fix(iamRole): added iamBoundaryPermissionPolicy relation and inline policies json documents

Author: hjaraujof

src/services/iamPolicy/schema.graphql

@@ -8,6 +8,7 @@ type awsIamPolicy implements awsBaseService @key(fields: "id") {
   iamRoles: [awsIamRole] @hasInverse(field: iamAttachedPolicies)
   iamGroups: [awsIamGroup] @hasInverse(field: iamAttachedPolicies)
   iamUsers: [awsIamUser] @hasInverse(field: iamAttachedPolicies)
+  permissionboundaryOf: [awsIamRole] @hasInverse(field: iamPermissionBoundaryPolicy)
 }
 
 type awsIamJSONPolicy

src/services/iamRole/connections.ts

@@ -34,14 +34,35 @@ export default ({
   region: string
 }): { [key: string]: ServiceConnection[] } => {
   const connections: ServiceConnection[] = []
-  const { Arn: id, ManagedPolicies: managedPolicies } = role
+  const {
+    Arn: id,
+    ManagedPolicies: managedPolicies,
+    PermissionsBoundaryArn,
+  } = role
 
   const policies: RawAwsIamPolicy[] =
     flatMap(
       data.find(({ name: serviceName }) => serviceName === services.iamPolicy)
         ?.data
     ) || []
 
+  /** Find Permission Boundary Policy
+   *  related to this IAM Role
+   */
+
+  const permissionBoundaryPolicy = policies.find(
+    ({ Arn: arn }: RawAwsIamPolicy) => PermissionsBoundaryArn === arn
+  )
+
+  if (permissionBoundaryPolicy) {
+    connections.push({
+      id: PermissionsBoundaryArn,
+      resourceType: services.iamPolicy,
+      relation: 'child',
+      field: 'iamPermissionBoundaryPolicy',
+    })
+  }
+
   /**
    * Find Managed Policies
    * related to this IAM Role

src/services/iamRole/data.ts

@@ -6,12 +6,14 @@ import { AWSError } from 'aws-sdk/lib/error'
 
 import IAM, {
   AttachedPolicy,
+  GetAccountAuthorizationDetailsResponse,
   GetRoleResponse,
   ListAttachedRolePoliciesResponse,
   ListRolePoliciesResponse,
   ListRolesResponse,
   ListRoleTagsResponse,
   Role,
+  RoleDetail,
 } from 'aws-sdk/clients/iam'
 import { Config } from 'aws-sdk/lib/config'
 
@@ -38,10 +40,12 @@ const customRetrySettings = setAwsRetryOptions({
 })
 
 export interface RawAwsIamRole extends Omit<Role, 'Tags'> {
-  Policies: string[]
   ManagedPolicies: AttachedPolicy[]
   region: string
   Tags?: TagMap
+  PermissionsBoundaryArn: string
+  InlinePoliciesName: string[]
+  InlinePoliciesDocuments: string[]
 }
 
 const roleByRoleName = async (
@@ -154,10 +158,42 @@ const managedPoliciesByRoleName = async (
     )
   })
 
-export const listIamRoles = async (
+export const getAccountAuthorizationDetails = async (
   iam: IAM,
   marker?: string
-): Promise<RawAwsIamRole[]> =>
+): Promise<RoleDetail[]> =>
+  new Promise(resolve => {
+    const result: RoleDetail[] = []
+    iam.getAccountAuthorizationDetails(
+      { Filter: ['Role'], Marker: marker },
+      async (err: AWSError, data: GetAccountAuthorizationDetailsResponse) => {
+        if (err) {
+          errorLog.generateAwsErrorLog({
+            functionName: 'iam:getAccountAuthorizationDetails',
+            err,
+          })
+        }
+        if (!isEmpty(data) && !isEmpty(data.RoleDetailList)) {
+          const { Marker, IsTruncated, RoleDetailList } = data
+          result.push(...RoleDetailList)
+          if (IsTruncated) {
+            result.push(...(await getAccountAuthorizationDetails(iam, Marker)))
+          }
+          resolve(result)
+        }
+      }
+    )
+  })
+
+export const listIamRoles = async ({
+  iam,
+  marker,
+  roleAuthorizationDetails,
+}: {
+  iam: IAM
+  marker?: string
+  roleAuthorizationDetails: RoleDetail[]
+}): Promise<RawAwsIamRole[]> =>
   new Promise(resolve => {
     const result: RawAwsIamRole[] = []
     const policiesByRoleNamePromises = []
@@ -196,7 +232,13 @@ export const listIamRoles = async (
 
           result.push(
             ...roles.map(
-              ({ RoleName, AssumeRolePolicyDocument, Tags, ...role }) => {
+              ({
+                RoleName,
+                AssumeRolePolicyDocument,
+                PermissionsBoundary,
+                Tags,
+                ...role
+              }) => {
                 return {
                   RoleName,
                   AssumeRolePolicyDocument: decodeURIComponent(
@@ -207,7 +249,7 @@ export const listIamRoles = async (
                   RoleLastUsed: detailedRoles?.find(
                     r => r?.RoleName === RoleName
                   )?.Role.RoleLastUsed,
-                  Policies:
+                  InlinePoliciesName:
                     policies
                       ?.filter(p => p?.RoleName === RoleName)
                       .map(p => p.Policies)
@@ -218,13 +260,24 @@ export const listIamRoles = async (
                       .map(p => p.ManagedPolicies)
                       .reduce((current, acc) => [...acc, ...current], []) || [],
                   Tags: tags.find(t => t?.RoleName === RoleName)?.Tags || {},
+                  PermissionsBoundaryArn:
+                    PermissionsBoundary.PermissionsBoundaryArn,
+                  InlinePoliciesDocuments: roleAuthorizationDetails
+                    .find(rAD => rAD.RoleName === RoleName)
+                    .RolePolicyList.map(rPl => rPl.PolicyDocument),
                 }
               }
             )
           )
 
