Merge pull request #95 from cloudgraphdev/fix/CG-1262

fix(iamRole): relate iamPermissionsBoundary policy, include inlinePolicies JSON objects

Author: tyler-dunkel

src/services/iamPolicy/schema.graphql

@@ -8,6 +8,7 @@ type awsIamPolicy implements awsBaseService @key(fields: "id") {
   iamRoles: [awsIamRole] @hasInverse(field: iamAttachedPolicies)
   iamGroups: [awsIamGroup] @hasInverse(field: iamAttachedPolicies)
   iamUsers: [awsIamUser] @hasInverse(field: iamAttachedPolicies)
+  permissionBoundaryOf: [awsIamRole] @hasInverse(field: iamPermissionBoundaryPolicy)
 }
 
 type awsIamJSONPolicy

src/services/iamRole/connections.ts

@@ -34,14 +34,35 @@ export default ({
   region: string
 }): { [key: string]: ServiceConnection[] } => {
   const connections: ServiceConnection[] = []
-  const { Arn: id, ManagedPolicies: managedPolicies } = role
+  const {
+    Arn: id,
+    ManagedPolicies: managedPolicies,
+    PermissionsBoundaryArn,
+  } = role
 
   const policies: RawAwsIamPolicy[] =
     flatMap(
       data.find(({ name: serviceName }) => serviceName === services.iamPolicy)
         ?.data
     ) || []
 
+  /** Find Permission Boundary Policy
+   *  related to this IAM Role
+   */
+
+  const permissionBoundaryPolicy = policies.find(
+    ({ Arn: arn }: RawAwsIamPolicy) => PermissionsBoundaryArn === arn
+  )
+
+  if (permissionBoundaryPolicy) {
+    connections.push({
+      id: PermissionsBoundaryArn,
+      resourceType: services.iamPolicy,
+      relation: 'child',
+      field: 'iamPermissionBoundaryPolicy',
+    })
+  }
+
   /**
    * Find Managed Policies
    * related to this IAM Role

src/services/iamRole/data.ts

@@ -6,12 +6,13 @@ import { AWSError } from 'aws-sdk/lib/error'
 
 import IAM, {
   AttachedPolicy,
+  GetAccountAuthorizationDetailsResponse,
   GetRoleResponse,
   ListAttachedRolePoliciesResponse,
-  ListRolePoliciesResponse,
   ListRolesResponse,
   ListRoleTagsResponse,
   Role,
+  RoleDetail,
 } from 'aws-sdk/clients/iam'
 import { Config } from 'aws-sdk/lib/config'
 
@@ -38,10 +39,11 @@ const customRetrySettings = setAwsRetryOptions({
 })
 
 export interface RawAwsIamRole extends Omit<Role, 'Tags'> {
-  Policies: string[]
   ManagedPolicies: AttachedPolicy[]
   region: string
   Tags?: TagMap
+  PermissionsBoundaryArn: string
+  InlinePolicies: Array<{ name: string; document: string }>
 }
 
 const roleByRoleName = async (
@@ -99,68 +101,73 @@ const tagsByRoleName = async (
     )
   })
 
-const policiesByRoleName = async (
+const managedPoliciesByRoleName = async (
   iam: IAM,
   { RoleName }: Role
-): Promise<{ RoleName: string; Policies: string[] }> =>
+): Promise<{ RoleName: string; ManagedPolicies: AttachedPolicy[] }> =>
   new Promise(resolve => {
-    iam.listRolePolicies(
+    iam.listAttachedRolePolicies(
       { RoleName },
-      (err: AWSError, data: ListRolePoliciesResponse) => {
+      (err: AWSError, data: ListAttachedRolePoliciesResponse) => {
         if (err) {
           errorLog.generateAwsErrorLog({
-            functionName: 'iam:listRolePolicies',
+            functionName: 'iam:listAttachedRolePolicies',
             err,
           })
         }
 
         if (!isEmpty(data)) {
-          const { PolicyNames = [] } = data
+          const { AttachedPolicies = [] } = data
 
-          resolve({ RoleName, Policies: PolicyNames })
+          resolve({
+            RoleName,
+            ManagedPolicies: AttachedPolicies,
+          })
         }
 
         resolve(null)
       }
     )
   })
 
