
{
    "Effect": "Allow",
    "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {
            "cognito-identity.amazonaws.com:key1": "value2",
            "cognito-identity.amazonaws.com:key2": "value2"
        }
    }
}