iam

List of AWS Managed Policies

AWS provides many pre-baked, commonly used AWS managed IAM policies that you can attach instead of writing your own delicate IAM policy. However, looking up the exact ARN of one of those policies is annoying. This helper lets you auto-complete the AWS managed policy ARN.

Example:

import ctf

ctf.helpers.iam.AwsManagedPolicy.AmazonEC2FullAccess # auto complete here

List of AWS Service principals:

An IAM role requires a trusted entity to be defined. The trust policy looks something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "{service_name}.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

However, it is painful to find the valid service principal value for a given AWS service. cottonformation aims to enumerate those values so that developers can use them easily, with auto-complete support.

Example:

import ctf

ctf.helpers.iam.AssumeRolePolicyBuilder(
    ctf.helpers.iam.ServicePrincipal.awslambda() # auto complete here
).build()

There are three sources you can use to get the list of AWS service principals:

Confirmed by AWS: even AWS engineers don't know the full list. There's no such thing. Personally I prefer to use the botocore data set because it is maintained by AWS.

class cottonformation.core.helpers.iam.AwsManagedPolicy

Helper class for looking up valid AWS managed IAM policy ARNs.

You can view the full list of AWS managed policies in the console here: https://console.aws.amazon.com/iam/home?region=us-east-1#/policies

or use the AWS CLI, aws iam list-policies --scope AWS --max-items 1000, and read the policy name and ARN from the response.

class cottonformation.core.helpers.iam.ServicePrincipal(service_principal: str)

The policy document looks like this:

{
    "Effect": "Allow",
    "Principal": {
        "Service": "{service_name}.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
}

class cottonformation.core.helpers.iam.AccountPrincipal(account_id: str, external_id: Optional[str] = None, mfa_auth: bool = False)

The policy document looks like this:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::110330507156:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {
            "sts:ExternalId": "your-external-id"
        },
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        }
    }
}

class cottonformation.core.helpers.iam.WebIdentityPrincipal

TODO

The policy document looks like this:

{
    "Effect": "Allow",
    "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {
            "cognito-identity.amazonaws.com:key1": "value1",
            "cognito-identity.amazonaws.com:key2": "value2"
        }
    }
}

class cottonformation.core.helpers.iam.SamlPrincipal

TODO

class cottonformation.core.helpers.iam.AssumeRolePolicyBuilder(*args: Union[cottonformation.core.helpers.iam._AwsPrincipal, str])

Helper class to build IAM trusted entity / assume role policy.
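The following is an added, self-contained example and not cottonformation's own code: a minimal stand-in for ServicePrincipal, AccountPrincipal and AssumeRolePolicyBuilder that emits the statement shapes documented above, plus a check that flags cross-account trust statements carrying neither the sts:ExternalId nor the aws:MultiFactorAuthPresent condition. Function names, the sample_policy() helper and the account ids in it are constructed placeholders, not library API.

```python
# Added example, not cottonformation's own code: a minimal stand-in for the
# ServicePrincipal / AccountPrincipal / AssumeRolePolicyBuilder helpers above.
from typing import Any, Dict, List, Optional

def service_principal(service: str) -> Dict[str, Any]:
    # "lambda" -> trust for lambda.amazonaws.com (ServicePrincipal shape above)
    return {"Effect": "Allow",
            "Principal": {"Service": f"{service}.amazonaws.com"},
            "Action": "sts:AssumeRole"}

def account_principal(account_id: str, external_id: Optional[str] = None,
                      mfa_auth: bool = False) -> Dict[str, Any]:
    # AccountPrincipal shape above; each Condition key is emitted only when requested
    stmt: Dict[str, Any] = {"Effect": "Allow",
                            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                            "Action": "sts:AssumeRole"}
    cond: Dict[str, Any] = {}
    if external_id is not None:
        cond["StringEquals"] = {"sts:ExternalId": external_id}
    if mfa_auth:
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if cond:
        stmt["Condition"] = cond
    return stmt

def build_trust_policy(*statements: Dict[str, Any]) -> Dict[str, Any]:
    # Envelope from the first JSON document on this page
    return {"Version": "2012-10-17", "Statement": list(statements)}

def unguarded_cross_account(policy: Dict[str, Any]) -> List[str]:
    # Account principals that may assume the role with neither an ExternalId nor an MFA condition
    findings: List[str] = []
    for stmt in policy["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS")
        if stmt.get("Effect") != "Allow" or aws is None:
            continue
        cond = stmt.get("Condition", {})
        has_ext = "sts:ExternalId" in cond.get("StringEquals", {})
        has_mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if not (has_ext or has_mfa):
            findings.extend([aws] if isinstance(aws, str) else aws)
    return findings

def sample_policy() -> Dict[str, Any]:
    # Constructed sample (placeholder account ids): service, guarded and unguarded account trusts
    return build_trust_policy(
        service_principal("lambda"),
        account_principal("123456789012", external_id="your-external-id", mfa_auth=True),
        account_principal("210987654321"))
```

Running unguarded_cross_account(sample_policy()) returns only the third statement's principal, since the second carries both guards and the first trusts a service rather than an account.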