Crate aws-iam

A Rust crate for dealing with AWS IAM Policy resources.

Model

For the most part importing aws_iam::model provides the core types necessary to programmatically create Policy documents. You can also import aws_iam::model::builder to use a more fluent interface to construct Policies. The aws_iam::io module provides simple read and write functions, the write functions producing pretty printed JSON output.

The aws_iam::report module provides a set of traits that allow for visiting a Policy model, and implementations of these that write formatted versions of a Policy as documentation.

Example

```rust use awsiam::model::*; use awsiam::io::writetowriter; use std::io::stdout;

let policy: Policy = PolicyBuilder::new() .named("confidential-data-access") .evaluatestatement( StatementBuilder::new() .autonamed() .allows() .unspecifiedprincipals() .mayperformactions(vec!["s3:List*", "s3:Get*"]) .onresources(vec![ "arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*", ]) .ifcondition( ConditionBuilder::newbool() .righthandbool("aws:MultiFactorAuthPresent", true) .ifexists(), ), ) .into(); writeto_writer(stdout(), &policy); ```

Results in the following JSON.

json { "Id": "confidential-data-access", "Statement": { "Sid": "sid_e4d7f2d3-cfed-4346-9c5e-a8e9e38ef44f", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*" ], "Resource": [ "arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*" ], "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "true" } } } }

policy Command-Line Tool

The policy tool provides some very basic policy resource operations. The most valuable of these is verify which will read a file, parse it and produce a formatted output. This output can be a documentation form which is useful for describing common policies.

```bash $ policy -h policy 0.2.0

USAGE: policy [FLAGS]

FLAGS: -h, --help Prints help information -V, --version Prints version information -v, --verbose The level of logging to perform, from off to trace

SUBCOMMANDS: help Prints this message or the help of the given subcommand(s) new Create a new default policy document verify Verify an existing policy document ```

For example, given the following JSON policy:

json { "Version": "2012-10-17", "Statement": [{ "Sid": "DenyAllUsersNotUsingMFA", "Effect": "Deny", "NotAction": "iam:*", "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}} }] }

the command policy verify -f markdown will produce the output between the following lines.

Policy

IAM Policy Version: 2012-10-17

Statement

Statement ID: DenyAllUsersNotUsingMFA

DENY IF

• ActionNOT= "iam:*"
• Resource = "*"
• ConditionIF EXISTSaws:MultiFactorAuthPresentTHEN

  * aws:MultiFactorAuthPresentBool"false"

Changes

Version 0.2.2

• Added implementations of common equality, ordering, and hashing traits (See Issue #19).

Version 0.2.1

• Fixing missing_docs warnings.
• Removed any_of(), condition_one(), and one() from builder, replaced with functions on Action, Principal, and Resource.

Version 0.2.0

• First commit to Crates.io.
• Completed markdown support for policy tool verification.
• Completed changes to the model to support NotAction, NotPrincipal, and NotResource.
• Filled obvious gaps in documentation.

Version 0.1.0

• Initial commit stream to Github from private project.
• Goal was to complete the existing model, documentation and add the policy tool.

TODO

1. Add Latex output to policy.