haydenbbickerton · October 30, 2018 15:41
diff --git a/aws_risks.py b/aws_risks.py
 # A small module for judging "risk" of a permission based on service and action
 #
 # The goal here is to categorize common AWS actions in a way that can be easily referenced by
 # either the end user, or internal script, or whatever else.
 #
 # More of this to come later
 from boltons import mathutils, strutils


 # Default baseline risk scores, should be configured
 RISKS_SERVICES = {
    'cloudtrail': 3,
    'kms': 3,
    'lambda': 2,
    'rds': 3,
    'route53': 4,
    'iam': 4
 }

 # auto generated from the first word of actions
 # ie: for "DeleteProject", operation is "Delete" and target is "Project"
 RISKS_ACTIONS = {
    'MUTATE':  {
        'risk': 5,
        'words': [
            'create', 'delete', 'destroy', 'modify', 'add', 'remove', 'set', 'update', 'put', 'reset'
        ],
    },
    'READ':  {
        'risk': 1,
        'words': [
            'get', 'view', 'list', 'describe'
        ],
    },
    'CONDUCT': {
        'risk': 5,
        'words': [
            'start', 'stop', 'suspend', 'run', 'cancel', 'continue', 'resume',
            'fail', 'execute', 'enter', 'exit', 'reboot'
        ]
    },
    'ORGANIZE': {
        'risk': 5,
        'words':  [
            'attach', 'detach',  'release', 'associate', 'disassociate', 'allocate', 'release'
            'authorize', 'revoke', 'register', 'deregister', 'activate', 'deactivate', 'enable',
        ]
    },
    'INTERACT': {
        'risk': 4,
        'words':  [
            'request', 'respond', 'query', 'search', 'send', 'resend', 'publish',  'notify'
        ]
    },
    'SIDE_EFFECT': {
        'risk': 3,
        'words':  [
            'simulate', 'export', 'record',  'estimate', 'preview', 'validate'
        ]
    }
 }

 # from remaining words in action
 RISKS_ACTIONS.update({
    'TARGET_DATA': {
        'risk': 1,
        'words': [
            'object', 'bucket', 'database', 'content', 'table', 'text', 'tags'
        ]
    },
    'TARGET_ASPECT': {
        'risk': 2,
        'words': ['policy', 'attribute', 'permission', 'status', 'grants', 'settings', ]
    }
 })


 def calculate_risk_level(score):
    levels = {
        'NIL': 0, # need a keyword for "no risk", but don't want to use NONE bc python
        'LOW': 2,
        'MEDIUM': 5,
        'HIGH': 7,
        'CRITICAL': 10
    }

    inv_levels = {v:k for k,v in levels.items()}
    score = mathutils.floor(score, levels.values())

    risk_level = inv_levels[score]
    return risk_level



 def calculate_permission_risk(permission):
    service, action = strutils.split_punct_ws(permission)
    action_words = strutils.camel2under(action).split('_')

    tags = []
    score = RISKS_SERVICES.get(service.lower(), 0) # start with score of (potentially) risky service (like iam, rds)
    for name, info in RISKS_ACTIONS.items():
        matched = (set(action_words) & set(info['words']))
        if bool(matched):
            tags.append(name)
            score += info['risk']

    return tags, score
	# A small module for judging "risk" of a permission based on service and action
	#
	# The goal here is to categorize common AWS actions in a way that can be easily referenced by
	# either the end user, or internal script, or whatever else.
	#
	# More of this to come later
	from boltons import mathutils, strutils


	# Default baseline risk scores, should be configured
	RISKS_SERVICES = {
	'cloudtrail': 3,
	'kms': 3,
	'lambda': 2,
	'rds': 3,
	'route53': 4,
	'iam': 4
	}

	# auto generated from the first word of actions
	# ie: for "DeleteProject", operation is "Delete" and target is "Project"
	RISKS_ACTIONS = {
	'MUTATE': {
	'risk': 5,
	'words': [
	'create', 'delete', 'destroy', 'modify', 'add', 'remove', 'set', 'update', 'put', 'reset'
	],
	},
	'READ': {
	'risk': 1,
	'words': [
	'get', 'view', 'list', 'describe'
	],
	},
	'CONDUCT': {
	'risk': 5,
	'words': [
	'start', 'stop', 'suspend', 'run', 'cancel', 'continue', 'resume',
	'fail', 'execute', 'enter', 'exit', 'reboot'
	]
	},
	'ORGANIZE': {
	'risk': 5,
	'words': [
	'attach', 'detach', 'release', 'associate', 'disassociate', 'allocate', 'release'
	'authorize', 'revoke', 'register', 'deregister', 'activate', 'deactivate', 'enable',
	]
	},
	'INTERACT': {
	'risk': 4,
	'words': [
	'request', 'respond', 'query', 'search', 'send', 'resend', 'publish', 'notify'
	]
	},
	'SIDE_EFFECT': {
	'risk': 3,
	'words': [
	'simulate', 'export', 'record', 'estimate', 'preview', 'validate'
	]
	}
	}

	# from remaining words in action
	RISKS_ACTIONS.update({
	'TARGET_DATA': {
	'risk': 1,
	'words': [
	'object', 'bucket', 'database', 'content', 'table', 'text', 'tags'
	]
	},
	'TARGET_ASPECT': {
	'risk': 2,
	'words': ['policy', 'attribute', 'permission', 'status', 'grants', 'settings', ]
	}
	})


	def calculate_risk_level(score):
	levels = {
	'NIL': 0, # need a keyword for "no risk", but don't want to use NONE bc python
	'LOW': 2,
	'MEDIUM': 5,
	'HIGH': 7,
	'CRITICAL': 10
	}

	inv_levels = {v:k for k,v in levels.items()}
	score = mathutils.floor(score, levels.values())

	risk_level = inv_levels[score]
	return risk_level



	def calculate_permission_risk(permission):
	service, action = strutils.split_punct_ws(permission)
	action_words = strutils.camel2under(action).split('_')

	tags = []
	score = RISKS_SERVICES.get(service.lower(), 0) # start with score of (potentially) risky service (like iam, rds)
	for name, info in RISKS_ACTIONS.items():
	matched = (set(action_words) & set(info['words']))
	if bool(matched):
	tags.append(name)
	score += info['risk']

	return tags, score