-const managedPoliciesByRoleName = async (
+export const getAccountAuthorizationDetails = async (
   iam: IAM,
-  { RoleName }: Role
-): Promise<{ RoleName: string; ManagedPolicies: AttachedPolicy[] }> =>
+  marker?: string
+): Promise<RoleDetail[]> =>
   new Promise(resolve => {
-    iam.listAttachedRolePolicies(
-      { RoleName },
-      (err: AWSError, data: ListAttachedRolePoliciesResponse) => {
+    const result: RoleDetail[] = []
+    iam.getAccountAuthorizationDetails(
+      { Filter: ['Role'], Marker: marker },
+      async (err: AWSError, data: GetAccountAuthorizationDetailsResponse) => {
         if (err) {
           errorLog.generateAwsErrorLog({
-            functionName: 'iam:listAttachedRolePolicies',
+            functionName: 'iam:getAccountAuthorizationDetails',
             err,
           })
         }
-
-        if (!isEmpty(data)) {
-          const { AttachedPolicies = [] } = data
-
-          resolve({
-            RoleName,
-            ManagedPolicies: AttachedPolicies,
-          })
+        if (!isEmpty(data) && !isEmpty(data.RoleDetailList)) {
+          const { Marker, IsTruncated, RoleDetailList } = data
+          result.push(...RoleDetailList)
+          if (IsTruncated) {
+            result.push(...(await getAccountAuthorizationDetails(iam, Marker)))
+          }
+          resolve(result)
         }
-
-        resolve(null)
       }
     )
   })
 
-export const listIamRoles = async (
-  iam: IAM,
+export const listIamRoles = async ({
+  iam,
+  marker,
+  roleAuthorizationDetails,
+}: {
+  iam: IAM
   marker?: string
-): Promise<RawAwsIamRole[]> =>
+  roleAuthorizationDetails: RoleDetail[]
+}): Promise<RawAwsIamRole[]> =>
   new Promise(resolve => {
     const result: RawAwsIamRole[] = []
-    const policiesByRoleNamePromises = []
     const tagsByRoleNamePromises = []
     const managedPoliciesByRoleNamePromises = []
     const roleByRoleNamePromises: Promise<{ RoleName: string; Role: Role }>[] =
@@ -180,23 +187,27 @@ export const listIamRoles = async (
 
           roles.map(role => {
             tagsByRoleNamePromises.push(tagsByRoleName(iam, role))
-            policiesByRoleNamePromises.push(policiesByRoleName(iam, role))
             managedPoliciesByRoleNamePromises.push(
               managedPoliciesByRoleName(iam, role)
             )
             roleByRoleNamePromises.push(roleByRoleName(iam, role))
           })
 
           const tags = await Promise.all(tagsByRoleNamePromises)
-          const policies = await Promise.all(policiesByRoleNamePromises)
           const managedPolicies = await Promise.all(
             managedPoliciesByRoleNamePromises
           )
           const detailedRoles = await Promise.all(roleByRoleNamePromises)
 
           result.push(
             ...roles.map(
-              ({ RoleName, AssumeRolePolicyDocument, Tags, ...role }) => {
+              ({
+                RoleName,
+                AssumeRolePolicyDocument,
+                PermissionsBoundary,
+                Tags,
+                ...role
+              }) => {
                 return {
                   RoleName,
                   AssumeRolePolicyDocument: decodeURIComponent(
@@ -207,24 +218,33 @@ export const listIamRoles = async (
                   RoleLastUsed: detailedRoles?.find(
                     r => r?.RoleName === RoleName
                   )?.Role.RoleLastUsed,
-                  Policies:
-                    policies
-                      ?.filter(p => p?.RoleName === RoleName)
-                      .map(p => p.Policies)
-                      .reduce((current, acc) => [...acc, ...current], []) || [],
                   ManagedPolicies:
                     managedPolicies
                       ?.filter(p => p?.RoleName === RoleName)
                       .map(p => p.ManagedPolicies)
                       .reduce((current, acc) => [...acc, ...current], []) || [],
                   Tags: tags.find(t => t?.RoleName === RoleName)?.Tags || {},
+                  PermissionsBoundaryArn:
+                    PermissionsBoundary.PermissionsBoundaryArn,
+                  InlinePolicies: roleAuthorizationDetails
+                    .find(rAD => rAD.RoleName === RoleName)
+                    .RolePolicyList.map(rPl => ({
+                      name: rPl.PolicyName,
+                      document: rPl.PolicyDocument,
+                    })),
                 }
               }
             )
           )
 
           if (IsTruncated) {
-            result.push(...(await listIamRoles(iam, Marker)))
+            result.push(
+              ...(await listIamRoles({
+                iam,
+                marker: Marker,
+                roleAuthorizationDetails,
+              }))
+            )
           }
 
           resolve(result)
@@ -259,8 +279,12 @@ export default async ({
 
     logger.debug(lt.lookingForIamRoles)
 
+    // Fetch role authorization details first
+    const roleAuthorizationDetails = await getAccountAuthorizationDetails(
+      client
+    )
     // Fetch IAM Roles
-    rolesData = await listIamRoles(client)
+    rolesData = await listIamRoles({ iam: client, roleAuthorizationDetails })
 
     errorLog.reset()
     logger.debug(lt.foundRoles(rolesData.length))

src/services/iamRole/format.ts

@@ -1,3 +1,4 @@
+import cuid from 'cuid'
 import { AwsIamRole } from '../../types/generated'
 import { formatTagsFromMap, formatIamJsonPolicy } from '../../utils/format'
 
