{"id":13445067,"url":"https://github.com/salesforce/policy_sentry","last_synced_at":"2026-04-14T03:00:49.123Z","repository":{"id":35155296,"uuid":"209652627","full_name":"salesforce/policy_sentry","owner":"salesforce","description":"IAM Least Privilege Policy Generator","archived":false,"fork":false,"pushed_at":"2026-04-05T22:14:52.000Z","size":41975,"stargazers_count":2140,"open_issues_count":8,"forks_count":152,"subscribers_count":23,"default_branch":"master","last_synced_at":"2026-04-05T23:26:08.633Z","etag":null,"topics":["aws","aws-security","cloud","cloudsecurity","hacktoberfest","iam","iam-policy","salesforce","security"],"latest_commit_sha":null,"homepage":"https://policy-sentry.readthedocs.io/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salesforce.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-09-19T21:35:53.000Z","updated_at":"2026-04-05T22:11:37.000Z","dependencies_parsed_at":"2025-12-20T04:01:54.407Z","dependency_job_id":null,"html_url":"https://github.com/salesforce/policy_sentry","commit_stats":{"total_commits":810,"total_committers":33,"mean_commits":"24.545454545454547","dds":0.4246913580246914,"last_synced_commit":"33a4f167b74cd1f9a59e7d0f98f4f890559b5df8"},"previous_names":[],"tags_count":92,"template":false,"template_full_name":null,"purl":"pkg:github/salesforce/policy_sentry","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpolicy_sentry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpolicy_sentry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpolicy_sentry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpolicy_sentry/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salesforce","download_url":"https://codeload.github.com/salesforce/policy_sentry/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salesforce%2Fpolicy_sentry/sbom","scorecard":{"id":796370,"data":{"date":"2025-08-11","repo":{"name":"github.com/salesforce/policy_sentry","commit":"ca761286629af380bc35e929c7385f581d9f53ad"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.4,"checks":[{"name":"Maintained","score":5,"reason":"6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":1,"reason":"Found 1/7 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:106","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:78","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/update.yml:19","Warn: no topLevel permission defined: .github/workflows/bump-version.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-dependency-updater.yml:10","Warn: no topLevel permission defined: .github/workflows/release-drafter.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/update.yml:10"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:42"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Vulnerabilities","score":3,"reason":"7 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-cpwx-vrp4-4pq7","Warn: Project is vulnerable to: GHSA-gmj6-6f8f-6699","Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95","Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj","Warn: Project is vulnerable to: GHSA-q2x7-8rv6-6q7h","Warn: Project is vulnerable to: PYSEC-2023-117 / GHSA-mrwq-x4v8-fh7p","Warn: Project is vulnerable to: GHSA-jh85-wwv9-24hv"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: containerImage not pinned by hash: Dockerfile:2","Warn: pipCommand not pinned by hash: Dockerfile:7-8","Warn: pipCommand not pinned by hash: Dockerfile:11-12","Warn: pipCommand not pinned by hash: utils/run_tests.sh:5","Warn: pipCommand not pinned by hash: utils/run_tests.sh:6","Warn: pipCommand not pinned by hash: utils/update-brew.sh:4","Warn: pipCommand not pinned by hash: utils/update-brew.sh:5","Warn: pipCommand not pinned by hash: utils/update-brew.sh:9","Warn: pipCommand not pinned by hash: utils/update-brew.sh:10","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:62","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:63","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:64","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:93","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:94","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:40","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:41","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:42","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:90","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:91","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:54","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:55","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:56","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:63","Warn: pipCommand not pinned by hash: .github/workflows/python-dependency-updater.yml:28","Warn: pipCommand not pinned by hash: .github/workflows/python-dependency-updater.