"""Test cases for aws cli."""

from __future__ import annotations

import pytest

from conftest import is_approved, needs_confirmation

#
# ==========================================================================
# AWS CLI
# ==========================================================================
#
TESTS = [
    ("aws help", True),
    ("aws s3 help", True),
    ("aws ec2 help", True),
    ("aws s3 ls", True),
    ("aws ec2 describe-instances", True),
    ("aws --profile prod ec2 describe-instances", True),
    ("aws --region us-east-1 ec2 describe-instances", True),
    ("aws --output json s3 ls", True),
    ("aws --profile prod --region us-west-2 lambda list-functions", True),
    ("aws --endpoint-url http://localhost:4566 s3 ls", True),
    ("aws --no-cli-pager ec2 describe-instances", True),
    ("aws logs filter-log-events --log-group-name test", True),
    ("aws cloudtrail lookup-events", True),
    ("aws dynamodb batch-get-item --request-items file://items.json", True),
    ("aws dynamodb query --table-name mytable", True),
    ("aws dynamodb scan --table-name mytable", True),
    ("aws dynamodb transact-get-items --transact-items file://items.json", True),
    ("aws cloudformation validate-template --template-body file://t.yaml", True),
    # AWS - comprehensive coverage from tldr
    # aws sts - Security Token Service
    # NOTE(review): get-session-token is classed as approved although it returns
    # a fresh access key / secret key / session token for the caller; confirm
    # that a credential-minting read is meant to bypass confirmation.
    ("aws sts get-caller-identity", True),
    ("aws sts get-session-token", True),
    ("aws sts get-access-key-info --access-key-id AKIA...", True),
    (
        "aws sts assume-role --role-arn arn:aws:iam::123:role/myrole --role-session-name sess",
        False,
    ),
    (
        "aws sts assume-role-with-saml --role-arn arn --principal-arn arn --saml-assertion ...",
        False,
    ),
    # aws ec2 - Elastic Compute Cloud
    # NOTE(review): get-password-data (approved below) returns the instance's
    # encrypted Windows administrator password, and get-console-output may echo
    # boot-time secrets; both are read-only but arguably credential material,
    # like secretsmanager get-secret-value which is classed False.
    ("aws ec2 describe-instances", True),
    ("aws ec2 describe-instances --instance-ids i-123", True),
    ("aws ec2 describe-instances --filters Name=tag:Name,Values=myserver", True),
    ("aws ec2 describe-volumes", True),
    ("aws ec2 describe-volumes --volume-ids vol-123", True),
    ("aws ec2 describe-images", True),
    ("aws ec2 describe-images --owners self", True),
    ("aws ec2 describe-security-groups", True),
    ("aws ec2 describe-subnets", True),
    ("aws ec2 describe-vpcs", True),
    ("aws ec2 describe-key-pairs", True),
    ("aws ec2 describe-snapshots --owner-ids self", True),
    ("aws ec2 describe-availability-zones", True),
    ("aws ec2 describe-regions", True),
    ("aws ec2 describe-addresses", True),
    ("aws ec2 describe-network-interfaces", True),
    ("aws ec2 describe-route-tables", True),
    ("aws ec2 describe-internet-gateways", True),
    ("aws ec2 describe-nat-gateways", True),
    ("aws ec2 describe-launch-templates", True),
    ("aws ec2 get-console-output --instance-id i-123", True),
    ("aws ec2 get-password-data --instance-id i-123", True),
    ("aws ec2 run-instances --image-id ami-123 --instance-type t2.micro", False),
    ("aws ec2 start-instances --instance-ids i-123", False),
    ("aws ec2 stop-instances --instance-ids i-123", False),
    ("aws ec2 reboot-instances --instance-ids i-123", False),
    ("aws ec2 terminate-instances --instance-ids i-123", False),
    ("aws ec2 create-snapshot --volume-id vol-123", False),
    ("aws ec2 delete-snapshot --snapshot-id snap-123", False),
    ("aws ec2 delete-volume --volume-id vol-123", False),
    ("aws ec2 create-image --instance-id i-123 --name myami", False),
    ("aws ec2 create-key-pair --key-name mykey", False),
    ("aws ec2 delete-key-pair --key-name mykey", False),
    ("aws ec2 create-security-group --group-name mysg --description desc", False),
    ("aws ec2 delete-security-group --group-id sg-123", False),
    (
        "aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 22 --cidr 0.0.0.0/0",
        False,
    ),
    (
        "aws ec2 modify-instance-attribute --instance-id i-123 --instance-type t3.micro",
        False,
    ),
    # aws s3 - Simple Storage Service (high-level commands)
    ("aws s3 ls", True),
    ("aws s3 ls s3://mybucket", True),
    ("aws s3 ls s3://mybucket/prefix/", True),
    ("aws s3 ls s3://mybucket --recursive", True),
    ("aws s3 cp s3://src/file s3://dst/file", False),
    ("aws s3 cp localfile s3://bucket/file", False),
    ("aws s3 cp s3://bucket/file localfile", False),
    ("aws s3 mv s3://src/file s3://dst/file", False),
    ("aws s3 rm s3://bucket/file", False),
    ("aws s3 rm s3://bucket/ --recursive", False),
    ("aws s3 sync ./local s3://bucket", False),
    ("aws s3 sync s3://bucket ./local", False),
    ("aws s3 mb s3://newbucket", False),
    ("aws s3 rb s3://bucket", False),
    ("aws s3 rb s3://bucket --force", False),
    ("aws s3 presign s3://bucket/file", False),  # generates URL but could leak
    ("aws s3 website s3://bucket --index-document index.html", False),
    # aws s3api - S3 API commands
    ("aws s3api list-buckets", True),
    ("aws s3api list-objects --bucket mybucket", True),
    ("aws s3api list-objects-v2 --bucket mybucket", True),
    ("aws s3api list-object-versions --bucket mybucket", True),
    ("aws s3api list-multipart-uploads --bucket mybucket", True),
    ("aws s3api get-bucket-location --bucket mybucket", True),
    ("aws s3api get-bucket-versioning --bucket mybucket", True),
    ("aws s3api get-bucket-acl --bucket mybucket", True),
    ("aws s3api get-bucket-policy --bucket mybucket", True),
    ("aws s3api get-bucket-logging --bucket mybucket", True),
    ("aws s3api get-bucket-encryption --bucket mybucket", True),
    ("aws s3api get-bucket-lifecycle-configuration --bucket mybucket", True),
    ("aws s3api get-bucket-tagging --bucket mybucket", True),
    ("aws s3api get-object --bucket mybucket --key mykey outfile", True),
    ("aws s3api get-object-acl --bucket mybucket --key mykey", True),
    ("aws s3api get-object-tagging --bucket mybucket --key mykey", True),
    ("aws s3api head-bucket --bucket mybucket", True),
    ("aws s3api head-object --bucket mybucket --key mykey", True),
    ("aws s3api put-object --bucket mybucket --key mykey --body file", False),
    ("aws s3api delete-object --bucket mybucket --key mykey", False),
    ("aws s3api delete-objects --bucket mybucket --delete file://delete.json", False),
    ("aws s3api create-bucket --bucket newbucket", False),
    ("aws s3api delete-bucket --bucket mybucket", False),
    (
        "aws s3api put-bucket-policy --bucket mybucket --policy file://policy.json",
        False,
    ),
    ("aws s3api put-bucket-acl --bucket mybucket --acl public-read", False),
    # aws iam - Identity and Access Management
    ("aws iam list-users", True),
    ("aws iam list-groups", True),
    ("aws iam list-roles", True),
    ("aws iam list-policies", True),
    ("aws iam list-policies --scope Local", True),
    ("aws iam list-attached-user-policies --user-name myuser", True),
    ("aws iam list-attached-role-policies --role-name myrole", True),
    ("aws iam list-attached-group-policies --group-name mygroup", True),
    ("aws iam list-user-policies --user-name myuser", True),
    ("aws iam list-role-policies --role-name myrole", True),
    ("aws iam list-group-policies --group-name mygroup", True),
    ("aws iam list-access-keys", True),
    ("aws iam list-access-keys --user-name myuser", True),
    ("aws iam list-mfa-devices", True),
    ("aws iam list-mfa-devices --user-name myuser", True),
    ("aws iam list-account-aliases", True),
