o g.@s ddZdS)cCsVgd}|}g}|D] }||vr||q t|dkr)|jdd|iddSdS)a from policy_sentry.shared.database import connect_db from policy_sentry.querying.actions import get_actions_with_access_level db_session = connect_db("bundled") permissions_management_actions = get_actions_with_access_level( db_session, "all", "Permissions management" ) permissions_management_actions_normalized = [ x.lower() for x in permissions_management_actions ] permissions_management_actions = permissions_management_actions_normalized (zacm-pca:createpermissionzacm-pca:deletepermissionz$backup:deletebackupvaultaccesspolicyz!backup:putbackupvaultaccesspolicyz0chime:deletevoiceconnectorterminationcredentialsz-chime:putvoiceconnectorterminationcredentialszcloudformation:setstackpolicyz'cloudsearch:updateserviceaccesspolicieszcodebuild:deleteresourcepolicyz!codebuild:deletesourcecredentialsz!codebuild:importsourcecredentialszcodebuild:putresourcepolicyzcodestar:associateteammemberzcodestar:createprojectzcodestar:deleteprojectzcodestar:disassociateteammemberzcodestar:updateteammemberz#cognito-identity:createidentitypoolz!cognito-identity:deleteidentitiesz#cognito-identity:deleteidentitypoolzcognito-identity:getidz)cognito-identity:mergedeveloperidentitiesz%cognito-identity:setidentitypoolrolesz(cognito-identity:unlinkdeveloperidentityzcognito-identity:unlinkidentityz#cognito-identity:updateidentitypoolzconnect:getfederationtokenzconnect:getfederationtokensz&deeplens:associateserviceroletoaccountzds:createconditionalforwarderzds:createdirectoryzds:createidentitypooldirectoryzds:createmicrosoftadzds:createtrustzds:sharedirectoryz$ec2:createnetworkinterfacepermissionz$ec2:deletenetworkinterfacepermissionzec2:modifysnapshotattributez'ec2:modifyvpcendpointservicepermissionszec2:resetsnapshotattributezecr:setrepositorypolicyz2elasticmapreduce:putblockpublicaccessconfigurationzes:createelasticsearchdomainz"es:updateelasticsearchdomainconfigz!gamelift:requestuploadcredentialszglacier:abortvaultlockzglacier:completevaultlockzglacier:deletevaultaccesspolicyzglacier:initiatevaultlockzglacier:setdataretrievalpolicyzglacier:setvaultaccesspolicyzglue:deleteresourcepolicyzglue:putresourcepolicyz(greengrass:associateserviceroletoaccountz1health:describehealthservicestatusfororganizationz0health:disablehealthserviceaccessfororganizationz/health:enablehealthserviceaccessfororganizationz&iam:addclientidtoopenidconnectproviderziam:addroletoinstanceprofileziam:addusertogroupziam:attachgrouppolicyziam:attachrolepolicyziam:attachuserpolicyziam:changepasswordziam:createaccesskeyziam:createaccountaliasziam:creategroupziam:createinstanceprofileziam:createloginprofileziam:createopenidconnectproviderziam:createpolicyziam:createpolicyversionziam:createroleziam:createsamlproviderziam:createservicelinkedrolez#iam:createservicespecificcredentialziam:createuserziam:createvirtualmfadeviceziam:deactivatemfadeviceziam:deleteaccesskeyziam:deleteaccountaliasziam:deleteaccountpasswordpolicyziam:deletegroupziam:deletegrouppolicyziam:deleteinstanceprofileziam:deleteloginprofileziam:deleteopenidconnectproviderziam:deletepolicyziam:deletepolicyversionziam:deleterolez!iam:deleterolepermissionsboundaryziam:deleterolepolicyziam:deletesamlproviderziam:deletesshpublickeyziam:deleteservercertificateziam:deleteservicelinkedrolez#iam:deleteservicespecificcredentialziam:deletesigningcertificateziam:deleteuserz!iam:deleteuserpermissionsboundaryziam:deleteuserpolicyziam:deletevirtualmfadeviceziam:detachgrouppolicyziam:detachrolepolicyziam:detachuserpolicyziam:enablemfadevicez iam:passroleziam:putgrouppolicyziam:putrolepermissionsboundaryziam:putrolepolicyziam:putuserpermissionsboundaryziam:putuserpolicyz+iam:removeclientidfromopenidconnectproviderz!iam:removerolefrominstanceprofileziam:removeuserfromgroupz"iam:resetservicespecificcredentialziam:resyncmfadeviceziam:setdefaultpolicyversionz&iam:setsecuritytokenservicepreferencesziam:updateaccesskeyziam:updateaccountpasswordpolicyziam:updateassumerolepolicyziam:updategroupziam:updateloginprofilez)iam:updateopenidconnectproviderthumbprintziam:updateroleziam:updateroledescriptionziam:updatesamlproviderziam:updatesshpublickeyziam:updateservercertificatez#iam:updateservicespecificcredentialziam:updatesigningcertificateziam:updateuserziam:uploadsshpublickeyziam:uploadservercertificateziam:uploadsigningcertificatezimagebuilder:getcomponentpolicyzimagebuilder:putcomponentpolicyzimagebuilder:putimagepolicyz!imagebuilder:putimagerecipepolicyziot:attachpolicyziot:attachprincipalpolicyziot:detachpolicyziot:detachprincipalpolicyziot:setdefaultauthorizerziot:setdefaultpolicyversionziotsitewise:createaccesspolicyziotsitewise:deleteaccesspolicyziotsitewise:listaccesspoliciesziotsitewise:updateaccesspolicyzkms:creategrantz