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/update.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/update.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/update.yml:67","Warn: pipCommand not pinned by hash: .github/workflows/update.yml:68","Info:  22 out of  22 GitHub-owned GitHubAction dependencies pinned","Info:   5 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of  31 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}}]},"last_synced_at":"2025-08-23T09:07:53.857Z","repository_id":35155296,"created_at":"2025-08-23T09:07:53.857Z","updated_at":"2025-08-23T09:07:53.857Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31779947,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T02:24:21.117Z","status":"ssl_error","status_checked_at":"2026-04-14T02:24:20.627Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","cloud","cloudsecurity","hacktoberfest","iam","iam-policy","salesforce","security"],"created_at":"2024-07-31T04:00:53.197Z","updated_at":"2026-04-14T03:00:49.096Z","avatar_url":"https://github.com/salesforce.png","language":"Python","readme":"# Policy Sentry\n\nIAM Least Privilege Policy Generator.\n\n[![continuous-integration](https://github.com/salesforce/policy_sentry/workflows/continuous-integration/badge.svg?)](https://github.com/salesforce/policy_sentry/actions?query=workflow%3Acontinuous-integration)\n[![Documentation Status](https://readthedocs.org/projects/policy-sentry/badge/?version=latest)](https://policy-sentry.readthedocs.io/en/latest/?badge=latest)\n[![Join the chat at https://gitter.im/salesforce/policy_sentry](https://badges.gitter.im/salesforce/policy_sentry.svg)](https://gitter.im/salesforce/policy_sentry?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n[![Twitter](https://img.shields.io/twitter/url/https/twitter.com/kmcquade3.svg?style=social\u0026label=Follow%20the%20author)](https://twitter.com/kmcquade3)\n[![PyPI](https://img.shields.io/pypi/v/policy-sentry)](https://pypi.org/project/policy-sentry)\n[![Python Version](https://img.shields.io/pypi/pyversions/policy-sentry)](#)\n[![Downloads](https://static.pepy.tech/badge/policy-sentry)](https://pepy.tech/project/policy-sentry)\n\n![](https://raw.githubusercontent.com/salesforce/policy_sentry/master/examples/asciinema/policy_sentry.gif)\n\n- [Tutorial](#tutorial)\n  * [Installation](#installation)\n    + [Package managers](#package-managers)\n    + [Shell completion](#shell-completion)\n  * [Step 1: Create the Template](#step-1--create-the-template)\n  * [Step 2: Copy/paste ARNs](#step-2--copy-paste-arns)\n  * [Step 3: Write-policy command](#step-3--write-policy-command)\n- [Cheat sheets](#cheat-sheets)\n  * [Policy Writing cheat sheet](#policy-writing-cheat-sheet)\n  * [IAM Database Query Cheat Sheet](#iam-database-query-cheat-sheet)\n  * [Local Initialization (Optional)](#local-initialization--optional-)\n- [Other Usage](#other-usage)\n  * [Commands](#commands)\n  * [Python Library usage](#python-library-usage)\n  * [Docker](#docker)\n  * [Terraform](#terraform)\n- [References](#references)\n\n## Documentation\n\nFor walkthroughs and full documentation, please visit the [project on ReadTheDocs](https://policy-sentry.readthedocs.io/en/latest/index.html).\n\nSee the [Salesforce Engineering Blog post](https://engineering.salesforce.com/salesforce-cloud-security-automating-least-privilege-in-aws-iam-with-policy-sentry-b04fe457b8dc) on Policy Sentry.\n\n## Overview\n\nWriting security-conscious IAM Policies by hand can be very tedious and inefficient. Many Infrastructure as Code developers have experienced something like this:\n\n * Determined to make your best effort to give users and roles the least amount of privilege you need to perform your duties, you spend way too much time combing through the AWS IAM Documentation on [Actions, Resources, and Condition Keys for AWS Services][1].\n * Your team lead encourages you to build security into your IAM Policies for product quality, but eventually you get frustrated due to project deadlines.