PolicyUniverse

1.5.1.20231109 · active · verified Tue Apr 14

PolicyUniverse, currently at version 1.5.1.20231109, is a Python library for parsing and processing AWS IAM Policies, Statements, ARNs, and wildcards. It provides classes to parse AWS IAM and Resource Policies, expand wildcards using AWS permission data, and minify policies to help users stay under AWS policy size limits. The project, open-sourced by Netflix-Skunkworks, sees releases as needed, with its latest update in November 2023.

Quickstart

This example demonstrates how to parse an AWS IAM policy document using the `Policy` class, retrieve its principals, check for internet accessibility, and get a summary of actions.

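```python
from policyuniverse.policy import Policy

policy_document = {
    'Version': '2012-10-17',
    'Statement': [
        # Statement 1: one account root principal, with a source-IP condition
        {
            'Effect': 'Allow',
            'Principal': 'arn:aws:iam::012345678910:root',
            'Action': ['s3:*'],
            'Resource': '*',
            'Condition': {
                'IpAddress': {
                    'AWS:SourceIP': ['0.0.0.0/0']
                }
            }
        },
        # Statement 2: wildcard account in the principal ARN, with a
        # SourceOwner condition naming a single account
        {
            'Effect': 'Allow',
            'Principal': 'arn:aws:iam::*:role/Hello',
            'Action': ['ec2:*'],
            'Resource': '*',
            'Condition': {
                'StringLike': {
                    'AWS:SourceOwner': '012345678910'
                }
            }
        }
    ]
}

# Parse the policy document into a Policy object
policy = Policy(policy_document)

# Principals named across all statements
print(f"Policy principals: {policy.principals}")
# Whether the policy, taking its conditions into account, is open to the internet
print(f"Is internet accessible: {policy.is_internet_accessible()}")
# Summary of the actions the policy grants
print(f"Actions summary: {policy.action_summary()}")
```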
