fixed check_sensitive_services

env-config/config.py

@@ -112,6 +112,12 @@
 # "NONE", "SUMMARY", or "FULL"
 SECURITYGROUP_INSTANCE_DETAIL = 'FULL'
 
+# To alert on IAM Roles/Users/Groups and Managed Policies with Write capabilities
+# on sensitive services, enumerate the services here:
+# DEFAULT_SENSITIVE = ['cloudhsm', 'cloudtrail', 'acm', 'config', 'kms', 'lambda', 'organizations', 'rds', 'route53', 'shield']
+# Otherwise, SM will alert on all dataplane write access.
+DEFAULT_SENSITIVE = 'ALL'
+
 # Threads used by the scheduler.
 # You will likely need at least one core thread for every account being monitored.
 CORE_THREADS = 25

security_monkey/auditors/iam/iam_policy.py

@@ -96,8 +96,7 @@ def check_mutable_sensitive_services(self, item):
         issue = Categories.SENSITIVE_PERMISSIONS
         notes = Categories.SENSITIVE_PERMISSIONS_NOTES_2
 
-        DEFAULT_SENSITIVE = ['cloudhsm', 'cloudtrail', 'acm', 'config', 'kms', 'lambda', 'organizations', 'rds', 'route53', 'shield']
-        sensitive_services = app.config.get('SENSITIVE_SERVICES', DEFAULT_SENSITIVE)
+        sensitive_services = app.config.get('SENSITIVE_SERVICES', 'ALL')
         if not sensitive_services:
             return
 
@@ -110,6 +109,10 @@ def check_mutable_sensitive_services(self, item):
                 if statement.effect == 'Allow':
                     summary = statement.action_summary()
                     for service, categories in summary.items():
+
+                        if sensitive_services != 'ALL' and service not in sensitive_services:
+                            continue
+
                         if 'DataPlaneMutating' in categories:
                             note = notes.format(
                                 service=service,