\n * You don't have an embedded security person on your team who can write those IAM Policies for you, and there's no automated tool that will automagically sense the AWS API calls that you perform and then write them for you with Resource ARN constraints.\n * After fantasizing about that level of automation, you realize that writing least privilege IAM Policies, seemingly out of charity, will jeopardize your ability to finish your code in time to meet project deadlines.\n * You use Managed Policies (because hey, why not) or you eyeball the names of the API calls and use wildcards instead so you can move on with your life.\n\nSuch a process is not ideal for security or for Infrastructure as Code developers. We need to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies. That's why I made this tool.\n\nPolicy Sentry allows users to create least-privilege IAM policies in a matter of seconds, rather than tediously writing IAM policies by hand. These policies are scoped down according to access levels and resources. In the case of a breach, this helps to limit the blast radius of compromised credentials by only giving IAM principals access to what they need.\n\n**Before this tool, it could take hours to craft an IAM Policy with resource ARN constraints — but now it can take a matter of seconds**. This way, developers only have to determine the resources that they need to access, and **Policy Sentry abstracts the complexity of IAM policies** away from their development processes.\n\n### Writing Secure Policies based on Resource Constraints and Access Levels\n\nPolicy Sentry's flagship feature is that it can create IAM policies based on resource ARNs and access levels. Our CRUD functionality takes the opinionated approach that IAC developers shouldn't have to understand the complexities of AWS IAM - we should abstract the complexity for them. In fact, developers should just be able to say...\n\n* \"I need Read/Write/List access to `arn:aws:s3:::example-org-sbx-vmimport`\"\n* \"I need Permissions Management access to `arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret`\"\n* \"I need Tagging access to `arn:aws:ssm:us-east-1:123456789012:parameter/test`\"\n\n...and our automation should create policies that correspond to those access levels.\n\nHow do we accomplish this? Well, Policy Sentry leverages the AWS documentation on [Actions, Resources, and Condition Keys][1] documentation to look up the actions, access levels, and resource types, and generates policies according to the ARNs and access levels. Consider the table snippet below:\n\n\u003ctable class=\"tg\"\u003e\n  \u003ctr\u003e\n    \u003cth class=\"tg-fymr\"\u003eActions\u003c/th\u003e\n    \u003cth class=\"tg-fymr\"\u003eAccess Level\u003c/th\u003e\n    \u003cth class=\"tg-fymr\"\u003eResource Types\u003c/th\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd class=\"tg-0pky\"\u003essm:GetParameter\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eRead\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eparameter\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd class=\"tg-0pky\"\u003essm:DescribeParameters\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eList\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eparameter\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd class=\"tg-0pky\"\u003essm:PutParameter\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eWrite\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eparameter\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd class=\"tg-0pky\"\u003esecretsmanager:PutResourcePolicy\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003ePermissions management\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003esecret\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd class=\"tg-0pky\"\u003esecretsmanager:TagResource\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003eTagging\u003c/td\u003e\n    \u003ctd class=\"tg-0pky\"\u003esecret\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\nPolicy Sentry aggregates all of that documentation into a single database and uses that database to generate policies according to actions, resources, and access levels.