Releases: duo-labs/parliament

0.4.13

12 May 15:44
09121b9

Improved performance from PR #110 by @yoava333 makes Parliament run up to 100x faster!

Updated privilege info in #113.

0.4.12

23 Apr 18:26
8308583

AWS changed their doc format which broke the web scraper, so @kmcquade fixed it via #108. Then I ran it to collect the latest privilege info.

0.4.11

15 Apr 23:30
12854d0
  • Updates the IAM data. Thanks @kmcquade for figuring out the new AWS doc format!
  • Adds tests for that IAM data to try to avoid a doc change causing us to use bad data.
  • Wraps the community auditor run in a try/except so that exceptions in that code do not crash parliament. Resolves #97.
  • Adds the new finding type MISMATCHED_TYPE_BUT_USABLE with severity Low. It is similar to the MISMATCHED_TYPE finding, but is specific to using a string comparison (rather than an ARN comparison) against ARNs, since that will work but is not ideal. Resolves #29.
  • Adds the new finding type RESOURCE_STAR, which I expect is going to be very noisy for a lot of people, as it will be generated whenever someone uses a Resource of * when the action supports better defined resources. Resolves #72.

0.4.10

21 Mar 19:10
be62b85

Uses GitHub Actions to deploy the PyPI library.

0.4.9

28 Feb 16:38
b4af529
  • Removes the requirement to bring in policy_sentry for the community auditors, which was making this library much heavier than it needed to be (see #86).
  • Adds the community override file; its absence was a bug found and fixed by @xen0l in #91.
  • Adds a verbose flag, by @xen0l in #87.
  • Adds a directory command-line option and some filtering options, again by @xen0l in #87.
  • Updates the IAM definition.

0.4.8

21 Feb 20:35
f9a2d8e

Support for the aws:CalledVia, aws:CalledViaFirst, and aws:CalledViaLast condition keys.

0.4.7

21 Feb 18:55
a21b629

The big feature of this release is that it adds community auditors from @kmcquade. These currently are:

  • Credentials exposure - The policy grants access to API calls that can return credentials to the user.
  • Permissions management actions - The policy allows the principal to modify IAM, RAM, identity-based policies, or resource-based policies.
  • Privilege escalation - The policy's actions contain a combination of privilege escalation actions as established by Rhino Security Labs.

These are off by default for now, but can be enabled with --include-community-auditors.

This release also fixes a bug when checking the results of get-account-authorization-details (thanks to @kmcquade again!).

This also adds a function get_allowed_actions, which returns a list like ['s3:putobject'] containing every action allowed by the policy. This will likely hurt performance when a * policy is involved. This function is currently used by the community auditors and is one of the reasons I don't have those on by default yet.
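As an added illustration (not parliament's own code) of the RESOURCE_STAR finding described under 0.4.11 above and of the get_allowed_actions behaviour described here: the action table and the policy statement are constructed, and Python's fnmatch stands in for parliament's glob matching when expanding wildcard actions.

```python
import fnmatch

# Constructed stand-in for the privilege data parliament scrapes from the AWS docs:
# lowercased action name -> whether the action supports resource-level permissions.
# Entries are illustrative assumptions, not the real (much larger) table.
ACTION_SUPPORTS_RESOURCE = {
    "s3:getobject": True,
    "s3:putobject": True,
    "s3:listallmybuckets": False,   # only valid with Resource "*"
    "sts:getcalleridentity": False,
}


def get_allowed_actions(statement):
    """Expand the Action element of an Allow statement into concrete lowercased
    action names, resolving IAM wildcards (e.g. "s3:Get*") against the table."""
    if statement.get("Effect") != "Allow":
        return []
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    allowed = set()
    for pattern in actions:
        # IAM's * and ? wildcards map directly onto fnmatch semantics here.
        for known in ACTION_SUPPORTS_RESOURCE:
            if fnmatch.fnmatchcase(known, pattern.lower()):
                allowed.add(known)
    return sorted(allowed)


def find_resource_star(statement):
    """Return allowed actions granted on Resource "*" although they support a
    narrower resource (the RESOURCE_STAR finding). Actions that only work with
    "*" are skipped, which keeps the finding from being pure noise."""
    resources = statement.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    if "*" not in resources:
        return []
    return [a for a in get_allowed_actions(statement) if ACTION_SUPPORTS_RESOURCE[a]]


# Constructed policy statement used for the demo.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:ListAllMyBuckets", "sts:GetCallerIdentity"],
    "Resource": "*",
}

if __name__ == "__main__":
    print(get_allowed_actions(SAMPLE_STATEMENT))  # ['s3:getobject', 's3:listallmybuckets', 'sts:getcalleridentity']
    print(find_resource_star(SAMPLE_STATEMENT))   # ['s3:getobject']
```

Note how the wildcard expansion has to scan the whole action table for every pattern, which is why a * policy is expensive.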

0.4.6

15 Jan 02:34
5372aa2

Updates the is_glob_function to account for some special cases. Code from Paul McGuire again, in #36 (comment).

0.4.4

14 Jan 16:14
4d5532f
  • Adds the is_glob_match function from Paul McGuire, taken from his comment in #36 (comment). This massively cleans up the mess that is_arn_match had become.
  • Fixes a unit test that was including a check for a private auditor, and avoids testing against private auditors in the other tests.
  • Updates the privilege data.
  • Fixes the script that collects the privilege data so it can actually be run.

0.4.3

13 Jan 21:57
1dedb2b

Minor fix (#49) to improve identification of privileges being granted.