Wonk is a tool for combining a set of AWS policy files into smaller compiled policy sets.

Overview

The Policy Wonk

Wonk is a tool for combining a set of AWS policy files into smaller compiled policy sets.

Table of Contents

Rationale

Wonk can help you in several situations.

Policies are limited resources

You want to give the people in your organization the AWS permissions needed to do their job. Amazon has helpfully created several hundred policies like AmazonRDSReadOnlyAccess and AmazonS3FullAccess that you can assign to users, groups, or roles. This is super convenient... up until it's not.

AWS has IAM quotas like:

  • Policies may not be more than 6,144 characters long.
  • You can't attach more than 10 groups or roles to a user.
  • You can't attach more than 10 policies to a single group, role, or user.
  • If you're logging into AWS with SSO, each user like gets exactly 1 role assigned to them.

What if your backend engineers log in with Okta and they need 11 policies to do their job?

Wonk to the rescue! You can combine them into one big policy with a command line like:

$ wonk combine -p MyPolicy AWSPolicy1.json AWSPolicy2.json

which reads the contents of AWSPolicy1.json and AWSPolicy2.json and merges them into a MyPolicy.json file.

Your roles share a lot of common permissions

Perhaps you have one role for backend engineers, and another role for backend engineers who are on call this week and need some additional permissions. You really don't want to maintain two policies that are nearly identical, though.

In this case, you could put all of the standard permissions in one policy, all of the additional on-call permissions in another, then combine them:

$ wonk combine -p BackendOnCall Backend.json OnCall.json

Things got really complicated when you weren't looking

Beyond just combining a file or 2 as needed, you want some help managing multiple roles with lots of policies. Say you're setting up policies for both frontend and backend engineers and each of them have special on-call roles that share some extra debugging permissions. Each role uses a combination of some AWS-managed policies with some that you've written yourself.

Wonk loves you and wants you to be happy.

First, it assumes a directory layout like this:

├── wonk.yaml
├── managed
│   ├── AWSPolicy1.json
│   └── AWSPolicy2.json
├── local
│   ├── BackendECSReadOnly.json
│   ├── FrontendCloudWatchReadOnly.json
│   └── OnCall.json
└── combined
    ├── Backend_1.json
    ├── Frontend_1.json
    ├── BackendOnCall_1.json
    └── FrontendOnCall_1.json

where the managed directory is full of policy files that you've downloaded from AWS (maybe using the wonk fetch command), the local directory has policies you've written yourself, and combined has the output files that Wonk creates for you.

You could write a bunch of wonk combine command lines, maybe in a shell script or a Makefile. Alternatively, you could write a wonk.yaml file like this:

policy_sets:
  Backend:
    managed:
      - AWSPolicy1
      - arn:path:to:your:policy/AWSPolicy2
    local:
      - BackendECSReadOnly

  BackendOnCall:
    inherits:
      - Backend
    local:
      - OnCall

  Frontend:
    managed:
      - AWSPolicy3
    local:
      - FrontendCloudWatchReadOnly

  FrontendOnCall:
    inherits:
      - Frontend
    local:
      - OnCall

and then tell Wonk to build them all for you:

$ wonk build --all

which fetches any missing managed policies, then creates a set of combined policies named after their YAML configurations.

A managed policy Foo is fetched by the ARN arn:aws:iam::aws:policy/Foo. However, some Amazon policies don't follow that convention. In that case, you can give an ARN instead of a policy name and that ARN will be fetched instead (and the policy's name will be derived from the ARN). You could also do that if you want to fetch your own policy from Amazon instead of maintaining it locally.

Installation

pip install wonk

Alternatively: clone this repo and run poetry install.

Usage

Fetching policies

Use wonk fetch to retrieve a policy from AWS by name or by ARN and write it to stdout. Each of these commands emit the same output:

$ wonk fetch --arn "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
$ wonk fetch --name AWSLambdaFullAccess
$ wonk fetch --profile my_aws_profile_name --name AWSLambdaFullAccess

Combining policies

Use wonk combine to combine multiple policies into a policy set:

$ wonk combine -p Foo policy1.json policy2.json

Building configured policy statements

The wonk build command interprets a wonk.yaml file as described in the example above and builds the requested policy set(s).