\n\n## Tutorial\n\n\n### Installation\n\n#### Package managers\n\n* Homebrew\n\n```bash\nbrew tap salesforce/policy_sentry https://github.com/salesforce/policy_sentry\nbrew install policy_sentry\n```\n\n* Pip\n\n```bash\npip3 install --user policy_sentry\n```\n\n#### Shell completion\n\nTo enable Bash completion, put this in your `.bashrc`:\n\n```bash\neval \"$(_POLICY_SENTRY_COMPLETE=bash_source policy_sentry)\"\n```\n\nTo enable ZSH completion, put this in your `.zshrc`:\n\n```\neval \"$(_POLICY_SENTRY_COMPLETE=zsh_source policy_sentry)\"\n```\n\n### Step 1: Create the Template\n\n* To generate a policy according to resources and access levels, start by\ncreating a template with this command so you can just fill out the ARNs:\n\n```bash\npolicy_sentry create-template --output-file crud.yml --template-type crud\n```\n\n* It will generate a file like this:\n\n```yaml\nmode: crud\nname: ''\n# Specify resource ARNs\nread:\n- ''\nwrite:\n- ''\nlist:\n- ''\ntagging:\n- ''\npermissions-management:\n- ''\n# Actions that do not support resource constraints\nwildcard-only:\n  single-actions: # standalone actions\n  - ''\n  # Service-wide - like 's3' or 'ec2'\n  service-read:\n  - ''\n  service-write:\n  - ''\n  service-list:\n  - ''\n  service-tagging:\n  - ''\n  service-permissions-management:\n  - ''\n# Skip resource constraint requirements by listing actions here.\nskip-resource-constraints:\n- ''\n# Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete*\nexclude-actions:\n- ''\n# If this policy needs to include an AssumeRole action\nsts:\n  assume-role:\n    - ''\n  assume-role-with-saml:\n    - ''\n  assume-role-with-web-identity:\n    - ''\n```\n\n### Step 2: Copy/paste ARNs\n\n* Copy/paste the ARNs you want to include in your policy. You can delete lines that you don't use, or just leave them there.\n\n```yaml\nmode: crud\nread:\n- 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'\nwrite:\n- 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'\nlist:\n- 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'\ntagging:\n- 'arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret'\npermissions-management:\n- 'arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret'\n```\n\n### Step 3: Write-policy command\n\n* Then run this command:\n\n```bash\npolicy_sentry write-policy --input-file crud.yml\n```\n\n* It will generate these results:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"SsmReadParameter\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ssm:GetParameter\",\n                \"ssm:GetParameterHistory\",\n                \"ssm:GetParameters\",\n                \"ssm:GetParametersByPath\",\n                \"ssm:ListTagsForResource\"\n            ],\n            \"Resource\": [\n                \"arn:aws:ssm:us-east-1:123456789012:parameter/myparameter\"\n            ]\n        },\n        {\n            \"Sid\": \"SsmWriteParameter\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"ssm:DeleteParameter\",\n                \"ssm:DeleteParameters\",\n                \"ssm:LabelParameterVersion\",\n                \"ssm:PutParameter\"\n            ],\n            \"Resource\": [\n                \"arn:aws:ssm:us-east-1:123456789012:parameter/myparameter\"\n            ]\n        },\n        {\n            \"Sid\": \"SecretsmanagerPermissionsmanagementSecret\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"secretsmanager:DeleteResourcePolicy\",\n                \"secretsmanager:PutResourcePolicy\"\n            ],\n            \"Resource\": [\n                \"arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret\"\n            ]\n        },\n        {\n            \"Sid\": \"SecretsmanagerTaggingSecret\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"secretsmanager:TagResource\",\n                \"secretsmanager:UntagResource\"\n            ],\n            \"Resource\": [\n                \"arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret\"\n            ]\n        }\n    ]\n}\n```\n\nNotice how the policy above recognizes the ARNs that the user supplies, along with the requested access level. For instance, the SID `SecretsmanagerTaggingSecret` contains Tagging actions that are assigned to the secret resource type only.\n\nThis rapidly speeds up the time to develop IAM policies, and ensures that all policies created limit access to exactly what your role needs access to. This way, developers only have to determine the resources that they need to access, and we abstract the complexity of IAM policies away from their development processes.