    ("aws iam list-instance-profiles", True),
    ("aws iam list-server-certificates", True),
    ("aws iam list-signing-certificates", True),
    ("aws iam list-ssh-public-keys", True),
    ("aws iam get-user", True),
    ("aws iam get-user --user-name myuser", True),
    ("aws iam get-group --group-name mygroup", True),
    ("aws iam get-role --role-name myrole", True),
    ("aws iam get-policy --policy-arn arn:aws:iam::123:policy/mypolicy", True),
    ("aws iam get-policy-version --policy-arn arn --version-id v1", True),
    ("aws iam get-account-summary", True),
    ("aws iam get-account-password-policy", True),
    ("aws iam get-account-authorization-details", True),
    ("aws iam get-credential-report", True),
    ("aws iam get-instance-profile --instance-profile-name myprofile", True),
    ("aws iam get-login-profile --user-name myuser", True),
    ("aws iam get-access-key-last-used --access-key-id AKIA...", True),
    ("aws iam generate-credential-report", True),
    (
        "aws iam simulate-principal-policy --policy-source-arn arn --action-names s3:GetObject",
        True,
    ),
    ("aws iam create-user --user-name newuser", False),
    ("aws iam delete-user --user-name myuser", False),
    ("aws iam create-group --group-name newgroup", False),
    ("aws iam delete-group --group-name mygroup", False),
    (
        "aws iam create-role --role-name newrole --assume-role-policy-document file://trust.json",
        False,
    ),
    ("aws iam delete-role --role-name myrole", False),
    (
        "aws iam create-policy --policy-name newpolicy --policy-document file://policy.json",
        False,
    ),
    ("aws iam delete-policy --policy-arn arn", False),
    ("aws iam attach-user-policy --user-name myuser --policy-arn arn", False),
    ("aws iam detach-user-policy --user-name myuser --policy-arn arn", False),
    ("aws iam attach-role-policy --role-name myrole --policy-arn arn", False),
    ("aws iam detach-role-policy --role-name myrole --policy-arn arn", False),
    ("aws iam add-user-to-group --user-name myuser --group-name mygroup", False),
    ("aws iam remove-user-from-group --user-name myuser --group-name mygroup", False),
    ("aws iam create-access-key --user-name myuser", False),
    ("aws iam delete-access-key --access-key-id AKIA... --user-name myuser", False),
    ("aws iam update-access-key --access-key-id AKIA... --status Inactive", False),
    ("aws iam create-login-profile --user-name myuser --password pass", False),
    ("aws iam update-login-profile --user-name myuser --password newpass", False),
    ("aws iam delete-login-profile --user-name myuser", False),
    ("aws iam change-password --old-password old --new-password new", False),
    (
        "aws iam put-user-policy --user-name myuser --policy-name pol --policy-document file://p.json",
        False,
    ),
    (
        "aws iam put-role-policy --role-name myrole --policy-name pol --policy-document file://p.json",
        False,
    ),
    # aws lambda - Lambda Functions
    ("aws lambda list-functions", True),
    ("aws lambda list-functions --region us-east-1", True),
    ("aws lambda list-aliases --function-name myfunc", True),
    ("aws lambda list-versions-by-function --function-name myfunc", True),
    ("aws lambda list-event-source-mappings", True),
    ("aws lambda list-event-source-mappings --function-name myfunc", True),
    ("aws lambda list-layers", True),
    ("aws lambda list-layer-versions --layer-name mylayer", True),
    ("aws lambda list-tags --resource arn:aws:lambda:...", True),
    ("aws lambda get-function --function-name myfunc", True),
    ("aws lambda get-function-configuration --function-name myfunc", True),
    ("aws lambda get-function-concurrency --function-name myfunc", True),
    ("aws lambda get-function-url-config --function-name myfunc", True),
    ("aws lambda get-alias --function-name myfunc --name myalias", True),
    ("aws lambda get-policy --function-name myfunc", True),
    ("aws lambda get-account-settings", True),
    ("aws lambda get-layer-version --layer-name mylayer --version-number 1", True),
    ("aws lambda invoke --function-name myfunc response.json", False),
    ("aws lambda invoke --function-name myfunc --payload '{}' response.json", False),
    (
        "aws lambda create-function --function-name newfunc --runtime python3.9 --role arn --handler handler.main --zip-file fileb://code.zip",
        False,
    ),
    ("aws lambda delete-function --function-name myfunc", False),
    (
        "aws lambda update-function-code --function-name myfunc --zip-file fileb://code.zip",
        False,
    ),
    (
        "aws lambda update-function-configuration --function-name myfunc --timeout 30",
        False,
    ),
    ("aws lambda publish-version --function-name myfunc", False),
    (
        "aws lambda create-alias --function-name myfunc --name myalias --function-version 1",
        False,
    ),
    ("aws lambda delete-alias --function-name myfunc --name myalias", False),
    (
        "aws lambda add-permission --function-name myfunc --statement-id stmt --action lambda:InvokeFunction --principal s3.amazonaws.com",
        False,
    ),
    ("aws lambda remove-permission --function-name myfunc --statement-id stmt", False),
    (
        "aws lambda put-function-concurrency --function-name myfunc --reserved-concurrent-executions 10",
        False,
    ),
    # aws dynamodb - DynamoDB
    ("aws dynamodb list-tables", True),
    ("aws dynamodb list-tables --region us-east-1", True),
    ("aws dynamodb list-global-tables", True),
    ("aws dynamodb list-backups", True),
    ("aws dynamodb list-exports", True),
    ("aws dynamodb list-imports", True),
    ("aws dynamodb list-contributor-insights", True),
    ("aws dynamodb describe-table --table-name mytable", True),
    ("aws dynamodb describe-continuous-backups --table-name mytable", True),
    ("aws dynamodb describe-time-to-live --table-name mytable", True),
    ("aws dynamodb describe-limits", True),
    ("aws dynamodb describe-endpoints", True),
    ("aws dynamodb describe-backup --backup-arn arn", True),
    ("aws dynamodb describe-global-table --global-table-name mytable", True),
    ("aws dynamodb describe-global-table-settings --global-table-name mytable", True),
    ("aws dynamodb get-item --table-name mytable --key file://key.json", True),
    ("aws dynamodb batch-get-item --request-items file://items.json", True),
    (
        "aws dynamodb query --table-name mytable --key-condition-expression 'pk = :pk' --expression-attribute-values file://vals.json",
        True,
    ),
    ("aws dynamodb scan --table-name mytable", True),
    ("aws dynamodb scan --table-name mytable --filter-expression 'attr > :val'", True),
    ("aws dynamodb transact-get-items --transact-items file://items.json", True),
    (
        "aws dynamodb create-table --table-name newtable --attribute-definitions ... --key-schema ... --billing-mode PAY_PER_REQUEST",
        False,
    ),
    ("aws dynamodb delete-table --table-name mytable", False),
    (
        "aws dynamodb update-table --table-name mytable --billing-mode PAY_PER_REQUEST",
        False,
    ),
    ("aws dynamodb put-item --table-name mytable --item file://item.json", False),
    (
        "aws dynamodb update-item --table-name mytable --key file://key.json --update-expression 'SET attr = :val'",
        False,
    ),
    ("aws dynamodb delete-item --table-name mytable --key file://key.json", False),
    ("aws dynamodb batch-write-item --request-items file://items.json", False),
    ("aws dynamodb transact-write-items --transact-items file://items.json", False),
    ("aws dynamodb create-backup --table-name mytable --backup-name mybackup", False),
    ("aws dynamodb delete-backup --backup-arn arn", False),
    (
        "aws dynamodb restore-table-from-backup --target-table-name newtable --backup-arn arn",
        False,
    ),
    # aws rds - Relational Database Service
    ("aws rds describe-db-instances", True),