To build one named policy set:

$ wonk build --policy-set BackendOnCall

To build all defined policy sets:

$ wonk build --all

The details

Sounds simple, right? Well, not quite. Remember, IAM quotas limit managed policies to 6,144 characters. You can put a few more characters on an inline policy directly on a role, but that's not best practice and you don't really want to go down that path. Instead, Wonk uses a few tricks to try to make policies fit inside their size limit:

  • It strips all Sid keys from statements, per Amazon's recommendations.
  • It discard duplicate actions.
  • It removes all "shadowed" actions. For instance, if a statement has actions Foo:SomeAction and Foo:*, it discards Foo:SomeAction because Foo:* already has it covered. Similarly, Foo:Get* will shadow Foo:GetSomething, so Foo:GetSomething will be removed.
  • Wonk tries to make the generated policies as human-readable as possible, but will format them very tersely if necessary. You can always use jq to reformat its outputs for viewing.

Note: actions are always grouped by similar principals, resources, conditions, etc. If two statements have different conditions, say, they are processed separately.

Breaking up is hard to do

Wonk does whatever it can to make a policy fit within that magic 6,144 character limit, but somethings that just can't be done. If you try to combine 30 different non-overlapping policies, there's a decent chance that the end result simply can't be shrunk enough. A careful reader might have noticed that all of the command examples specify an output "base" instead of a specific filename, and an output Foo ends up creating a file named Foo.json. This is because in the case that Wonk can't pack everything into a separate file, it creates a set of as few output policies as possible to include all of the actions. The general process is this:

  • Try to make everything fit.
  • If there are any statements with so many actions that they can't be shrunk into the size limit, split them up into equal-size chunks that do fit.
  • Now we have the case of fitting M statements into N policies, of which there can't be more than 10 because of the AWS limits. That looks a lot like the knapsack problem, and indeed it is. Wonk uses Google's SCIP constraint solver to pack all of the statements into as few policies as possible.
  • If none of this is sufficient, Wonk raises an exception and quits.

Policy sets

The end result of many Wonk operations is a collection of files, a policy set, named _1.json through _N.json where N <= 10. This is different from most utilities which operate on individual files, but Wonk can't know how many files it will be creating in advance.

Why 10? Because AWS usually won't allow you to attach more than 10 policies to a user, group, or role. Since policy sets work together like one giant policy and can't be split up, Wonk won't create a policy set that can't actually be attached to anything. If you're bumping up against this limit, consider creating 2 policy sets and applying them to 2 distinct but groups (like Backend_1 and Backend_2), then putting each relevant user into both groups. Alternatively, if your policies cover 99 actions like Service:OnePermission and Service:Another on a service that only has 100 possible actions, and you've done your due diligence and don't mind giving your users access to that 100th action, consider adding a Service:* action to a local policy. That will replace all those individual actions with the single wildcard. Likewise, if you mean to give your users access to all of the various Service:GetThis and Service:GetThat actions, you can cover them all at once with Service:Get*. This also has the nice side effect of documenting that you actually intend to allow access to all of the Get* actions.

Terraforming combined policies

Reasonably recent modern versions of Terraform support fileset and for_each syntax. You can define a single policy resource that exactly expands out to a whole set of policies, then attach them all at once to a group or role:

resource "aws_iam_policy" "Frontend" {
  for_each    = fileset(path.module, "combined/Frontend_*.json")
  name        = split(".", basename(each.value))[0]
  description = "Frontend users need to do stuff"
  policy      = file(each.value)
}

resource "aws_iam_group_policy_attachment" "Frontenders__Frontend" {
  for_each   = aws_iam_policy.Frontend
  group      = data.aws_iam_group.frontenders.group_name
  policy_arn = each.value.arn
}

Limitations

As of this writing, Wonk is usable but not finished. It's missing a few nice features:

  • Wonk doesn't consider action shadowing when one statement has restrictions but another doesn't. For example, given two statement blocks:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Foo:Something",
            "Resource": "arn:aws:service::my_resource"
        },
        {
            "Effect": "Allow",
            "Action": "Foo:Something"
        }
    ]
}

the second statement is broader than the first, so the first could be safely removed. Right now it isn't.

Copyright

The Policy Wonk is copyright 2021 Amino, Inc. and distributed under the terms of the Apache-2.0 License.