\n\n## Cheat sheets\n\n### Policy Writing cheat sheet\n\n```bash\n# Create templates first!!! This way you can just paste the values you need rather than remembering the YAML format\n# CRUD mode\npolicy_sentry create-template --output-file tmp.yml --template-type crud\n# Actions mode\npolicy_sentry create-template --output-file tmp.yml --template-type actions\n\n# Write policy based on resource-specific access levels\npolicy_sentry write-policy --input-file examples/yml/crud.yml\n\n# Write policy based on a list of actions\npolicy_sentry write-policy --input-file examples/yml/actions.yml\n```\n\n### IAM Database Query Cheat Sheet\n\n```bash\n\n###############\n# Actions Table\n###############\n# NOTE: Use --fmt yaml or --fmt json to change the output format. Defaults to json for querying\n\n# Get a list of actions that do not support resource constraints\npolicy_sentry query action-table --service s3 --resource-type \"*\" --fmt yaml\n\n# Get a list of actions at the \"Write\" level in S3 that do not support resource constraints\npolicy_sentry query action-table --service s3 --access-level write --resource-type \"*\" --fmt yaml\n\n# Get a list of all IAM actions across ALL services that have \"Permissions management\" access\npolicy_sentry query action-table --service all --access-level permissions-management\n\n# Get a list of all IAM Actions available to the RAM service\npolicy_sentry query action-table --service ram\n\n# Get details about the `ram:TagResource` IAM Action\npolicy_sentry query action-table --service ram --name tagresource\n\n# Get a list of all IAM actions under the RAM service that have the Permissions management access level.\npolicy_sentry query action-table --service ram --access-level permissions-management\n\n# Get a list of all IAM actions under the SES service that support the `ses:FeedbackAddress` condition key.\npolicy_sentry query action-table --service ses --condition ses:FeedbackAddress\n\n###########\n# ARN Table\n###########\n\n# Get a list of all RAW ARN formats available through the SSM service.\npolicy_sentry query arn-table --service ssm\n\n# Get the raw ARN format for the `cloud9` ARN with the short name `environment`\npolicy_sentry query arn-table --service cloud9 --name environment\n\n# Get key/value pairs of all RAW ARN formats plus their short names\npolicy_sentry query arn-table --service cloud9 --list-arn-types\n\n######################\n# Condition Keys Table\n######################\n\n# Get a list of all condition keys available to the Cloud9 service\npolicy_sentry query condition-table --service cloud9\n\n# Get details on the condition key titled `cloud9:Permissions`\npolicy_sentry query condition-table --service cloud9 --name cloud9:Permissions\n```\n\n### Local Initialization (Optional)\n\n```bash\n# Initialize the policy_sentry config folder and create the IAM database tables.\npolicy_sentry initialize\n\n# Fetch the most recent version of the AWS documentation so you can experiment with new services.\npolicy_sentry initialize --fetch\n\n# Override the Access Levels by specifying your own Access Levels (example:, correcting Permissions management levels)\npolicy_sentry initialize --access-level-overrides-file ~/.policy_sentry/overrides-resource-policies.yml\n\npolicy_sentry initialize --access-level-overrides-file ~/.policy_sentry/access-level-overrides.yml\n```\n\n## Other Usage\n\n### Commands\n\n* `create-template`: Creates the YML file templates for use in the `write-policy` command types.\n\n* `write-policy`: Leverage a YAML file to write policies for you\n  - Option 1: Specify CRUD levels (Read, Write, List, Tagging, or Permissions management) and the ARN of the resource. It will write this for you. See the [documentation][13]\n  - Option 2: Specify a list of actions. It will write the IAM Policy for you, but you will have to fill in the ARNs. See the [documentation][14].\n\n* `query`: Query the IAM database tables. This can help when filling out the Policy Sentry templates, or just querying the database for quick knowledge.\n  - Option 1: Query the Actions Table (`action-table`)\n  - Option 2: Query the ARNs Table (`arn-table`)\n  - Option 3: Query the Conditions Table (`condition-table`)\n\n* `initialize`: (Optional). Create a SQLite database that contains all of the services available through the [Actions, Resources, and Condition Keys documentation][1]. See the [documentation][12].\n\n### Python Library usage\n\nIf you are developing your own Python code and you want to import Policy Sentry as a third party package, you can skip the initialization and leverage the local database file that is bundled with the Python package itself.