iamfast
IAM policy generation from application code
Installation
npm i -g iamfast
You can also install iamfast as a Visual Studio Code extension.
Usage
Execute iamfast with the first argument being the file or directory (currently slow, not yet recommended) to be scanned.
iamfast yourfile.js
iamfast supports the following programming languages:
- JavaScript (v2 SDK)
- Python 3 (Boto3 SDK)
- Go (v1 SDK)
- Java (v2 SDK)
Optional Flags
--format <type>: Sets the format of the output, currently supporting json (default), yaml, hcl and sam
Example
> cat tests/js/test1.js
// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');
// Set the region
AWS.config.update({region: 'us-east-1'});
// Create the DynamoDB service object
var ddb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var params = {
TableName: 'CUSTOMER_LIST',
Item: {
'CUSTOMER_ID' : {N: '001'},
'CUSTOMER_NAME' : {S: 'Richard Roe'}
}
};
// Call DynamoDB to add the item to the table
ddb.putItem(params, function(err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
}
});
> iamfast tests/js/test1.js
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "dynamodb:PutItem",
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/CUSTOMER_LIST"
]
}
]
}
Test
To run tests:
npm testDevelopment Progress
File Structure
src/AWSParser.js- Generates token streams and calls walkers for individual languages, also maps resource instantiationssrc/EnvironmentVariable.js- Dedicated class for environment variable typesrc/IAMFast.js- Generates the actual policies / outputs by referencing the action map and callingAWSParser.jsfunctionssrc/main.js- CLI setup and entrypoint for non-module usesrc/lib/<Language>AWSListener.js- Custom listener hooks to track client calls etc. (2nd pass)src/lib/<Language>ScopeListener.js- Custom listener hooks to track variable and function declarations (1st pass)src/lib/<Language>Parser.js- Auto-generated (ANTLR) language parser logicgrammars/<Language>Parser.js- Individual ANTLR language definitions, used to generatelib/<Language>Parser.js
General
- Gather test cases
- Environment variable referencing in SAM output
- Online tool for quick evaluation
- GitHub app
JavaScript
- Lexing & parsing with ANTLR
- Custom tree walker
- Identify standard SDK definitions
- Identify SDK region
- Identify advanced SDK definitions
- Identify client instantiations
- Identify client calls
- Identify client calls with advanced method chaining
- Identify resource instantiations (AWS.S3.ManagedUpload, AWS.DynamoDB.DocumentClient)
- Identify resource calls
- Interpret call arguments (top-level, static)
- Interpret call arguments (top-level, variable)
- Interpret call arguments (deep, static)
- Interpret call arguments (deep, variable)
- Track literal variables
- Track object variables
- Track environmental variables
- Understand scope (build the call stack)
- Cross-file relationships
- Understand entrypoints and code accessibility
- Performance tuning
Python
- Lexing & parsing with ANTLR
- Custom tree walker
- Identify standard SDK definitions
- Identify SDK region
- Identify advanced SDK definitions ("as x" etc.)
- Identify client instantiations
- Identify client calls
- Identify client calls with advanced method chaining
- Identify resource instantiations
- Identify resource calls
- Interpret call arguments (top-level, static)
- Interpret call arguments (top-level, variable)
- Interpret call arguments (deep, static)
- Interpret call arguments (deep, variable)
- Track literal variables
- Track object variables
- Track environmental variables
- Understand scope (build the call stack)
- Cross-file relationships
- Understand entrypoints and code accessibility
- Performance tuning
Go
- Lexing & parsing with ANTLR
- Custom tree walker
- Identify standard SDK definitions
- Identify SDK region
- Identify advanced SDK definitions
- Identify client instantiations
- Identify client calls
- Identify client calls with advanced method chaining
- Interpret call arguments (top-level, static)
- Interpret call arguments (top-level, variable)
- Interpret call arguments (deep, static)
- Interpret call arguments (deep, variable)
- Track literal variables
- Track object variables
- Track environmental variables
- Understand scope (build the call stack)
- Cross-file relationships
- Understand entrypoints and code accessibility
- Performance tuning
Java
- Lexing & parsing with ANTLR
- Custom tree walker
- Identify standard SDK definitions
- Identify SDK region
- Identify advanced SDK definitions
- Identify client instantiations
- Identify client calls
- Identify client calls with advanced method chaining
- Interpret call arguments (top-level, static)
- Interpret call arguments (top-level, variable)
- Interpret call arguments (deep, static)
- Interpret call arguments (deep, variable)
- Track literal variables
- Track object variables
- Track environmental variables
- Understand scope (build the call stack)
- Cross-file relationships
- Understand entrypoints and code accessibility
- Performance tuning
C++
- Lexing & parsing with ANTLR
- Custom tree walker
- Identify standard SDK definitions
- Identify SDK region
- Identify advanced SDK definitions
- Identify client instantiations
- Identify client calls
- Identify client calls with advanced method chaining
- Interpret call arguments (top-level, static)
- Interpret call arguments (top-level, variable)
- Interpret call arguments (deep, static)
- Interpret call arguments (deep, variable)
- Track literal variables
- Track object variables
- Track environmental variables
- Understand scope (build the call stack)
- Cross-file relationships
- Understand entrypoints and code accessibility
- Performance tuning