@@ -24,7 +25,7 @@ export default ({
     RoleLastUsed,
     AssumeRolePolicyDocument: assumeRolePolicy = '',
     MaxSessionDuration: maxSessionDuration = 0,
-    Policies: inlinePolicies = [],
+    InlinePolicies: inlinePolicies = [],
     Tags: tags = {},
   } = rawData
 
@@ -43,7 +44,13 @@ export default ({
     rawPolicy: assumeRolePolicy,
     assumeRolePolicy: formatIamJsonPolicy(assumeRolePolicy),
     maxSessionDuration,
-    inlinePolicies,
+    inlinePolicies: inlinePolicies.map(
+      ({ name: inlinePolicyName, document: inlinePolicyDocument }) => ({
+        id: cuid(),
+        name: inlinePolicyName,
+        document: formatIamJsonPolicy(inlinePolicyDocument),
+      })
+    ) ?? [],
     tags: roleTags,
   }
   return role

src/services/iamRole/schema.graphql

@@ -1,3 +1,14 @@
+type awsIamRoleInlinePolicy
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+  id: String! @id @search(by: [hash])
+  name: String @search(by: [hash, regexp])
+  document: awsIamJSONPolicy
+}
+
 type awsIamRole implements awsBaseService @key(fields: "id") {
   name: String @search(by: [hash, regexp])
   path: String @search(by: [hash, regexp])
@@ -8,7 +19,7 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   lastUsedDate: DateTime @search(by: [day])
   maxSessionDuration: Int @search
   tags: [awsRawTag]
-  inlinePolicies: [String]
+  inlinePolicies: [awsIamRoleInlinePolicy]
   cloudFormationStack: [awsCloudFormationStack] @hasInverse(field: iamRole)
   codebuilds: [awsCodebuild] @hasInverse(field: iamRoles)
   configurationRecorder: [awsConfigurationRecorder] @hasInverse(field: iamRole)
@@ -20,6 +31,8 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   glueJobs: [awsGlueJob] @hasInverse(field: iamRole)
   guardDutyDetectors: [awsGuardDutyDetector] @hasInverse(field: iamRole)
   iamAttachedPolicies: [awsIamPolicy] @hasInverse(field: iamRoles)
+  iamPermissionBoundaryPolicy: [awsIamPolicy]
+    @hasInverse(field: permissionBoundaryOf)
   iamInstanceProfiles: [awsIamInstanceProfile] @hasInverse(field: iamRole)
   managedAirflows: [awsManagedAirflow] @hasInverse(field: iamRoles)
   sageMakerNotebookInstances: [awsSageMakerNotebookInstance]

src/types/generated.ts

@@ -3150,6 +3150,7 @@ export type AwsIamPolicy = AwsBaseService & {
   iamUsers?: Maybe<Array<Maybe<AwsIamUser>>>;
   name?: Maybe<Scalars['String']>;
   path?: Maybe<Scalars['String']>;
+  permissionBoundaryOf?: Maybe<Array<Maybe<AwsIamRole>>>;
   policyContent?: Maybe<AwsIamJsonPolicy>;
   rawPolicy?: Maybe<Scalars['String']>;
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
@@ -3182,7 +3183,8 @@ export type AwsIamRole = AwsBaseService & {
   guardDutyDetectors?: Maybe<Array<Maybe<AwsGuardDutyDetector>>>;
   iamAttachedPolicies?: Maybe<Array<Maybe<AwsIamPolicy>>>;
   iamInstanceProfiles?: Maybe<Array<Maybe<AwsIamInstanceProfile>>>;
-  inlinePolicies?: Maybe<Array<Maybe<Scalars['String']>>>;
+  iamPermissionBoundaryPolicy?: Maybe<Array<Maybe<AwsIamPolicy>>>;
+  inlinePolicies?: Maybe<Array<Maybe<AwsIamRoleInlinePolicy>>>;
   kinesisFirehose?: Maybe<Array<Maybe<AwsKinesisFirehose>>>;
   lambda?: Maybe<Array<Maybe<AwsLambda>>>;
   lastUsedDate?: Maybe<Scalars['DateTime']>;
@@ -3199,6 +3201,11 @@ export type AwsIamRole = AwsBaseService & {
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
 };
 
+export type AwsIamRoleInlinePolicy = {
+  document?: Maybe<AwsIamJsonPolicy>;
+  name?: Maybe<Scalars['String']>;
+};
+
 export type AwsIamSamlProvider = AwsOptionalService & {
   awsCognitoIdentityPool?: Maybe<Array<Maybe<AwsCognitoIdentityPool>>>;
   createdDate?: Maybe<Scalars['String']>;