\n\nThis is especially useful for developers who wish to leverage Policy Sentry’s capabilities that require the use of the IAM database (such as querying the IAM database table). This way, you don’t have to initialize the database and can just query it immediately.\n\nThe code example is located [here](https://github.com/salesforce/policy_sentry/blob/master/examples/library-usage/example.py). It is also shown below.\n\n```python\nfrom policy_sentry.querying.actions import get_actions_for_service\n\n\ndef example():\n    actions = get_actions_for_service('cloud9')  # Then you can leverage any method that requires access to the database.\n    for action in actions:\n        print(action)\n\nif __name__ == '__main__':\n    example()\n```\n\nThe results will look like:\n\n```\ncloud9:CreateEnvironmentEC2\ncloud9:CreateEnvironmentMembership\ncloud9:DeleteEnvironment\ncloud9:DeleteEnvironmentMembership\ncloud9:DescribeEnvironmentMemberships\ncloud9:DescribeEnvironmentStatus\ncloud9:DescribeEnvironments\ncloud9:GetUserSettings\ncloud9:ListEnvironments\ncloud9:ListTagsForResource\ncloud9:TagResource\ncloud9:UntagResource\ncloud9:UpdateEnvironment\ncloud9:UpdateEnvironmentMembership\ncloud9:UpdateUserSettings\n```\n\n### Docker\n\nIf you prefer using Docker instead of installing the script with Python, we support that as well. From the root of the repository, use this to build the docker image:\n\n```bash\ndocker build -t kmcquade/policy_sentry .\n```\n\nUse this to run some basic commands:\n\n```bash\n# Basic commands with no arguments\ndocker run -i --rm kmcquade/policy_sentry:latest \"--help\"\ndocker run -i --rm kmcquade/policy_sentry:latest \"query\"\n\n# Query the database\ndocker run -i --rm kmcquade/policy_sentry:latest \"query action-table --service all --access-level permissions-management\"\n```\n\nThe `write-policy` command also supports passing in the YML config via STDIN. If you are using the docker method, try it out here:\n\n```bash\n# Write policies by passing in the config via STDIN\ncat examples/yml/crud.yml | docker run -i --rm kmcquade/policy_sentry:latest \"write-policy\"\n\ncat examples/yml/actions.yml | docker run -i --rm kmcquade/policy_sentry:latest \"write-policy\"\n```\n\n### Terraform\n\nThe Terraform module is published and maintained [here](https://github.com/salesforce/policy_sentry/tree/master/terraform_module).\n\n## References\n\n* The document scraping process was inspired and borrowed from a similar [ansible hacking script][3].\n* [Identity-Based vs Resource-based policies][5]\n* [Actions, Resources, and Condition Keys for AWS Services][7]\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html\n[2]: https://nose.readthedocs.io/en/latest/\n[3]: https://github.com/ansible/ansible/blob/stable-2.9/hacking/aws_config/build_iam_policy_framework.py\n[4]: https://github.com/evilpete/aws_access_adviser\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html\n[8]: https://docs.aws.amazon.com/awssupport/latest/user/Welcome.html\n[9]: https://docs.aws.amazon.com/signer/latest/api/Welcome.html\n[10]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/permissions-reference-cwe.html\n[11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys\n[12]: https://policy-sentry.readthedocs.io/en/latest/user-guide/initialize.html\n[13]: https://policy-sentry.readthedocs.io/en/latest/user-guide/write-policy.html#crud-mode-arns-and-access-levels\n[14]: https://policy-sentry.readthedocs.io/en/latest/user-guide/write-policy.html#actions-mode-lists-of-iam-actions\n[15]: https://policy-sentry.readthedocs.io/en/latest/user-guide/write-policy.html#folder-mode-write-multiple-policies-from-crud-mode-files\n\n","funding_links":[],"categories":["Generators","\u003ca id=\"7e840ca27f1ff222fd25bc61a79b07ba\"\u003e\u003c/a\u003e特定目标","AWS","Python","SaaS","Identity and access management","Other Awesome Lists","Control Your Own Destiny","\u003ca id=\"c71ad1932bbf9c908af83917fe1fd5da\"\u003e\u003c/a\u003eAWS","Authorization","Tools"],"sub_categories":["\u003ca id=\"c71ad1932bbf9c908af83917fe1fd5da\"\u003e\u003c/a\u003eAWS","Hook management tools","Least privilege","Infrastructure As Code","\u003ca id=\"0476f6b97e87176da0a0d7328f8747e7\"\u003e\u003c/a\u003eblog","AWS policy tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalesforce%2Fpolicy_sentry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalesforce%2Fpolicy_sentry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalesforce%2Fpolicy_sentry/lists"}