    ("aws rds describe-db-instances --db-instance-identifier mydb", True),
    ("aws rds describe-db-clusters", True),
    ("aws rds describe-db-clusters --db-cluster-identifier mycluster", True),
    ("aws rds describe-db-snapshots", True),
    ("aws rds describe-db-snapshots --db-snapshot-identifier mysnap", True),
    ("aws rds describe-db-cluster-snapshots", True),
    ("aws rds describe-db-parameter-groups", True),
    ("aws rds describe-db-parameters --db-parameter-group-name mygroup", True),
    ("aws rds describe-db-subnet-groups", True),
    ("aws rds describe-db-security-groups", True),
    ("aws rds describe-db-engine-versions", True),
    ("aws rds describe-db-log-files --db-instance-identifier mydb", True),
    ("aws rds describe-events", True),
    ("aws rds describe-events --source-type db-instance", True),
    ("aws rds describe-reserved-db-instances", True),
    ("aws rds describe-orderable-db-instance-options --engine postgres", True),
    ("aws rds describe-account-attributes", True),
    ("aws rds describe-certificates", True),
    ("aws rds describe-pending-maintenance-actions", True),
    ("aws rds list-tags-for-resource --resource-name arn:aws:rds:...", True),
    (
        "aws rds download-db-log-file-portion --db-instance-identifier mydb --log-file-name error.log",
        True,
    ),
    (
        "aws rds create-db-instance --db-instance-identifier newdb --db-instance-class db.t3.micro --engine postgres",
        False,
    ),
    ("aws rds delete-db-instance --db-instance-identifier mydb", False),
    (
        "aws rds delete-db-instance --db-instance-identifier mydb --skip-final-snapshot",
        False,
    ),
    ("aws rds start-db-instance --db-instance-identifier mydb", False),
    ("aws rds stop-db-instance --db-instance-identifier mydb", False),
    ("aws rds reboot-db-instance --db-instance-identifier mydb", False),
    (
        "aws rds modify-db-instance --db-instance-identifier mydb --db-instance-class db.t3.medium",
        False,
    ),
    (
        "aws rds modify-db-instance --db-instance-identifier mydb --apply-immediately",
        False,
    ),
    (
        "aws rds create-db-snapshot --db-instance-identifier mydb --db-snapshot-identifier mysnap",
        False,
    ),
    ("aws rds delete-db-snapshot --db-snapshot-identifier mysnap", False),
    (
        "aws rds restore-db-instance-from-db-snapshot --db-instance-identifier newdb --db-snapshot-identifier mysnap",
        False,
    ),
    (
        "aws rds create-db-cluster --db-cluster-identifier mycluster --engine aurora-postgresql",
        False,
    ),
    ("aws rds delete-db-cluster --db-cluster-identifier mycluster", False),
    # aws eks - Elastic Kubernetes Service
    ("aws eks list-clusters", True),
    ("aws eks list-nodegroups --cluster-name mycluster", True),
    ("aws eks list-fargate-profiles --cluster-name mycluster", True),
    ("aws eks list-addons --cluster-name mycluster", True),
    ("aws eks list-identity-provider-configs --cluster-name mycluster", True),
    ("aws eks list-updates --name mycluster", True),
    ("aws eks describe-cluster --name mycluster", True),
    (
        "aws eks describe-nodegroup --cluster-name mycluster --nodegroup-name mynodegroup",
        True,
    ),
    (
        "aws eks describe-fargate-profile --cluster-name mycluster --fargate-profile-name myprofile",
        True,
    ),
    ("aws eks describe-addon --cluster-name mycluster --addon-name vpc-cni", True),
    ("aws eks describe-addon-versions --addon-name vpc-cni", True),
    ("aws eks describe-update --name mycluster --update-id id", True),
    (
        "aws eks describe-identity-provider-config --cluster-name mycluster --identity-provider-config type=oidc,name=myconfig",
        True,
    ),
    (
        "aws eks create-cluster --name newcluster --role-arn arn --resources-vpc-config subnetIds=...",
        False,
    ),
    ("aws eks delete-cluster --name mycluster", False),
    (
        "aws eks update-cluster-config --name mycluster --resources-vpc-config ...",
        False,
    ),
    (
        "aws eks update-cluster-version --name mycluster --kubernetes-version 1.27",
        False,
    ),
    ("aws eks update-kubeconfig --name mycluster", False),
    (
        "aws eks create-nodegroup --cluster-name mycluster --nodegroup-name newnodegroup --subnets ... --node-role arn",
        False,
    ),
    (
        "aws eks delete-nodegroup --cluster-name mycluster --nodegroup-name mynodegroup",
        False,
    ),
    ("aws eks create-addon --cluster-name mycluster --addon-name vpc-cni", False),
    ("aws eks delete-addon --cluster-name mycluster --addon-name vpc-cni", False),
    # aws ecr - Elastic Container Registry
    # NOTE(review): get-login-password and get-authorization-token (approved
    # below) emit a time-limited registry credential; confirm that printing it
    # without confirmation is intended, consistent with sts get-session-token.
    ("aws ecr describe-repositories", True),
    ("aws ecr describe-repositories --repository-names myrepo", True),
    ("aws ecr describe-images --repository-name myrepo", True),
    (
        "aws ecr describe-image-scan-findings --repository-name myrepo --image-id imageTag=latest",
        True,
    ),
    ("aws ecr list-images --repository-name myrepo", True),
    ("aws ecr list-tags-for-resource --resource-arn arn", True),
    ("aws ecr get-repository-policy --repository-name myrepo", True),
    ("aws ecr get-lifecycle-policy --repository-name myrepo", True),
    ("aws ecr get-lifecycle-policy-preview --repository-name myrepo", True),
    ("aws ecr get-login-password", True),
    ("aws ecr get-login-password --region us-east-1", True),
    ("aws ecr get-authorization-token", True),
    (
        "aws ecr batch-get-image --repository-name myrepo --image-ids imageTag=latest",
        True,
    ),
    ("aws ecr create-repository --repository-name newrepo", False),
    ("aws ecr delete-repository --repository-name myrepo", False),
    ("aws ecr delete-repository --repository-name myrepo --force", False),
    (
        "aws ecr put-image --repository-name myrepo --image-manifest file://manifest.json",
        False,
    ),
    (
        "aws ecr batch-delete-image --repository-name myrepo --image-ids imageTag=latest",
        False,
    ),
    (
        "aws ecr put-lifecycle-policy --repository-name myrepo --lifecycle-policy-text file://policy.json",
        False,
    ),
    (
        "aws ecr set-repository-policy --repository-name myrepo --policy-text file://policy.json",
        False,
    ),
    (
        "aws ecr start-image-scan --repository-name myrepo --image-id imageTag=latest",
        False,
    ),
    # aws cloudformation - CloudFormation
    ("aws cloudformation list-stacks", True),
    ("aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE", True),
    ("aws cloudformation list-stack-resources --stack-name mystack", True),
    ("aws cloudformation list-stack-sets", True),
    ("aws cloudformation list-exports", True),
    ("aws cloudformation list-imports --export-name myexport", True),
    ("aws cloudformation list-types", True),
    ("aws cloudformation list-change-sets --stack-name mystack", True),
    ("aws cloudformation describe-stacks", True),
    ("aws cloudformation describe-stacks --stack-name mystack", True),
    ("aws cloudformation describe-stack-events --stack-name mystack", True),
    (
        "aws cloudformation describe-stack-resource --stack-name mystack --logical-resource-id myresource",
        True,
    ),
    ("aws cloudformation describe-stack-resources --stack-name mystack", True),
    ("aws cloudformation describe-stack-resource-drifts --stack-name mystack", True),
    ("aws cloudformation describe-stack-set --stack-set-name myset", True),
    (
        "aws cloudformation describe-change-set --change-set-name mychangeset --stack-name mystack",
        True,
    ),
    ("aws cloudformation describe-type --type-name AWS::S3::Bucket", True),
    ("aws cloudformation get-stack-policy --stack-name mystack", True),
