Releases: duo-labs/parliament
0.4.12
0.4.11
- Updates the IAM data. Thanks @kmcquade for figuring out the new AWS doc format!
- Adds tests for that IAM data to try to avoid a doc change causing us to use bad data
- Wraps the community auditor running in a try/except to avoid exceptions in that code crashing parliament. Resolves #97
- Adds new finding type MISMATCHED_TYPE_BUT_USABLE with severity Low that is similar to the MISMATCHED_TYPE finding, but specific to when you use a string comparison against ARNs, since that will work, but is not ideal. Resolves #29
- Adds new finding type RESOURCE_STAR, which I expect is going to be very noisy for a lot of people, as it will be generated whenever someone uses a Resource of * when the action supports better defined resources. Resolves #72
0.4.10
Uses GitHub Actions to publish the library to PyPI
0.4.9
- Removes the requirement to bring in policy_sentry for the community auditors, which was making this library much heavier than it needed to be (see #86)
- Adds the community override file, which was a bug found and fixed by @xen0l in #91
- Adds verbose flag by @xen0l in #87
- Adds directory command-line option and some filtering options, again by @xen0l in #87
- Updates the iam definition
0.4.8
Support for aws:CalledVia, aws:CalledViaFirst, and aws:CalledViaLast
0.4.7
The big feature of this release is that it adds community auditors from @kmcquade. These currently are:
- Credentials exposure - Policy grants access to API calls that can return credentials to the user
- Permissions management actions - Allows the principal to modify IAM, RAM, identity-based policies, or resource based policies.
- Privilege escalation - Actions contain a combination of Privilege Escalation actions established by Rhino Security Labs
These are off by default for now, but can be enabled with --include-community-auditors
This fixes a bug when checking the results of get-account-authorization-details (thanks to @kmcquade again!)
This also adds a function get_allowed_actions which returns a list like ['s3:putobject'] for every action allowed. This likely will hurt performance when a * policy is involved. This function is currently used by the community auditors and is one of the reasons I don't have those on by default yet.
0.4.6
Updates the is_glob_function to account for some special cases. Code from Paul McGuire again in #36 (comment)
0.4.4
- Adds is_glob_match function from Paul McGuire, from his comment in #36 (comment). This massively cleans up the mess that is_arn_match had become.
- Fixes a unit test that was including a check for a private auditor, and avoids testing against private auditors for the other tests.
- Updates the privilege data.
- Fixes the script that collects the privilege data so it can actually be run.
0.4.3
0.4.2
The big change this release was improving the logic for identifying which actions were allowed. Previously, if you had the following, it would not identify s3:GetObject as being allowed, because it saw an Allow and a Deny and did not take into consideration the Condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::secretbucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::secretbucket/*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
Now the logic identifies s3:GetObject as being allowed, because it only counts a Deny against the Allow if the Deny has no Condition. This should better handle tricks someone might use to get around a custom auditor (for example, the sensitive bucket auditor in the docs would previously have been fooled by this policy).
The unit tests should also be more robust, and a bug was fixed in how Bool conditions are checked, to ensure they are matched against true and false values.
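As an added illustration of the 0.4.2 rule (example code, not parliament's own), a small Python model of get_allowed_actions that lets only an unconditional Deny cancel an Allow; the policy from these notes is embedded as constructed input, and the fnmatch-based stand-in for is_glob_match and the skipping of wildcard actions are simplifications assumed here.

```python
import fnmatch
import json

# Constructed input: the policy from the 0.4.2 notes, an Allow plus a Deny that
# applies only when MFA is absent (BoolIfExists on aws:MultiFactorAuthPresent).
MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::secretbucket/*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::secretbucket/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, value):
    # Case-insensitive IAM wildcard match (* and ?). A stand-in for parliament's
    # is_glob_match, which handles more special cases than fnmatch does.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _deny_covers(deny, action, resource):
    # True when the Deny's Action and Resource patterns both match.
    return (any(_glob_match(a, action) for a in _as_list(deny.get("Action", [])))
            and any(_glob_match(r, resource) for r in _as_list(deny.get("Resource", []))))

def get_allowed_actions(policy):
    # Lowercased actions left allowed, applying the 0.4.2 rule: an Allow is
    # cancelled only by a Deny that matches it AND has no Condition, because a
    # conditional Deny need not apply in every request context. Wildcard actions
    # and NotAction/NotResource are skipped; expanding them needs the AWS
    # privilege data that parliament ships and this example does not.
    stmts = _as_list(policy["Statement"])
    hard_denies = [s for s in stmts if s["Effect"] == "Deny" and "Condition" not in s]
    allowed = set()
    for stmt in stmts:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if not any(_deny_covers(d, action, resource) for d in hard_denies):
                    allowed.add(action.lower())
    return sorted(allowed)
```

Replacing the Deny's Condition block with nothing (an unconditional Deny) makes the same call return an empty list, which is the distinction the new logic draws.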