Owner
Amino, Inc
Amino open-source projects
Amino, Inc
A gui application used for network reconnaissance while pentesting

netrecon A gui application used for network reconnaissance while pentesting

Krisna Pranav 4 Sep 03, 2022
log4j2 passive burp rce scanning tool get post cookie full parameter recognition

log4j2_burp_scan 自用脚本log4j2 被动 burp rce扫描工具 get post cookie 全参数识别,在ceye.io api速率限制下,最大线程扫描每一个参数,记录过滤已检测地址,重复地址 token替换为你自己的http://ceye.io/ token 和域名地址

5 Dec 10, 2021
Dependency injection in python with autoconfiguration

The base is a DynamicContainer to autoconfigure services using the decorators @services for regular services and @command_handler for using command pattern.

Sergio Gómez 2 Jan 17, 2022
Find existing email addresses by nickname using API/SMTP checking methods without user notification. Please, don't hesitate to improve cat's job! 🐱🔎 📬

mailcat The only cat who can find existing email addresses by nickname. Usage First install requirements: pip3 install -r requirements.txt Then just

282 Dec 30, 2022
Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR

Pushpender Singh 9 Dec 12, 2022
A simple Outline Server Access Key Copy and Paste Web Interface

Outline Keychain A simple Outline Server Access Key Copy and Paste Web Interface Developed for key and password export and copy & paste for other Shad

Zhe 1 Dec 28, 2021
A simple Log4Shell Scan with python

🐞 Log4Scan 🔧 Log4Shell 简单的主动和被动扫描脚本 Log4scan 针对header头和fuzz参数的主动批量扫描,用于大批量黑盒检测

nul1 6 Aug 04, 2022
Auto Tor Ip Changer

AutoTor Auto Tor Ip Changer for Linux! git clone https://github.com/Arest7/AutoTor cd AutoTor pip install -r requirements.txt python3 AutoTor.py follo

Ken Ryuguji 3 Jan 23, 2022
The Devils Eye is an OSINT tool that searches the Darkweb for onion links and descriptions that match with the users query without requiring the use for Tor.

The Devil's Eye searches the darkweb for information relating to the user's query and returns the results including .onion links and their description

Richard Mwewa 135 Dec 31, 2022
Sample exploits for Zephyr CVE-2021-3625

CVE-2021-3625 This repository contains a few example exploits for CVE-2021-3625. All Zephyr-based usb devices up to (and including) version 2.5.0 suff

7 Nov 10, 2022
DCSync - DCSync Attack from Outside using Impacket

Adding DCSync Permissions Mostly copypasta from https://github.com/tothi/rbcd-at

n00py 77 Dec 16, 2022
Monty Hall Problem simulation written in Python.

Monty Hall Problem Simulation monty_hall_sim is a brute-force method of determining the optimal strategy for the Monty Hall Problem. Usage Set boolean

Xavier D 1 Aug 29, 2022
Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

dns-mf-hazard Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions How to use it? Installation You need python

Marek Wajdzik 2 Jan 01, 2022
compact and speedy hash cracker for md5, sha1, and sha256 hashes

hash-cracker hash cracker is a multi-functional and compact...hash cracking tool...that supports dictionary attacks against three kinds of hashes: md5

Abdullah Ansari 3 Feb 22, 2022
2022-bridge - Example code belonging to the Bridge pattern video

Let's Take The Bridge Pattern To The Next Level This video covers how the bridge

11 Jun 14, 2022
This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks.

This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks. The goal is to successfully use this notebook project below with Security Onion for beacon detection

4 Jun 08, 2022
Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installtion $ pip3 install impacket Usage Impacket v0.9.23 -

Oliver Lyak 250 Dec 31, 2022
Get related domains / subdomains by looking at Google Analytics IDs

DomainRelationShips ██╗ ██╗ █████╗ ██╗██████╗ ██║ ██║██╔══██╗ ██║██╔══██╗ ██║ ██║█████

Josué Encinar 161 Jan 02, 2023
this keylogger is only for pc not for android but it will only work on those pc who have python installed it is made for all linux,windows and macos

Keylogger this keylogger is only for pc not for android but it will only work on those pc who have python installed it is made for all linux,windows a

Titan_Exodous 1 Nov 04, 2021
A Modified version of TCC's Osprey poc framework......

fierce-fish fierce-fish是由TCC(斗象能力中心)出品并维护的开源漏洞检测框架osprey的改写,去掉臃肿功能的精简版本poc框架 PS:真的用不惯其它臃肿的功能,不过作为一个收集漏洞poc && exp的框架还是非常不错的!!! osprey For beginners fr

lUc1f3r11 10 Dec 30, 2022