           if (IsTruncated) {
-            result.push(...(await listIamRoles(iam, Marker)))
+            result.push(
+              ...(await listIamRoles({
+                iam,
+                marker: Marker,
+                roleAuthorizationDetails,
+              }))
+            )
           }
 
           resolve(result)
@@ -259,8 +312,12 @@ export default async ({
 
     logger.debug(lt.lookingForIamRoles)
 
+    // Fetch role authorization details first
+    const roleAuthorizationDetails = await getAccountAuthorizationDetails(
+      client
+    )
     // Fetch IAM Roles
-    rolesData = await listIamRoles(client)
+    rolesData = await listIamRoles({ iam: client, roleAuthorizationDetails })
 
     errorLog.reset()
     logger.debug(lt.foundRoles(rolesData.length))

src/services/iamRole/format.ts

@@ -24,7 +24,8 @@ export default ({
     RoleLastUsed,
     AssumeRolePolicyDocument: assumeRolePolicy = '',
     MaxSessionDuration: maxSessionDuration = 0,
-    Policies: inlinePolicies = [],
+    InlinePoliciesName: inlinePolicies = [],
+    InlinePoliciesDocuments: inlineFormattedPolicies,
     Tags: tags = {},
   } = rawData
 
@@ -44,6 +45,9 @@ export default ({
     assumeRolePolicy: formatIamJsonPolicy(assumeRolePolicy),
     maxSessionDuration,
     inlinePolicies,
+    inlineFormattedPolicies: inlineFormattedPolicies.map(p =>
+      formatIamJsonPolicy(p)
+    ),
     tags: roleTags,
   }
   return role

src/services/iamRole/schema.graphql

@@ -9,6 +9,8 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   maxSessionDuration: Int @search
   tags: [awsRawTag]
   inlinePolicies: [String]
+  rawInlinePolicies: [String] @search(by: [hash, regexp])
+  inlineFormattedPolicies: [awsIamJSONPolicy]
   cloudFormationStack: [awsCloudFormationStack] @hasInverse(field: iamRole)
   codebuilds: [awsCodebuild] @hasInverse(field: iamRoles)
   configurationRecorder: [awsConfigurationRecorder] @hasInverse(field: iamRole)
@@ -20,6 +22,7 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   glueJobs: [awsGlueJob] @hasInverse(field: iamRole)
   guardDutyDetectors: [awsGuardDutyDetector] @hasInverse(field: iamRole)
   iamAttachedPolicies: [awsIamPolicy] @hasInverse(field: iamRoles)
+  iamPermissionBoundaryPolicy: [awsIamPolicy] @hasInverse(field: permissionboundaryOf)
   iamInstanceProfiles: [awsIamInstanceProfile] @hasInverse(field: iamRole)
   managedAirflows: [awsManagedAirflow] @hasInverse(field: iamRoles)
   sageMakerNotebookInstances: [awsSageMakerNotebookInstance]

src/types/generated.ts

@@ -3150,6 +3150,7 @@ export type AwsIamPolicy = AwsBaseService & {
   iamUsers?: Maybe<Array<Maybe<AwsIamUser>>>;
   name?: Maybe<Scalars['String']>;
   path?: Maybe<Scalars['String']>;
+  permissionboundaryOf?: Maybe<Array<Maybe<AwsIamRole>>>;
   policyContent?: Maybe<AwsIamJsonPolicy>;
   rawPolicy?: Maybe<Scalars['String']>;
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
@@ -3182,6 +3183,8 @@ export type AwsIamRole = AwsBaseService & {
   guardDutyDetectors?: Maybe<Array<Maybe<AwsGuardDutyDetector>>>;
   iamAttachedPolicies?: Maybe<Array<Maybe<AwsIamPolicy>>>;
   iamInstanceProfiles?: Maybe<Array<Maybe<AwsIamInstanceProfile>>>;
+  iamPermissionBoundaryPolicy?: Maybe<Array<Maybe<AwsIamPolicy>>>;
+  inlineFormattedPolicies?: Maybe<Array<Maybe<AwsIamJsonPolicy>>>;
   inlinePolicies?: Maybe<Array<Maybe<Scalars['String']>>>;
   kinesisFirehose?: Maybe<Array<Maybe<AwsKinesisFirehose>>>;
   lambda?: Maybe<Array<Maybe<AwsLambda>>>;
@@ -3190,6 +3193,7 @@ export type AwsIamRole = AwsBaseService & {
   maxSessionDuration?: Maybe<Scalars['Int']>;
   name?: Maybe<Scalars['String']>;
   path?: Maybe<Scalars['String']>;
+  rawInlinePolicies?: Maybe<Array<Maybe<Scalars['String']>>>;
   rawPolicy?: Maybe<Scalars['String']>;
   rdsCluster?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;