MWAA/verify_env/verify_env.py [190:269]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "airflow:PublishMetrics"
            ],
            ResourceArns=[
                input_env['Arn']
            ]
        )['EvaluationResults']
        # the next simulation (s3:ListAllMyBuckets on the source bucket ARNs) is expected to be denied
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "s3:ListAllMyBuckets"
            ],
            ResourceArns=[
                input_env['SourceBucketArn'],
                input_env['SourceBucketArn'] + '/'
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            ResourceArns=[
                input_env['SourceBucketArn'],
                input_env['SourceBucketArn'] + '/'
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:GetLogGroupFields"
            ],
            ResourceArns=[
                "arn:aws:logs:" + REGION + ":" + account_id + ":log-group:airflow-" + ENV_NAME + "-*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "logs:DescribeLogGroups"
            ],
            ResourceArns=[
                "*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "cloudwatch:PutMetricData"
            ],
            ResourceArns=[
                "*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:SendMessage"
            ],
            ResourceArns=[
                "arn:aws:sqs:" + REGION + ":*:airflow-celery-*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



MWAA/verify_env/verify_env.py [345:425]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "airflow:PublishMetrics"
            ],
            ResourceArns=[
                input_env['Arn']
            ]
        )['EvaluationResults']
        # this action (s3:ListAllMyBuckets on the source bucket ARNs) is expected to be denied
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "s3:ListAllMyBuckets"
            ],
            ResourceArns=[
                input_env['SourceBucketArn'],
                input_env['SourceBucketArn'] + '/'
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            ResourceArns=[
                input_env['SourceBucketArn'],
                input_env['SourceBucketArn'] + '/'
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:GetLogGroupFields"
            ],
            ResourceArns=[
                "arn:aws:logs:" + REGION + ":" + account_id + ":log-group:airflow-" + ENV_NAME + "-*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "logs:DescribeLogGroups"
            ],
            ResourceArns=[
                "*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "cloudwatch:PutMetricData"
            ],
            ResourceArns=[
                "*"
            ]
        )['EvaluationResults']
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ReceiveMessage",
                "sqs:SendMessage"
            ],
            ResourceArns=[
                "arn:aws:sqs:" + REGION + ":*:airflow-celery-*"
            ]
        )['EvaluationResults']
        # tests that the role allows any KMS call for resources that are not in this account and that are from the SQS service
        eval_results = eval_results + iam_client.simulate_custom_policy(
            PolicyInputList=policy_list,
            ActionNames=[
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



