Merge 0446b87 into 8453062

Netflix-Skunkworks · Jun 2, 2021 · 65fa6f7 · 65fa6f7
2 parents 8453062 + 0446b87
commit 65fa6f7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/policyuniverse/statement.py b/policyuniverse/statement.py
@@ -175,6 +175,7 @@ def _condition_entries(self):
             "aws:principalarn": "arn",
             "aws:sourceowner": "account",
             "aws:sourceaccount": "account",
+            "aws:principalaccount": "account",
             "aws:principalorgid": "org-id",
             "kms:calleraccount": "account",
             "aws:userid": "userid",

diff --git a/policyuniverse/tests/test_statement.py b/policyuniverse/tests/test_statement.py
@@ -354,6 +354,19 @@
     },
 )
 
+# aws:PrincipalAccount in conditions
+statement33 = dict(
+    Effect="Allow",
+    Principal="*",
+    Action=["rds:*"],
+    Resource="*",
+    Condition={
+        "ForAnyValue:StringEquals": {
+            "AWS:PrincipalAccount": ["012345678910", "123456789123"]
+        }
+    },
+)
+
 
 class StatementTestCase(unittest.TestCase):
     def test_statement_effect(self):
@@ -477,6 +490,11 @@ def test_statement_conditions(self):
             set(["arn:aws:iam::012345678910:role/SomePrincipalRole"]),
         )
 
+        statement = Statement(statement33)
+        self.assertEqual(
+            statement.condition_accounts, set(["012345678910", "123456789123"])
+        )
+
     def test_statement_internet_accessible(self):
         self.assertTrue(Statement(statement14).is_internet_accessible())
         self.assertTrue(Statement(statement15).is_internet_accessible())
@@ -525,3 +543,6 @@ def test_statement_internet_accessible(self):
 
         # AWS:PrincipalARN
         self.assertFalse(Statement(statement32).is_internet_accessible())
+
+        # AWS:PrincipalAccount
+        self.assertFalse(Statement(statement33).is_internet_accessible())