    ("aws cloudformation get-template --stack-name mystack", True),
    ("aws cloudformation get-template-summary --stack-name mystack", True),
    ("aws cloudformation detect-stack-drift --stack-name mystack", True),
    (
        "aws cloudformation detect-stack-resource-drift --stack-name mystack --logical-resource-id res",
        True,
    ),
    ("aws cloudformation validate-template --template-body file://template.yaml", True),
    (
        "aws cloudformation estimate-template-cost --template-body file://template.yaml",
        True,
    ),
    (
        "aws cloudformation create-stack --stack-name newstack --template-body file://template.yaml",
        False,
    ),
    ("aws cloudformation delete-stack --stack-name mystack", False),
    (
        "aws cloudformation update-stack --stack-name mystack --template-body file://template.yaml",
        False,
    ),
    (
        "aws cloudformation execute-change-set --change-set-name mychangeset --stack-name mystack",
        False,
    ),
    ("aws cloudformation cancel-update-stack --stack-name mystack", False),
    ("aws cloudformation continue-update-rollback --stack-name mystack", False),
    (
        "aws cloudformation create-change-set --stack-name mystack --change-set-name mychangeset --template-body file://t.yaml",
        False,
    ),
    (
        "aws cloudformation delete-change-set --change-set-name mychangeset --stack-name mystack",
        False,
    ),
    (
        "aws cloudformation signal-resource --stack-name mystack --logical-resource-id res --unique-id id --status SUCCESS",
        False,
    ),
    # aws logs - CloudWatch Logs
    ("aws logs describe-log-groups", True),
    ("aws logs describe-log-groups --log-group-name-prefix /aws/lambda", True),
    ("aws logs describe-log-streams --log-group-name mygroup", True),
    (
        "aws logs describe-log-streams --log-group-name mygroup --order-by LastEventTime --descending",
        True,
    ),
    ("aws logs describe-metric-filters --log-group-name mygroup", True),
    ("aws logs describe-subscription-filters --log-group-name mygroup", True),
    ("aws logs describe-export-tasks", True),
    ("aws logs describe-queries", True),
    ("aws logs describe-query-definitions", True),
    ("aws logs describe-destinations", True),
    ("aws logs describe-resource-policies", True),
    ("aws logs filter-log-events --log-group-name mygroup", True),
    (
        "aws logs filter-log-events --log-group-name mygroup --filter-pattern ERROR",
        True,
    ),
    (
        "aws logs filter-log-events --log-group-name mygroup --start-time 1234567890000",
        True,
    ),
    (
        "aws logs get-log-events --log-group-name mygroup --log-stream-name mystream",
        True,
    ),
    ("aws logs get-log-record --log-record-pointer ptr", True),
    ("aws logs get-query-results --query-id id", True),
    (
        "aws logs start-query --log-group-name mygroup --start-time 0 --end-time 1 --query-string 'fields @message'",
        True,
    ),
    ("aws logs stop-query --query-id id", True),
    ("aws logs tail --log-group-name mygroup", True),
    ("aws logs tail --log-group-name mygroup --follow", True),
    ("aws logs create-log-group --log-group-name newgroup", False),
    ("aws logs delete-log-group --log-group-name mygroup", False),
    (
        "aws logs create-log-stream --log-group-name mygroup --log-stream-name newstream",
        False,
    ),
    (
        "aws logs delete-log-stream --log-group-name mygroup --log-stream-name mystream",
        False,
    ),
    (
        "aws logs put-log-events --log-group-name mygroup --log-stream-name mystream --log-events ...",
        False,
    ),
    (
        "aws logs put-retention-policy --log-group-name mygroup --retention-in-days 30",
        False,
    ),
    ("aws logs delete-retention-policy --log-group-name mygroup", False),
    (
        "aws logs put-metric-filter --log-group-name mygroup --filter-name myfilter --filter-pattern ERROR --metric-transformations ...",
        False,
    ),
    (
        "aws logs delete-metric-filter --log-group-name mygroup --filter-name myfilter",
        False,
    ),
    # aws cloudwatch - CloudWatch Metrics/Alarms
    ("aws cloudwatch list-metrics", True),
    ("aws cloudwatch list-metrics --namespace AWS/EC2", True),
    ("aws cloudwatch list-dashboards", True),
    ("aws cloudwatch list-tags-for-resource --resource-arn arn", True),
    ("aws cloudwatch describe-alarms", True),
    ("aws cloudwatch describe-alarms --alarm-names myalarm", True),
    (
        "aws cloudwatch describe-alarms-for-metric --metric-name CPUUtilization --namespace AWS/EC2",
        True,
    ),
    ("aws cloudwatch describe-alarm-history --alarm-name myalarm", True),
    ("aws cloudwatch describe-anomaly-detectors", True),
    ("aws cloudwatch describe-insight-rules", True),
    ("aws cloudwatch get-dashboard --dashboard-name mydash", True),
    (
        "aws cloudwatch get-metric-data --metric-data-queries file://queries.json --start-time 2023-01-01 --end-time 2023-01-02",
        True,
    ),
    (
        "aws cloudwatch get-metric-statistics --namespace AWS/EC2 --metric-name CPUUtilization --start-time 2023-01-01 --end-time 2023-01-02 --period 3600 --statistics Average",
        True,
    ),
    ("aws cloudwatch get-metric-widget-image --metric-widget file://widget.json", True),
    (
        "aws cloudwatch get-insight-rule-report --rule-name myrule --start-time 2023-01-01 --end-time 2023-01-02 --period 3600",
        True,
    ),
    (
        "aws cloudwatch put-metric-alarm --alarm-name newalarm --metric-name CPUUtilization --namespace AWS/EC2 --threshold 80 --comparison-operator GreaterThanThreshold --evaluation-periods 2 --period 300 --statistic Average",
        False,
    ),
    ("aws cloudwatch delete-alarms --alarm-names myalarm", False),
    (
        "aws cloudwatch put-dashboard --dashboard-name mydash --dashboard-body file://dash.json",
        False,
    ),
    ("aws cloudwatch delete-dashboards --dashboard-names mydash", False),
    (
        "aws cloudwatch put-metric-data --namespace MyNamespace --metric-name MyMetric --value 1",
        False,
    ),
    ("aws cloudwatch enable-alarm-actions --alarm-names myalarm", False),
    ("aws cloudwatch disable-alarm-actions --alarm-names myalarm", False),
    (
        "aws cloudwatch set-alarm-state --alarm-name myalarm --state-value OK --state-reason testing",
        False,
    ),
    # aws secretsmanager - Secrets Manager
    ("aws secretsmanager list-secrets", True),
    ("aws secretsmanager list-secrets --filters Key=name,Values=prod", True),
    ("aws secretsmanager list-secret-version-ids --secret-id mysecret", True),
    ("aws secretsmanager describe-secret --secret-id mysecret", True),
    ("aws secretsmanager get-resource-policy --secret-id mysecret", True),
    (
        "aws secretsmanager get-secret-value --secret-id mysecret",
        False,
    ),  # returns the plaintext secret, so even this read requires confirmation
    (
        "aws secretsmanager get-secret-value --secret-id mysecret --version-stage AWSCURRENT",
        False,
    ),
    (
        "aws secretsmanager create-secret --name newsecret --secret-string 'myvalue'",
        False,
    ),
    ("aws secretsmanager delete-secret --secret-id mysecret", False),
    (
        "aws secretsmanager delete-secret --secret-id mysecret --force-delete-without-recovery",
        False,
    ),
    (
        "aws secretsmanager update-secret --secret-id mysecret --secret-string 'newvalue'",
        False,
    ),
    (
        "aws secretsmanager put-secret-value --secret-id mysecret --secret-string 'value'",
        False,
    ),
    ("aws secretsmanager rotate-secret --secret-id mysecret", False),
    ("aws secretsmanager restore-secret --secret-id mysecret", False),
    (
        "aws secretsmanager tag-resource --secret-id mysecret --tags Key=env,Value=prod",
        False,
    ),
    (
