CLI utility for policy normalization?

[ossek]

This may be more of a feature request, but reading through this:
https://steampipe.io/blog/normalizing-aws-iam-policies-for-automated-analysis

I had hoped there would be a relatively straightforward way to use the canonicalPolicy function on a json string input to do policy normalization like Steampipe does, (and then perhaps print out the normalized json).

However, it does not seem so straightforward given that this func is not exported. Is there any plan to incorporate this functionality into a CLI or make the function exportable? The idea perhaps being that one could chain a jq call with canonicalPolicy to normalize policies while they're works-in-progress, or even incorporate into a build pipeline to normalize at build time.

Thanks!

[e-gineer]

Interesting ... so your goal in this case is not to query an existing policy in AWS, but instead to run a policy you are writing through the function to canonicalize it?

One approach we could take would be to build a special table e.g. aws_iam_policy_linter which has an input column that takes a policy string and an std_policy column that outputs the canonicalized policy. It would then be used with something like select policy_std from aws_iam_policy_linter where input = '{ ... your policy ... }'.

Would that suit your use case? Would you mind expanding more on what you are looking to do here?

[ossek]

Thanks, yes, that is the goal. Or to canonicalize already-written policies for analysis with tools beyond steampipe. For example, this could get one step closer to comparing side-by-side two policies pulled from git repos in a diff tool like vimdiff or beyond compare. (The next step would involve some sort of IAM json sort utility which I'm not expecting to find here).

I was wondering about something that wouldn't necessarily involve postgres at all, but a simple command line utility.

I'd envision something ad-hoc like cat mypolicy.json | canonicalPolicy > mypolicy_normalized.json and could perhaps be added as a line in a CI job that updates the policy, after a utility like cfn-lint or cfn-nag.

I realize the function operates on policy strings, not whole cloudformation templates, so there may be a bit more to it. At the very least something like cat mypolicy.json | jq '.myPolicy | canonicalPolicy > mypolicy_normalized_for_reinsertion_into_cfn_or_terraform.json`

I'm also assuming the normalized policy can be written back out to valid json, which is perhaps not a valid assumption...

Does this make sense?

[ossek]

Hi there, just wanted to check if I could add any other helpful info here. Thanks!

[e-gineer]

Hey @ossek ... your description is clear, thank you. Our priority right now is on the SQL querying, control running etc rather than a specific CLI tool. But, I do think your described approach is a good idea!