IAM Least Privilege Policy Generator.
For walkthroughs and full documentation, please visit the project on ReadTheDocs.
See the Salesforce Engineering Blog post on Policy Sentry.
Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Many Infrastructure as Code developers have experienced something like this:
Such a process is not ideal for security or for Infrastructure as Code developers. We need to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies. That's why I made this tool.
Policy Sentry allows users to create least-privilege IAM policies in a matter of seconds, rather than tediously writing IAM policies by hand. These policies are scoped down according to access levels and resources. In the case of a breach, this helps to limit the blast radius of compromised credentials by only giving IAM principals access to what they need.
Before this tool, it could take hours to craft an IAM Policy with resource ARN constraints — but now it can take a matter of seconds. This way, developers only have to determine the resources that they need to access, and Policy Sentry abstracts the complexity of IAM policies away from their development processes.
Policy Sentry's flagship feature is that it can create IAM policies based on resource ARNs and access levels. Our CRUD functionality takes the opinionated approach that IAC developers shouldn't have to understand the complexities of AWS IAM - we should abstract the complexity for them. In fact, developers should just be able to say...
arn:aws:s3:::example-org-sbx-vmimport
arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret
arn:aws:ssm:us-east-1:123456789012:parameter/test
...and our automation should create policies that correspond to those access levels.
How do we accomplish this? Policy Sentry leverages the AWS Actions, Resources, and Condition Keys documentation to look up the actions, access levels, and resource types, and generates policies according to the ARNs and access levels. Consider the table snippet below:
Actions | Access Level | Resource Types |
---|---|---|
ssm:GetParameter | Read | parameter |
ssm:DescribeParameters | List | parameter |
ssm:PutParameter | Write | parameter |
secretsmanager:PutResourcePolicy | Permissions management | secret |
secretsmanager:TagResource | Tagging | secret |
Policy Sentry aggregates all of that documentation into a single database and uses that database to generate policies according to actions, resources, and access levels.
brew tap salesforce/policy_sentry https://github.com/salesforce/policy_sentry
brew install policy_sentry
pip3 install --user policy_sentry
To enable Bash completion, put this in your .bashrc:
eval "$(_POLICY_SENTRY_COMPLETE=source policy_sentry)"
To enable ZSH completion, put this in your .zshrc:
eval "$(_POLICY_SENTRY_COMPLETE=source_zsh policy_sentry)"
policy_sentry create-template --output-file crud.yml --template-type crud
mode: crud
name: ''
# Specify resource ARNs
read:
- ''
write:
- ''
list:
- ''
tagging:
- ''
permissions-management:
- ''
# Actions that do not support resource constraints
wildcard-only:
single-actions: # standalone actions
- ''
# Service-wide - like 's3' or 'ec2'
service-read:
- ''
service-write:
- ''
service-list:
- ''
service-tagging:
- ''
service-permissions-management:
- ''
# Skip resource constraint requirements by listing actions here.
skip-resource-constraints:
- ''
# Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete*
exclude-actions:
- ''
mode: crud
read:
- 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'
write:
- 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'
list:
- 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'
tagging:
- 'arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret'
permissions-management:
- 'arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret'
policy_sentry write-policy --input-file crud.yml
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SsmReadParameter",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameterHistory",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:ListTagsForResource"
],
"Resource": [
"arn:aws:ssm:us-east-1:123456789012:parameter/myparameter"
]
},
{
"Sid": "SsmWriteParameter",
"Effect": "Allow",
"Action": [
"ssm:DeleteParameter",
"ssm:DeleteParameters",
"ssm:LabelParameterVersion",
"ssm:PutParameter"
],
"Resource": [
"arn:aws:ssm:us-east-1:123456789012:parameter/myparameter"
]
},
{
"Sid": "SecretsmanagerPermissionsmanagementSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:DeleteResourcePolicy",
"secretsmanager:PutResourcePolicy"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
]
},
{
"Sid": "SecretsmanagerTaggingSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource",
"secretsmanager:UntagResource"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret"
]
}
]
}
Notice how the policy above recognizes the ARNs that the user supplies, along with the requested access level. For instance, the SID SecretsmanagerTaggingSecret contains Tagging actions that are assigned to the secret resource type only.
This rapidly speeds up the time to develop IAM policies, and ensures that all policies created limit access to exactly what your role needs access to. This way, developers only have to determine the resources that they need to access, and we abstract the complexity of IAM policies away from their development processes.
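To make the lookup described above concrete, here is a simplified re-implementation (an added example, not Policy Sentry's own code): a constructed excerpt of the action table and two constructed raw ARN patterns stand in for the bundled database, and the hypothetical `write_policy` groups the matching actions into per-SID statements shaped like the crud.yml output above, while `resource_type_for_arn` rejects any ARN whose format it cannot map to a resource type.

```python
import json
import re

# Constructed excerpt of the Actions / Access Level / Resource Types table (the real tool
# reads the full AWS documentation database); it covers only the README's sample ARNs.
ACTION_TABLE = [
    ("ssm:GetParameter", "Read", "parameter"),
    ("ssm:GetParameters", "Read", "parameter"),
    ("ssm:DescribeParameters", "List", "*"),  # "*": no resource constraint possible
    ("ssm:PutParameter", "Write", "parameter"),
    ("ssm:DeleteParameter", "Write", "parameter"),
    ("secretsmanager:PutResourcePolicy", "Permissions management", "secret"),
    ("secretsmanager:DeleteResourcePolicy", "Permissions management", "secret"),
    ("secretsmanager:TagResource", "Tagging", "secret"),
    ("secretsmanager:UntagResource", "Tagging", "secret"),
]
# Raw ARN formats per (service, resource type), as the ARN table supplies them (constructed).
ARN_FORMATS = {
    ("ssm", "parameter"): r"^arn:aws:ssm:[^:]*:\d{12}:parameter/.+$",
    ("secretsmanager", "secret"): r"^arn:aws:secretsmanager:[^:]*:\d{12}:secret:.+$",
}

def resource_type_for_arn(arn):
    """Map a user-supplied ARN to (service, resource type); unknown formats are an error."""
    for (service, rtype), pattern in ARN_FORMATS.items():
        if re.match(pattern, arn):
            return service, rtype
    raise ValueError(f"no known ARN format matches {arn!r}")

def write_policy(crud):
    """Build a policy from a CRUD config such as {'read': [arn, ...], 'tagging': [...]}."""
    statements = {}
    for level, arns in crud.items():
        access_level = level.replace("-", " ").capitalize()  # permissions-management -> Permissions management
        for arn in arns:
            service, rtype = resource_type_for_arn(arn)
            # Only actions whose resource type matches the ARN bind to it; "*" actions never do.
            actions = sorted(name for name, lvl, rt in ACTION_TABLE
                             if name.startswith(service + ":") and lvl == access_level and rt == rtype)
            if not actions:
                continue
            sid = service.capitalize() + access_level.replace(" ", "").capitalize() + rtype.capitalize()
            stmt = statements.setdefault(sid, {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": []})
            if arn not in stmt["Resource"]:
                stmt["Resource"].append(arn)
    return {"Version": "2012-10-17", "Statement": list(statements.values())}

if __name__ == "__main__":  # prints the policy for the README's SSM parameter ARN
    param = "arn:aws:ssm:us-east-1:123456789012:parameter/myparameter"
    print(json.dumps(write_policy({"read": [param], "write": [param], "list": [param]}), indent=4))
```

Because ssm:DescribeParameters only supports the "*" resource type, the list ARN produces no statement here, which is the same reason the page's output above has no SsmListParameter statement; such actions belong under the template's wildcard-only section instead.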
# Create templates first!!! This way you can just paste the values you need rather than remembering the YAML format
# CRUD mode
policy_sentry create-template --output-file tmp.yml --template-type crud
# Actions mode
policy_sentry create-template --output-file tmp.yml --template-type actions
# Write policy based on resource-specific access levels
policy_sentry write-policy --input-file examples/yml/crud.yml
# Write policy based on a list of actions
policy_sentry write-policy --input-file examples/yml/actions.yml
###############
# Actions Table
###############
# NOTE: Use --fmt yaml or --fmt json to change the output format. Defaults to json for querying
# Get a list of actions that do not support resource constraints
policy_sentry query action-table --service s3 --resource-type "*" --fmt yaml
# Get a list of actions at the "Write" level in S3 that do not support resource constraints
policy_sentry query action-table --service s3 --access-level write --resource-type "*" --fmt yaml
# Get a list of all IAM actions across ALL services that have "Permissions management" access
policy_sentry query action-table --service all --access-level permissions-management
# Get a list of all IAM Actions available to the RAM service
policy_sentry query action-table --service ram
# Get details about the `ram:TagResource` IAM Action
policy_sentry query action-table --service ram --name tagresource
# Get a list of all IAM actions under the RAM service that have the Permissions management access level.
policy_sentry query action-table --service ram --access-level permissions-management
# Get a list of all IAM actions under the SES service that support the `ses:FeedbackAddress` condition key.
policy_sentry query action-table --service ses --condition ses:FeedbackAddress
###########
# ARN Table
###########
# Get a list of all RAW ARN formats available through the SSM service.
policy_sentry query arn-table --service ssm
# Get the raw ARN format for the `cloud9` ARN with the short name `environment`
policy_sentry query arn-table --service cloud9 --name environment
# Get key/value pairs of all RAW ARN formats plus their short names
policy_sentry query arn-table --service cloud9 --list-arn-types
######################
# Condition Keys Table
######################
# Get a list of all condition keys available to the Cloud9 service
policy_sentry query condition-table --service cloud9
# Get details on the condition key titled `cloud9:Permissions`
policy_sentry query condition-table --service cloud9 --name cloud9:Permissions
# Initialize the policy_sentry config folder and create the IAM database tables.
policy_sentry initialize
# Fetch the most recent version of the AWS documentation so you can experiment with new services.
policy_sentry initialize --fetch
# Override the Access Levels by specifying your own Access Levels (for example, correcting Permissions management levels)
policy_sentry initialize --access-level-overrides-file ~/.policy_sentry/overrides-resource-policies.yml
policy_sentry initialize --access-level-overrides-file ~/.policy_sentry/access-level-overrides.yml
create-template: Creates the YML file templates for use in the write-policy command types.
write-policy: Leverage a YAML file to write policies for you.
query: Query the IAM database tables. This can help when filling out the Policy Sentry templates, or just querying the database for quick knowledge. Subcommands:
- action-table
- arn-table
- condition-table
initialize: (Optional). Create a SQLite database that contains all of the services available through the Actions, Resources, and Condition Keys documentation. See the documentation.
If you are developing your own Python code and you want to import Policy Sentry as a third party package, you can skip the initialization and leverage the local database file that is bundled with the Python package itself.
This is especially useful for developers who wish to leverage Policy Sentry’s capabilities that require the use of the IAM database (such as querying the IAM database table). This way, you don’t have to initialize the database and can just query it immediately.
The code example is located here. It is also shown below.
```python
from policy_sentry.querying.actions import get_actions_for_service


def example():
    actions = get_actions_for_service('cloud9')  # Then you can leverage any method that requires access to the database.
    for action in actions:
        print(action)


if __name__ == '__main__':
    example()
```
The results will look like:
cloud9:CreateEnvironmentEC2
cloud9:CreateEnvironmentMembership
cloud9:DeleteEnvironment
cloud9:DeleteEnvironmentMembership
cloud9:DescribeEnvironmentMemberships
cloud9:DescribeEnvironmentStatus
cloud9:DescribeEnvironments
cloud9:GetUserSettings
cloud9:ListEnvironments
cloud9:ListTagsForResource
cloud9:TagResource
cloud9:UntagResource
cloud9:UpdateEnvironment
cloud9:UpdateEnvironmentMembership
cloud9:UpdateUserSettings
If you prefer using Docker instead of installing the script with Python, we support that as well. From the root of the repository, use this to build the docker image:
docker build -t kmcquade/policy_sentry .
Use this to run some basic commands:
# Basic commands with no arguments
docker run -i --rm kmcquade/policy_sentry:latest "--help"
docker run -i --rm kmcquade/policy_sentry:latest "query"
# Query the database
docker run -i --rm kmcquade/policy_sentry:latest "query action-table --service all --access-level permissions-management"
The write-policy command also supports passing in the YML config via STDIN. If you are using the docker method, try it out here:
# Write policies by passing in the config via STDIN
cat examples/yml/crud.yml | docker run -i --rm kmcquade/policy_sentry:latest "write-policy"
cat examples/yml/actions.yml | docker run -i --rm kmcquade/policy_sentry:latest "write-policy"
The Terraform module is published and maintained here.