kms:createkeyzkms:putkeypolicyzkms:retiregrantzkms:revokegrantz#lakeformation:batchgrantpermissionsz$lakeformation:batchrevokepermissionszlakeformation:grantpermissionsz!lakeformation:putdatalakesettingszlakeformation:revokepermissionsz lambda:addlayerversionpermissionzlambda:addpermissionzlambda:disablereplicationzlambda:enablereplicationz#lambda:removelayerversionpermissionzlambda:removepermissionz%license-manager:updateservicesettingsz"lightsail:getinstanceaccessdetailsz1lightsail:getrelationaldatabasemasteruserpasswordzlogs:deleteresourcepolicyzlogs:putresourcepolicyz,mediapackage:rotateingestendpointcredentialsz mediastore:deletecontainerpolicyzmediastore:putcontainerpolicyzopsworks:setpermissionzopsworks:updateuserprofilez!ram:acceptresourceshareinvitationzram:associateresourcesharezram:createresourcesharezram:deleteresourcesharezram:disassociateresourcesharez$ram:enablesharingwithawsorganizationz!ram:rejectresourceshareinvitationzram:updateresourcesharez#rds:authorizedbsecuritygroupingresszrds-db:connectz redshift:authorizesnapshotaccesszredshift:createclusteruserz redshift:createsnapshotcopygrantzredshift:getclustercredentialszredshift:joingroupzredshift:modifyclusteriamroleszredshift:revokesnapshotaccesszs3:bypassgovernanceretentionzs3:deleteaccesspointpolicyzs3:deletebucketpolicyz#s3:objectowneroverridetobucketownerzs3:putaccesspointpolicyzs3:putaccountpublicaccessblockzs3:putbucketaclzs3:putbucketpolicyzs3:putbucketpublicaccessblockzs3:putobjectaclzs3:putobjectversionaclz#secretsmanager:deleteresourcepolicyz secretsmanager:putresourcepolicyzsns:addpermissionzsns:createtopiczsns:removepermissionzsns:settopicattributeszsqs:addpermissionzsqs:createqueuezsqs:removepermissionzsqs:setqueueattributeszssm:modifydocumentpermissionzsso:associatedirectoryzsso:associateprofilezsso:createapplicationinstancez(sso:createapplicationinstancecertificatezsso:createpermissionsetzsso:createprofilezsso:createtrustzsso:deleteapplicationinstancez(sso:deleteapplicationinstancecertificatezsso:deletepermissionsetzsso:deletepermissionspolicyzsso:deleteprofilezsso:disassociatedirectoryzsso:disassociateprofilez4sso:importapplicationinstanceserviceprovidermetadatazsso:putpermissionspolicyz sso:startssoz.sso:updateapplicationinstanceactivecertificatez(sso:updateapplicationinstancedisplaydataz2sso:updateapplicationinstanceresponseconfigurationz8sso:updateapplicationinstanceresponseschemaconfigurationz2sso:updateapplicationinstancesecurityconfigurationz9sso:updateapplicationinstanceserviceproviderconfigurationz#sso:updateapplicationinstancestatuszsso:updatedirectoryassociationzsso:updatepermissionsetzsso:updateprofilezsso:updatessoconfigurationzsso:updatetrustzsso-directory:addmembertogroupzsso-directory:createaliaszsso-directory:creategroupzsso-directory:createuserzsso-directory:deletegroupzsso-directory:deleteuserzsso-directory:disableuserzsso-directory:enableuserz#sso-directory:removememberfromgroupzsso-directory:updategroupzsso-directory:updatepasswordzsso-directory:updateuserzsso-directory:verifyemailz$storagegateway:deletechapcredentialsz&storagegateway:setlocalconsolepasswordz"storagegateway:setsmbguestpasswordz$storagegateway:updatechapcredentialszwaf:deletepermissionpolicyzwaf:getchangetokenzwaf:putpermissionpolicyz#waf-regional:deletepermissionpolicyzwaf-regional:getchangetokenz waf-regional:putpermissionpolicyzwafv2:createwebaclzwafv2:deletewebaclzwafv2:updatewebaclz(worklink:updatedevicepolicyconfigurationzworkmail:resetpasswordzworkmail:resetuserpasswordzxray:putencryptionconfigPERMISSIONS_MANAGEMENT_ACTIONSactions)locationN)get_allowed_actionsappendlen add_finding)policypermissions_management_actionsr(permissions_management_actions_in_policyactionr r/home/ubuntu/cloudmapper/venv/lib/python3.10/site-packages/parliament/community_auditors/permissions_management.pyaudits   rN)rr r r rs