{"id":13680563,"url":"https://github.com/cyberark/SkyWrapper","last_synced_at":"2025-04-29T23:32:10.591Z","repository":{"id":53530652,"uuid":"210603207","full_name":"cyberark/SkyWrapper","owner":"cyberark","description":"SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS","archived":false,"fork":false,"pushed_at":"2021-03-25T23:23:12.000Z","size":35,"stargazers_count":104,"open_issues_count":1,"forks_count":13,"subscribers_count":30,"default_branch":"master","last_synced_at":"2024-04-16T00:16:28.857Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-24T12:56:22.000Z","updated_at":"2023-09-28T11:06:31.000Z","dependencies_parsed_at":"2022-09-09T08:41:37.450Z","dependency_job_id":null,"html_url":"https://github.com/cyberark/SkyWrapper","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyWrapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyWrapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyWrapper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FSkyWrapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/SkyWrapper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251600628,"owners_count":21615748,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:18.557Z","updated_at":"2025-04-29T23:32:10.214Z","avatar_url":"https://github.com/cyberark.png","language":"Python","funding_links":[],"categories":["Python","Infrastructure"],"sub_categories":[],"readme":"![SkyWrapper](https://raw.githubusercontent.com/omer-ts/Images/master/skywrapper.png)\n\n![GitHub release](https://img.shields.io/badge/version-1.0-blue)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://choosealicense.com/licenses/mit/)\n## Overview\n\nSkyWrapper is an open-source project which analyzes behaviors of temporary tokens created in a given AWS account.\nThe tool is aiming to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account.\nThe tool analyzes the AWS account, and creating an excel sheet includes all the currently living temporary tokens.\nA summary of the finding printed to the screen after each run.\n\nSkyWrapper DEMO:\n\n![SkyWrapper](https://raw.githubusercontent.com/omer-ts/Images/master/skywrapper_demo.gif)\n\n---\n\n## Usage\n\n1. Fill the required data in the **config** file\n2. Make sure your users have the satisfied permissions for running the script (You can check this in the IAM at the summary page of the user)\n3. Run the python script\n```bash\npython SkyWrapper.py\n```\n\n## Permissions\n\nFor running this script, you will need at least the following permissions policy:\n```\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"S3TrailBucketPermissions\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"s3:GetObject\",\n                \"s3:ListBucketMultipartUploads\",\n                \"s3:ListBucket\",\n                \"s3:GetBucketLocation\",\n                \"s3:ListMultipartUploadParts\"\n            ],\n            \"Resource\": [\n                \"arn:aws:s3:::{cloudtrail_bucket_name}/*\",\n                \"arn:aws:s3:::{cloudtrail_bucket_name}\n            ]\n        },\n        {\n            \"Sid\": \"IAMReadPermissions\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"iam:ListAttachedRolePolicies\",\n                \"iam:ListRolePolicies\",\n                \"iam:GetRolePolicy\",\n                \"iam:GetPolicyVersion\",\n                \"iam:GetPolicy\",\n                \"iam:ListRoles\"\n            ],\n            \"Resource\": [\n                \"arn:aws:iam::*:policy/*\",\n                \"arn:aws:iam::*:role/*\"\n            ]\n        },\n        {\n            \"Sid\": \"GLUEReadWritePermissions\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"glue:CreateTable\",\n                \"glue:CreateDatabase\",\n                \"glue:GetTable\",\n                \"glue:GetDatabase\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Sid\": \"CLOUDTRAILReadPermissions\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"cloudtrail:DescribeTrails\"\n            ],\n            \"Resource\": \"*\"\n        },\n        {\n            \"Sid\": \"ATHENAReadPermissions\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"athena:GetQueryResults\",\n                \"athena:StartQueryExecution\",\n                \"athena:GetQueryExecution\"\n            ],\n            \"Resource\": \"arn:aws:athena:*:*:workgroup/*\"\n        },\n        {\n            \"Sid\": \"S3AthenaResultsBucketPermissions\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"s3:PutObject\",\n                \"s3:GetObject\",\n                \"s3:ListBucketMultipartUploads\",\n                \"s3:CreateBucket\",\n                \"s3:ListBucket\",\n                \"s3:GetBucketLocation\",\n                \"s3:ListMultipartUploadParts\"\n            ],\n            \"Resource\": \"arn:aws:s3:::aws-athena-query-results-*\"\n        }\n    ]\n}\n```\n**Make sure you change the \"{trail_bucket}\" with your trail's bucket name!**\n\nIn case you have more than one trail, which you want to use the script also on them, you have to add them as well to the policy permissions resource section. \n\n## Configuration\n\n**\"config.yaml\"** is the configuration file.\nIn most cases, you can leave the configuration as is. In case you need to change it, the configuration file is documented. \n\n```yaml\nathena: # Athena configuration\n  database_name: default # The name of the database Athena uses for querying the trail bucket.\n  table_name: cloudtrail_logs_{table_name} # The table name of the trail bucket name\n  output_location: s3://aws-athena-query-results-{account_id}-{region}/ # The default output location bucket for the query results\noutput:\n  excel_output_file: run_results_{trail}_{account_id}-{date}.xlsx # Excel results file\n  summary_output_file: run_summary_{trail}_{account_id}-{date}.txt # Summary text results file\nverify_https: True # Enable/ Disable verification of SSL certificates for HTTP requests\naccount:\n    account_id: 0 # The account id - Keep it as 0 in case you don't know it\n    aws_access_key_id: # If you keep it empty, the script will look after the default AWS credentials stored in ~/.aws/credentials\n    aws_secret_access_key: # If you keep it empty, the script will look after the default AWS credentials stored in ~/.aws/credentials\n    aws_session_token: # If you keep it empty, the script will look after the default AWS credentials stored in ~/.aws/credentials\n```\n\n---\n\n## References:\n\nFor more comments, suggestions, or questions, you can contact Omer Tsarfati ([@OmerTsarfati](https://twitter.com/OmerTsarfati)) and CyberArk Labs.\nYou can find more projects developed by us in https://github.com/cyberark/.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FSkyWrapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2FSkyWrapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FSkyWrapper/lists"}