        "aws secretsmanager put-resource-policy --secret-id mysecret --resource-policy file://policy.json",
        False,
    ),
    # aws sqs - Simple Queue Service
    ("aws sqs list-queues", True),
    ("aws sqs list-queues --queue-name-prefix prod", True),
    ("aws sqs list-queue-tags --queue-url https://sqs...", True),
    ("aws sqs list-dead-letter-source-queues --queue-url https://sqs...", True),
    ("aws sqs get-queue-url --queue-name myqueue", True),
    (
        "aws sqs get-queue-attributes --queue-url https://sqs... --attribute-names All",
        True,
    ),
    ("aws sqs receive-message --queue-url https://sqs...", True),
    (
        "aws sqs receive-message --queue-url https://sqs... --max-number-of-messages 10",
        True,
    ),
    ("aws sqs create-queue --queue-name newqueue", False),
    ("aws sqs delete-queue --queue-url https://sqs...", False),
    ("aws sqs purge-queue --queue-url https://sqs...", False),
    ("aws sqs send-message --queue-url https://sqs... --message-body hello", False),
    (
        "aws sqs send-message-batch --queue-url https://sqs... --entries file://entries.json",
        False,
    ),
    (
        "aws sqs delete-message --queue-url https://sqs... --receipt-handle handle",
        False,
    ),
    (
        "aws sqs delete-message-batch --queue-url https://sqs... --entries file://entries.json",
        False,
    ),
    (
        "aws sqs set-queue-attributes --queue-url https://sqs... --attributes file://attrs.json",
        False,
    ),
    (
        "aws sqs add-permission --queue-url https://sqs... --label perm --aws-account-ids 123 --actions SendMessage",
        False,
    ),
    ("aws sqs remove-permission --queue-url https://sqs... --label perm", False),
    ("aws sqs tag-queue --queue-url https://sqs... --tags env=prod", False),
    # aws sns - Simple Notification Service
    ("aws sns list-topics", True),
    ("aws sns list-subscriptions", True),
    ("aws sns list-subscriptions-by-topic --topic-arn arn", True),
    ("aws sns list-platform-applications", True),
    (
        "aws sns list-endpoints-by-platform-application --platform-application-arn arn",
        True,
    ),
    ("aws sns list-phone-numbers-opted-out", True),
    ("aws sns list-origination-numbers", True),
    ("aws sns list-sms-sandbox-phone-numbers", True),
    ("aws sns list-tags-for-resource --resource-arn arn", True),
    ("aws sns get-topic-attributes --topic-arn arn", True),
    ("aws sns get-subscription-attributes --subscription-arn arn", True),
    ("aws sns get-sms-attributes", True),
    ("aws sns get-sms-sandbox-account-status", True),
    ("aws sns get-endpoint-attributes --endpoint-arn arn", True),
    (
        "aws sns get-platform-application-attributes --platform-application-arn arn",
        True,
    ),
    ("aws sns get-data-protection-policy --resource-arn arn", True),
    ("aws sns check-if-phone-number-is-opted-out --phone-number +1234567890", True),
    ("aws sns create-topic --name newtopic", False),
    ("aws sns delete-topic --topic-arn arn", False),
    (
        "aws sns subscribe --topic-arn arn --protocol email --notification-endpoint email@example.com",
        False,
    ),
    ("aws sns unsubscribe --subscription-arn arn", False),
    ("aws sns confirm-subscription --topic-arn arn --token token", False),
    ("aws sns publish --topic-arn arn --message hello", False),
    ("aws sns publish --phone-number +1234567890 --message hello", False),
    (
        "aws sns set-topic-attributes --topic-arn arn --attribute-name DisplayName --attribute-value name",
        False,
    ),
    (
        "aws sns set-subscription-attributes --subscription-arn arn --attribute-name RawMessageDelivery --attribute-value true",
        False,
    ),
    (
        "aws sns add-permission --topic-arn arn --label perm --aws-account-id 123 --action-name Publish",
        False,
    ),
    ("aws sns remove-permission --topic-arn arn --label perm", False),
    ("aws sns tag-resource --resource-arn arn --tags Key=env,Value=prod", False),
    # aws kinesis - Kinesis Data Streams
    ("aws kinesis list-streams", True),
    ("aws kinesis list-shards --stream-name mystream", True),
    ("aws kinesis list-stream-consumers --stream-arn arn", True),
    ("aws kinesis list-tags-for-stream --stream-name mystream", True),
    ("aws kinesis describe-stream --stream-name mystream", True),
    ("aws kinesis describe-stream-summary --stream-name mystream", True),
    (
        "aws kinesis describe-stream-consumer --stream-arn arn --consumer-name consumer",
        True,
    ),
    ("aws kinesis describe-limits", True),
    (
        "aws kinesis get-shard-iterator --stream-name mystream --shard-id shardId-000 --shard-iterator-type TRIM_HORIZON",
        True,
    ),
    ("aws kinesis get-records --shard-iterator iter", True),
    ("aws kinesis create-stream --stream-name newstream --shard-count 1", False),
    ("aws kinesis delete-stream --stream-name mystream", False),
    (
        "aws kinesis put-record --stream-name mystream --partition-key key --data data",
        False,
    ),
    (
        "aws kinesis put-records --stream-name mystream --records file://records.json",
        False,
    ),
    (
        "aws kinesis split-shard --stream-name mystream --shard-to-split shardId-000 --new-starting-hash-key 123",
        False,
    ),
    (
        "aws kinesis merge-shards --stream-name mystream --shard-to-merge shardId-000 --adjacent-shard-to-merge shardId-001",
        False,
    ),
    (
        "aws kinesis increase-stream-retention-period --stream-name mystream --retention-period-hours 48",
        False,
    ),
    (
        "aws kinesis decrease-stream-retention-period --stream-name mystream --retention-period-hours 24",
        False,
    ),
    (
        "aws kinesis register-stream-consumer --stream-arn arn --consumer-name consumer",
        False,
    ),
    (
        "aws kinesis deregister-stream-consumer --stream-arn arn --consumer-name consumer",
        False,
    ),
    (
        "aws kinesis update-shard-count --stream-name mystream --target-shard-count 2 --scaling-type UNIFORM_SCALING",
        False,
    ),
    # aws route53 - Route 53 DNS
    ("aws route53 list-hosted-zones", True),
    ("aws route53 list-hosted-zones-by-name", True),
    ("aws route53 list-resource-record-sets --hosted-zone-id Z123", True),
    ("aws route53 list-health-checks", True),
    ("aws route53 list-query-logging-configs", True),
    ("aws route53 list-traffic-policies", True),
    ("aws route53 list-traffic-policy-instances", True),
    ("aws route53 list-vpc-association-authorizations --hosted-zone-id Z123", True),
    (
        "aws route53 list-tags-for-resource --resource-type hostedzone --resource-id Z123",
        True,
    ),
    (
        "aws route53 list-tags-for-resources --resource-type hostedzone --resource-ids Z123",
        True,
    ),
    ("aws route53 list-reusable-delegation-sets", True),
    ("aws route53 list-geo-locations", True),
    ("aws route53 list-cidr-collections", True),
    ("aws route53 list-cidr-blocks --collection-id col", True),
    ("aws route53 list-cidr-locations --collection-id col", True),
    ("aws route53 get-hosted-zone --id Z123", True),
    ("aws route53 get-hosted-zone-count", True),
    ("aws route53 get-health-check --health-check-id hc123", True),
    ("aws route53 get-health-check-count", True),
    ("aws route53 get-health-check-status --health-check-id hc123", True),
    ("aws route53 get-health-check-last-failure-reason --health-check-id hc123", True),
    ("aws route53 get-geo-location --continent-code EU", True),
    ("aws route53 get-change --id C123", True),
    ("aws route53 get-checker-ip-ranges", True),
    ("aws route53 get-dns-sec --hosted-zone-id Z123", True),
    ("aws route53 get-query-logging-config --id qlc123", True),
    ("aws route53 get-reusable-delegation-set --id N123", True),
    ("aws route53 get-traffic-policy --id tp123 --version 1", True),
    ("aws route53 get-traffic-policy-instance --id tpi123", True),
    ("aws route53 get-traffic-policy-instance-count", True),
    (
        "aws route53 test-dns-answer --hosted-zone-id Z123 --record-name example.com --record-type A",
        True,
    ),
    ("aws route53 create-hosted-zone --name example.com --caller-reference ref", False),
    ("aws route53 delete-hosted-zone --id Z123", False),
    (
        "aws route53 change-resource-record-sets --hosted-zone-id Z123 --change-batch file://changes.json",
        False,
    ),
    (
        "aws route53 create-health-check --caller-reference ref --health-check-config file://config.json",
        False,
    ),
    ("aws route53 delete-health-check --health-check-id hc123", False),
    ("aws route53 update-health-check --health-check-id hc123 --port 443", False),
    (
        "aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z123 --vpc VPCRegion=us-east-1,VPCId=vpc-123",
        False,
    ),
    (
        "aws route53 disassociate-vpc-from-hosted-zone --hosted-zone-id Z123 --vpc VPCRegion=us-east-1,VPCId=vpc-123",
        False,
    ),
    # aws cognito-idp - Cognito User Pools
    ("aws cognito-idp list-user-pools --max-results 10", True),
    ("aws cognito-idp list-users --user-pool-id us-east-1_abc123", True),
    (
        "aws cognito-idp list-users --user-pool-id us-east-1_abc123 --filter 'email = \"user@example.com\"'",
        True,
    ),
    ("aws cognito-idp list-groups --user-pool-id us-east-1_abc123", True),
    (
        "aws cognito-idp list-users-in-group --user-pool-id us-east-1_abc123 --group-name mygroup",
        True,
    ),
    ("aws cognito-idp list-user-pool-clients --user-pool-id us-east-1_abc123", True),
    ("aws cognito-idp list-identity-providers --user-pool-id us-east-1_abc123", True),
    ("aws cognito-idp list-resource-servers --user-pool-id us-east-1_abc123", True),
    ("aws cognito-idp list-tags-for-resource --resource-arn arn", True),
    ("aws cognito-idp describe-user-pool --user-pool-id us-east-1_abc123", True),
    (
        "aws cognito-idp describe-user-pool-client --user-pool-id us-east-1_abc123 --client-id clientid",
        True,
    ),
    (
        "aws cognito-idp describe-identity-provider --user-pool-id us-east-1_abc123 --provider-name Google",
        True,
    ),
    (
        "aws cognito-idp describe-resource-server --user-pool-id us-east-1_abc123 --identifier myrs",
        True,
    ),
    (
        "aws cognito-idp describe-user-import-job --user-pool-id us-east-1_abc123 --job-id jobid",
        True,
    ),
    ("aws cognito-idp get-user-pool-mfa-config --user-pool-id us-east-1_abc123", True),
    (
        "aws cognito-idp get-group --user-pool-id us-east-1_abc123 --group-name mygroup",
        True,
    ),
    ("aws cognito-idp get-ui-customization --user-pool-id us-east-1_abc123", True),
    ("aws cognito-idp get-csv-header --user-pool-id us-east-1_abc123", True),
    ("aws cognito-idp get-signing-certificate --user-pool-id us-east-1_abc123", True),
    (
        "aws cognito-idp admin-get-user --user-pool-id us-east-1_abc123 --username myuser",
        True,
    ),
    (
        "aws cognito-idp admin-list-groups-for-user --user-pool-id us-east-1_abc123 --username myuser",
        True,
    ),
    (
        "aws cognito-idp admin-list-user-auth-events --user-pool-id us-east-1_abc123 --username myuser",
        True,
    ),
    (
        "aws cognito-idp admin-list-devices --user-pool-id us-east-1_abc123 --username myuser",
        True,
    ),
    ("aws cognito-idp create-user-pool --pool-name newpool", False),
    ("aws cognito-idp delete-user-pool --user-pool-id us-east-1_abc123", False),
    (
        "aws cognito-idp update-user-pool --user-pool-id us-east-1_abc123 --auto-verified-attributes email",
        False,
    ),
    (
        "aws cognito-idp admin-create-user --user-pool-id us-east-1_abc123 --username newuser",
        False,
    ),
    (
        "aws cognito-idp admin-delete-user --user-pool-id us-east-1_abc123 --username myuser",
        False,
    ),
    (
        "aws cognito-idp admin-set-user-password --user-pool-id us-east-1_abc123 --username myuser --password pass --permanent",
        False,
    ),
    (
        "aws cognito-idp admin-confirm-sign-up --user-pool-id us-east-1_abc123 --username myuser",
        False,
    ),
    (
        "aws cognito-idp admin-enable-user --user-pool-id us-east-1_abc123 --username myuser",
        False,
    ),
    (
        "aws cognito-idp admin-disable-user --user-pool-id us-east-1_abc123 --username myuser",
        False,
    ),
    (
        "aws cognito-idp admin-add-user-to-group --user-pool-id us-east-1_abc123 --username myuser --group-name mygroup",
        False,
    ),
    (
        "aws cognito-idp admin-remove-user-from-group --user-pool-id us-east-1_abc123 --username myuser --group-name mygroup",
        False,
    ),
    (
        "aws cognito-idp admin-reset-user-password --user-pool-id us-east-1_abc123 --username myuser",
        False,
    ),
    (
        "aws cognito-idp create-group --user-pool-id us-east-1_abc123 --group-name newgroup",
        False,
    ),
    (
        "aws cognito-idp delete-group --user-pool-id us-east-1_abc123 --group-name mygroup",
        False,
    ),
    # aws ssm - Systems Manager
    ("aws ssm list-commands", True),
    ("aws ssm list-command-invocations --command-id cmd123", True),
    ("aws ssm list-documents", True),
    ("aws ssm list-document-versions --name mydoc", True),
    ("aws ssm list-associations", True),
    ("aws ssm list-association-versions --association-id assoc123", True),
    (
        "aws ssm list-inventory-entries --instance-id i-123 --type-name AWS:Application",
        True,
    ),
    ("aws ssm list-resource-compliance-summaries", True),
    (
        "aws ssm list-compliance-items --resource-ids i-123 --resource-types ManagedInstance",
        True,
    ),
    ("aws ssm list-compliance-summaries", True),
    (
        "aws ssm list-tags-for-resource --resource-type Document --resource-id mydoc",
        True,
    ),
    ("aws ssm describe-instance-information", True),
    (
        "aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=i-123",
        True,
    ),
    ("aws ssm describe-parameters", True),
    ("aws ssm describe-document --name mydoc", True),
    ("aws ssm describe-automation-executions", True),
    (
        "aws ssm describe-automation-step-executions --automation-execution-id exec123",
        True,
    ),
    ("aws ssm describe-maintenance-windows", True),
    ("aws ssm describe-maintenance-window-executions --window-id mw-123", True),
    ("aws ssm describe-patch-baselines", True),
    ("aws ssm describe-patch-groups", True),
    ("aws ssm describe-patch-group-state --patch-group mygroup", True),
    ("aws ssm describe-instance-patches --instance-id i-123", True),
    ("aws ssm describe-instance-patch-states --instance-ids i-123", True),
    (
        "aws ssm describe-effective-patches-for-patch-baseline --baseline-id pb-123",
        True,
    ),
    ("aws ssm describe-ops-items", True),
    ("aws ssm describe-sessions --state Active", True),
    ("aws ssm get-parameter --name /my/param", True),
    (
        "aws ssm get-parameter --name /my/param --with-decryption",
        False,
    ),  # decryption could expose secrets
    ("aws ssm get-parameters --names /my/param1 /my/param2", True),
    ("aws ssm get-parameters --names /my/param1 --with-decryption", False),
    ("aws ssm get-parameters-by-path --path /my/path", True),
    ("aws ssm get-parameters-by-path --path /my/path --with-decryption", False),
    ("aws ssm get-parameter-history --name /my/param", True),
    ("aws ssm get-parameter-history --name /my/param --with-decryption", False),
    ("aws ssm get-document --name mydoc", True),
    ("aws ssm get-command-invocation --command-id cmd123 --instance-id i-123", True),
    ("aws ssm get-automation-execution --automation-execution-id exec123", True),
    ("aws ssm get-maintenance-window --window-id mw-123", True),
    ("aws ssm get-maintenance-window-execution --window-execution-id we-123", True),
    ("aws ssm get-patch-baseline --baseline-id pb-123", True),
    ("aws ssm get-ops-item --ops-item-id oi-123", True),
    ("aws ssm get-inventory-schema", True),
    ("aws ssm get-connection-status --target i-123", True),
    ("aws ssm put-parameter --name /my/param --value myvalue --type String", False),
    (
        "aws ssm put-parameter --name /my/param --value myvalue --type SecureString",
        False,
    ),
    ("aws ssm delete-parameter --name /my/param", False),
    ("aws ssm delete-parameters --names /my/param1 /my/param2", False),
    (
        "aws ssm send-command --instance-ids i-123 --document-name AWS-RunShellScript --parameters commands=ls",
        False,
    ),
    ("aws ssm start-automation-execution --document-name mydoc", False),
    ("aws ssm stop-automation-execution --automation-execution-id exec123", False),
    ("aws ssm cancel-command --command-id cmd123", False),
    (
        "aws ssm create-document --name newdoc --content file://doc.json --document-type Command",
        False,
    ),
    ("aws ssm delete-document --name mydoc", False),
    (
        "aws ssm update-document --name mydoc --content file://doc.json --document-version '$LATEST'",
        False,
    ),
    ("aws ssm start-session --target i-123", False),
    ("aws ssm terminate-session --session-id sess123", False),
    # aws configure - AWS CLI configuration (not the service)
    ("aws configure list", True),
    ("aws configure list-profiles", True),
    ("aws configure get region", True),
    ("aws configure get aws_access_key_id", True),
    ("aws configure set region us-east-1", False),
    ("aws configure set aws_access_key_id AKIA...", False),
    ("aws configure sso", False),
    ("aws configure sso-session", False),
    ("aws configure import --csv file://creds.csv", False),
    ("aws configure export-credentials", False),
    # aws athena - Interactive query service for S3
    ("aws athena list-databases --catalog-name AwsDataCatalog", True),
    ("aws athena list-data-catalogs", True),
    ("aws athena list-engine-versions", True),
    ("aws athena list-named-queries", True),
    ("aws athena list-named-queries --work-group primary", True),
    ("aws athena list-query-executions", True),
    ("aws athena list-query-executions --work-group primary", True),
    ("aws athena list-prepared-statements --work-group primary", True),
    ("aws athena list-work-groups", True),
    ("aws athena list-table-metadata --catalog-name cat --database-name db", True),
    ("aws athena list-tags-for-resource --resource-arn arn:aws:athena:...", True),
    ("aws athena list-capacity-reservations", True),
    ("aws athena list-calculation-executions --session-id sess", True),
    ("aws athena list-executors --session-id sess", True),
    ("aws athena list-notebook-metadata --work-group primary", True),
    ("aws athena list-notebook-sessions --notebook-id nb", True),
    ("aws athena list-sessions --work-group primary --state-filter IDLE", True),
    ("aws athena list-application-dpu-sizes", True),
    (
        "aws athena get-database --catalog-name AwsDataCatalog --database-name mydb",
        True,
    ),
    ("aws athena get-data-catalog --name AwsDataCatalog", True),
    ("aws athena get-named-query --named-query-id abc123", True),
    (
        "aws athena get-prepared-statement --statement-name stmt --work-group primary",
        True,
    ),
    ("aws athena get-query-execution --query-execution-id abc123", True),
    ("aws athena get-query-results --query-execution-id abc123", True),
    (
        "aws athena get-query-results --query-execution-id abc123 --max-results 100",
        True,
    ),
    ("aws athena get-query-runtime-statistics --query-execution-id abc123", True),
    (
        "aws athena get-table-metadata --catalog-name cat --database-name db --table-name tbl",
        True,
    ),
    ("aws athena get-work-group --work-group primary", True),
    ("aws athena get-capacity-reservation --name myreservation", True),
    (
        "aws athena get-capacity-assignment-configuration --capacity-reservation-name res",
        True,
    ),
    ("aws athena get-calculation-execution --calculation-execution-id calc", True),
    ("aws athena get-calculation-execution-code --calculation-execution-id calc", True),
    (
        "aws athena get-calculation-execution-status --calculation-execution-id calc",
        True,
    ),
    ("aws athena get-notebook-metadata --notebook-id nb", True),
    ("aws athena get-session --session-id sess", True),
    ("aws athena get-session-status --session-id sess", True),
    ("aws athena batch-get-named-query --named-query-ids abc123 def456", True),
    ("aws athena batch-get-query-execution --query-execution-ids abc123 def456", True),
    (
        "aws athena batch-get-prepared-statement --prepared-statement-names stmt1 stmt2 --work-group primary",
        True,
    ),
    # Athena start-query-execution - read-only SQL is approved
    (
        "aws athena start-query-execution --query-string 'SELECT * FROM tbl' --work-group primary",
        True,
    ),
    (
        "aws athena start-query-execution --query-string 'SELECT 1' --result-configuration OutputLocation=s3://bucket/",
        True,
    ),
    # Athena - read-only keywords
    (
        "aws athena start-query-execution --query-string 'select * from foo'",
        True,
    ),  # lowercase
    ("aws athena start-query-execution --query-string 'SHOW DATABASES'", True),
    ("aws athena start-query-execution --query-string 'SHOW TABLES'", True),
    ("aws athena start-query-execution --query-string 'SHOW PARTITIONS tbl'", True),
    ("aws athena start-query-execution --query-string 'DESCRIBE tbl'", True),
    ("aws athena start-query-execution --query-string 'DESCRIBE FORMATTED tbl'", True),
    ("aws athena start-query-execution --query-string 'EXPLAIN SELECT 1'", True),
    (
        "aws athena start-query-execution --query-string 'EXPLAIN ANALYZE SELECT 1'",
        True,
    ),
    # Athena - WITH (CTE) followed by SELECT is read-only
    (
        "aws athena start-query-execution --query-string 'WITH cte AS (SELECT 1) SELECT * FROM cte'",
        True,
    ),
    (
        "aws athena start-query-execution --query-string '  WITH x AS (SELECT 1) SELECT * FROM x'",
        True,
    ),
    # Athena - comments before SELECT
    ("aws athena start-query-execution --query-string '-- comment\nSELECT 1'", True),
    ("aws athena start-query-execution --query-string '/* block */ SELECT 1'", True),
    (
        "aws athena start-query-execution --query-string '  -- comment\n  /* block */  SELECT 1'",
        True,
    ),
    # Athena - --query-string= syntax
    (
        "aws athena start-query-execution --query-string=SELECT * FROM tbl --work-group primary",
        True,
    ),
    # Athena start-query-execution - DDL requires confirmation
    (
        "aws athena start-query-execution --query-string 'CREATE TABLE foo (id INT)'",
        False,
    ),
    (
        "aws athena start-query-execution --query-string 'CREATE EXTERNAL TABLE foo (id INT)'",
        False,
    ),
    (
        "aws athena start-query-execution --query-string 'CREATE TABLE foo AS SELECT 1'",
        False,
    ),  # CTAS
    (
        "aws athena start-query-execution --query-string 'ALTER TABLE foo ADD COLUMNS (bar STRING)'",
        False,
    ),
    ("aws athena start-query-execution --query-string 'DROP TABLE foo'", False),
    ("aws athena start-query-execution --query-string 'DROP DATABASE mydb'", False),
    ("aws athena start-query-execution --query-string 'TRUNCATE TABLE foo'", False),
    ("aws athena start-query-execution --query-string 'MSCK REPAIR TABLE foo'", False),
    # Athena start-query-execution - DML requires confirmation
    (
        "aws athena start-query-execution --query-string 'INSERT INTO foo SELECT * FROM bar'",
        False,
    ),
    (
        "aws athena start-query-execution --query-string 'INSERT INTO foo VALUES (1, 2)'",
        False,
    ),
    (
        "aws athena start-query-execution --query-string 'DELETE FROM foo WHERE id = 1'",
        False,
    ),
    ("aws athena start-query-execution --query-string 'UPDATE foo SET bar = 1'", False),
    (
        "aws athena start-query-execution --query-string 'MERGE INTO foo USING bar ON ...'",
        False,
    ),
    # Athena start-query-execution - other mutations
    ("aws athena start-query-execution --query-string 'VACUUM foo'", False),
    (
        "aws athena start-query-execution --query-string 'UNLOAD (SELECT * FROM foo) TO s3://bucket/'",
        False,
    ),
    (
        "aws athena start-query-execution --query-string 'GRANT SELECT ON foo TO user'",
        False,
    ),
    (
        "aws athena start-query-execution --query-string 'REVOKE SELECT ON foo FROM user'",
        False,
    ),
    # Athena start-query-execution - WITH followed by INSERT is NOT read-only
    (
        "aws athena start-query-execution --query-string 'WITH cte AS (SELECT 1) INSERT INTO foo SELECT * FROM cte'",
        False,
    ),
    # Athena start-query-execution - unknown/unparseable requires confirmation
    ("aws athena start-query-execution --query-string 'CALL some_procedure()'", False),
    ("aws athena start-query-execution --query-string ''", False),  # empty
    ("aws athena start-query-execution --query-string '   '", False),  # whitespace only
    ("aws athena start-query-execution --query-string '-- just a comment'", False),
    # Athena start-query-execution - no query string provided
    ("aws athena start-query-execution --work-group primary", False),
    # Athena - other mutations require confirmation
    ("aws athena stop-query-execution --query-execution-id abc123", False),
    (
        "aws athena start-session --work-group primary --engine-configuration file://config.json",
        False,
    ),
    (
        "aws athena start-calculation-execution --session-id sess --code-block 'print(1)'",
        False,
    ),
    ("aws athena stop-calculation-execution --calculation-execution-id calc", False),
    ("aws athena terminate-session --session-id sess", False),
    ("aws athena create-work-group --name newworkgroup", False),
    ("aws athena delete-work-group --work-group myworkgroup", False),
    ("aws athena update-work-group --work-group myworkgroup --state ENABLED", False),
    (
        "aws athena create-named-query --name myquery --database mydb --query-string 'SELECT 1'",
        False,
    ),
    ("aws athena delete-named-query --named-query-id abc123", False),
    (
        "aws athena create-prepared-statement --statement-name stmt --work-group primary --query-statement 'SELECT ?'",
        False,
    ),
    (
        "aws athena delete-prepared-statement --statement-name stmt --work-group primary",
        False,
    ),
    (
        "aws athena update-prepared-statement --statement-name stmt --work-group primary --query-statement 'SELECT ?'",
        False,
    ),
    (
        "aws athena create-data-catalog --name mycat --type HIVE --parameters metadata-function=...",
        False,
    ),
    ("aws athena delete-data-catalog --name mycat", False),
    ("aws athena update-data-catalog --name mycat --type HIVE", False),
    ("aws athena create-notebook --work-group primary --name mynotebook", False),
    ("aws athena delete-notebook --notebook-id nb", False),
    ("aws athena update-notebook --notebook-id nb --payload file://nb.json", False),
    ("aws athena update-notebook-metadata --notebook-id nb --name newname", False),
    (
        "aws athena import-notebook --work-group primary --name imported --payload file://nb.json",
        False,
    ),
    ("aws athena export-notebook --notebook-id nb", False),
    ("aws athena create-capacity-reservation --name myres --target-dpus 24", False),
    ("aws athena cancel-capacity-reservation --name myres", False),
    ("aws athena delete-capacity-reservation --name myres", False),
    ("aws athena update-capacity-reservation --name myres --target-dpus 48", False),
    (
        "aws athena put-capacity-assignment-configuration --capacity-reservation-name res --capacity-assignments file://a.json",
        False,
    ),
    (
        "aws athena tag-resource --resource-arn arn:aws:athena:... --tags Key=env,Value=prod",
        False,
    ),
    (
        "aws athena untag-resource --resource-arn arn:aws:athena:... --tag-keys env",
        False,
    ),
    # aws help
    ("aws help", True),
    ("aws ec2 help", True),
    ("aws ec2 describe-instances help", True),
    ("aws s3 help", True),
    ("aws iam help", True),
]


@pytest.mark.parametrize("command,expected", TESTS)
def test_aws(check, command: str, expected: bool) -> None:
    """Assert that ``command`` gets the verdict recorded for it in ``TESTS``.

    ``check`` is the conftest fixture that runs the safety classifier on a
    command line and returns its decision.  ``expected`` is ``True`` when the
    command must be auto-approved (read-only / informational) and ``False``
    when it must be held for confirmation (mutating, credential-exposing, or
    unclassifiable).  Only one of the two predicates from conftest is applied,
    chosen by ``expected``.
    """
    result = check(command)
    # Pick the predicate and the wording of the failure message together so
    # they cannot drift apart.
    predicate, verdict = (
        (is_approved, "approved") if expected else (needs_confirmation, "confirmation")
    )
    assert predicate(result), f"Expected {verdict} for: {command}"


# Athena description tests - verify reason messages include SQL classification.
# Every case except the last runs through `start-query-execution --query-string`,
# so the command prefix is shared and only the SQL text varies.
_ATHENA_QUERY_CMD = "aws athena start-query-execution --query-string"

# Statements the classifier must label read-only (plain reads, metadata
# inspection, EXPLAIN, and a CTE that ends in a SELECT).
_READ_ONLY_SQL = [
    "SELECT 1",
    "SHOW TABLES",
    "DESCRIBE foo",
    "EXPLAIN SELECT 1",
    "WITH x AS (SELECT 1) SELECT * FROM x",
]

# Statements the classifier must label as writes (DML, DDL, and a CTE whose
# final statement is an INSERT).
_WRITE_SQL = [
    "INSERT INTO foo VALUES (1)",
    "CREATE TABLE foo (id INT)",
    "DROP TABLE foo",
    "DELETE FROM foo",
    "WITH x AS (SELECT 1) INSERT INTO foo SELECT * FROM x",
]

ATHENA_DESCRIPTION_TESTS = [
    # Read-only SQL: the reason string carries a "(read-only)" suffix
    *[(f"{_ATHENA_QUERY_CMD} '{sql}'", "(read-only)") for sql in _READ_ONLY_SQL],
    # Mutating SQL: the reason string carries a "(write)" suffix
    *[(f"{_ATHENA_QUERY_CMD} '{sql}'", "(write)") for sql in _WRITE_SQL],
    # Unclassifiable SQL or no query string at all: no classification suffix,
    # only the subcommand name is expected in the reason
    (f"{_ATHENA_QUERY_CMD} 'CALL proc()'", "start-query-execution"),
    ("aws athena start-query-execution --work-group primary", "start-query-execution"),
]


@pytest.mark.parametrize("command,expected_suffix", ATHENA_DESCRIPTION_TESTS)
def test_athena_descriptions(check, command: str, expected_suffix: str) -> None:
    """Check that the permission reason for an Athena command carries the SQL classification.

    ``check`` (conftest fixture) returns the hook decision for ``command``; the
    human-readable reason is read from
    ``result["hookSpecificOutput"]["permissionDecisionReason"]``.  The test
    only asserts that ``expected_suffix`` occurs somewhere in that reason, so
    for the "no suffix" cases it verifies the subcommand name is present, not
    that a classification suffix is absent.
    """
    hook_output = check(command)["hookSpecificOutput"]
    reason = hook_output["permissionDecisionReason"]
    failure = f"Expected '{expected_suffix}' in reason '{reason}' for: {command}"
    assert expected_suffix in reason, failure
