Use policyuniverse #2
Comments
|
policyuniverse is largely focused on resource policies, such as those attached to an S3 bucket or ElasticSearch cluster, and not IAM policies for actors. However, I filed Netflix-Skunkworks/policyuniverse#8 in order to start things moving so that library can be used here. |
|
Assuming you're aware of this: https://awspolicygen.s3.amazonaws.com/js/policies.js I think that's where policyuniverse sources the IAM info. |
|
@bobrich Thanks, I just wrote up some notes on IAM vs APIs vs CloudTrail yesterday actually where I noted that data source: https://summitroute.com/blog/2018/06/28/aws_iam_vs_api_vs_cloudtrail/ My existing approach in CloudTracker is very unclean and misses a lot of the points I note in that blog. I need to revisit how I've approached a lot of the things with CloudTracker to account for all of that. |
Use https://github.com/netflix-skunkworks/policyuniverse instead of https://github.com/duo-labs/cloudtracker/blob/master/cloudtracker/__init__.py#L80 and
aws_api_list.txt. This would also supportNotAction(cloudtracker/cloudtracker/__init__.py
Line 69 in 33852a6
--ignore-benignflag to more accurately identify benign actions beyondList*andDescribe*.Need to push changes to that project to support some of CloudTracker's needs.
The text was updated successfully, but these errors were encountered: