{"id":14959427,"url":"https://github.com/rams3sh/aaia","last_synced_at":"2025-04-06T14:12:48.269Z","repository":{"id":36500929,"uuid":"199247716","full_name":"rams3sh/Aaia","owner":"rams3sh","description":"AWS Identity and Access Management Visualizer and Anomaly Finder","archived":false,"fork":false,"pushed_at":"2024-06-22T05:11:34.000Z","size":422,"stargazers_count":293,"open_issues_count":5,"forks_count":40,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-03-30T12:08:34.218Z","etag":null,"topics":["aws","graph","iam","neo4j","pentesting","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rams3sh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-28T05:45:20.000Z","updated_at":"2025-02-21T14:56:30.000Z","dependencies_parsed_at":"2024-01-03T04:12:59.238Z","dependency_job_id":"8aed14a1-1f01-46c7-97bf-b4eb2755175b","html_url":"https://github.com/rams3sh/Aaia","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rams3sh%2FAaia","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rams3sh%2FAaia/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rams3sh%2FAaia/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rams3sh%2FAaia/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rams3sh","download
_url":"https://codeload.github.com/rams3sh/Aaia/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247492565,"owners_count":20947545,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","graph","iam","neo4j","pentesting","security","security-tools"],"created_at":"2024-09-24T13:19:41.631Z","updated_at":"2025-04-06T14:12:48.249Z","avatar_url":"https://github.com/rams3sh.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NOTE\nThis repository is not under active development. However, I am open to accepting PRs. Aaia still works as there have been no significant changes in terms of the AWS APIs it uses to collect data.\n\n# Aaia\n(A)n(a)lysis of (I)dentity and (A)ccess\n\nNote: The expansion was created after the name was decided :P\n\n\n\n## **What does Aaia do?**\n\nAaia (pronounced as shown [here](https://translate.google.co.in/#view=home\u0026op=translate\u0026sl=ta\u0026tl=en\u0026text=Aaya)) helps in visualizing AWS IAM and Organizations in a graph format with the help of Neo4j. This helps in identifying the outliers easily. Since it is based on Neo4j, one can query the graph using Cypher queries to find the anomalies.\n\nAaia also supports modules to programmatically fetch data from the Neo4j database and process it in a custom fashion. 
This is mostly useful when complex comparisons or logic have to be applied that would not be easy to express in Cypher queries.\n\nAaia was initially intended to be a tool to enumerate privilege escalation possibilities and find loopholes in AWS IAM. It was inspired by the quote by [@JohnLaTwC](https://twitter.com/JohnLaTwC)\n\n\"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.\"\n\n\n\n\n## **Why the name \"Aaia\"?**\n\nAaia in [Tamil](https://en.wikipedia.org/wiki/Tamil_language) means grandma. In general, Aaia knows everything about the family. She can easily connect who is related to whom, and how, and give you the connection within a split second. \nShe is a living graph database. :P \n\nSince \"Aaia\" (this tool) does more or less the same, hence the name.\n\n\n## **Installation**\n\n### Install the Neo4j Database\n\n#### 1. Installation using Docker (Recommended)\n\ni. Install Docker Runtime\n\nCheck the official documentation regarding installation [here](https://docs.docker.com/engine/install/).\n\nii. Run the following Docker command\n```\ndocker run -p 7687:7687 -p 7474:7474 -v `pwd`/neo4j/data:/data -v `pwd`/neo4j/logs:/logs -e NEO4J_AUTH=neo4j/test neo4j:3.5.17\n```\nNote: The above command persists Neo4j data on your disk. Feel free to modify it for your needs and change the auth (the `neo4j/test` credential above is only an example) according to your preference. The credentials provided here must be configured in the `Aaia.conf` file as well.\n\n#### 2. Installation using binary\n\nInstructions [here](https://neo4j.com/docs/operations-manual/current/installation/)\n\nSet up the username, password and Bolt connection URI in the Aaia.conf file. \nAn example format is already given in the Aaia.conf file.\n\n**Note:** \nAaia has been tested with Neo4j v3.5.17. It may work with older versions. \nNeo4j introduced changes in v4.0 and later that have been found to be incompatible with Aaia's current codebase. 
\n\n\n### Install OS dependencies ###\n\n#### Debian :- ####\n\n```\napt-get install awscli jq\n```\n\n#### Red Hat / Fedora / CentOS / Amazon Linux :- ####\n\n```\nyum install awscli jq\n```\n\n#### Note: ####\nThese packages are needed by the Aaia_aws_collector.sh script. Ensure they are present on the base system from which the collector script is run.\n\n### Clone this repository\n```\ngit clone https://github.com/rams3sh/Aaia\ncd Aaia/\n```\n\n### Create a virtual environment\n```\npython3 -m venv env\n```\n\n### Activate the virtual environment\n```\nsource env/bin/activate\n```\n\n**Note:** \nAaia depends on the pyjq library, which is currently not stable on Windows. \nHence Aaia is not supported on Windows. \n\n### Install the dependencies\n\n```\npython -m pip install -r requirements.txt\n```\n\n## **Using Aaia**\n\n### Setting up Permissions in AWS ###\n\nAaia requires the following AWS permissions for the collector script to collect the relevant data from AWS:\n\n```\niam:GenerateCredentialReport\niam:GetCredentialReport\niam:GetAccountAuthorizationDetails\niam:ListUsers\niam:GetUser\niam:ListGroups\niam:ListRoles\niam:GetRole\niam:GetPolicy\niam:GetAccountPasswordPolicy\niam:GetAccountSummary\niam:ListAccountAliases\norganizations:ListAccountsForParent\norganizations:ListOrganizationalUnitsForParent\norganizations:DescribeOrganization\norganizations:ListRoots\norganizations:ListAccounts\norganizations:ListTagsForResource\norganizations:ListPolicies\norganizations:ListTargetsForPolicy\norganizations:DescribePolicy\norganizations:ListAWSServiceAccessForOrganization\n```\n\n\"Organizations\" related permissions can be omitted. 
However, all the above-mentioned \"IAM\" related permissions are necessary.\n\nEnsure the permissions are granted to the user, role or other AWS principal that the collector script will use to collect data.\n\n\n\n### Collecting data from AWS\n\nEnsure you have AWS credentials configured.\nRefer [this](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) for help.\n\nOnce the credentials are set up, run:- \n```\n./Aaia_aws_collector.sh \u003cprofile_name\u003e\n```\nEnsure the output format of the AWS profile being used for data collection is set to json, as Aaia expects the collected data to be in JSON format. \n\n\n#### Note:- ####\nIf data has to be collected from another instance, copy the \"Aaia_aws_collector.sh\" file to the remote instance, run it, and copy the generated \"offline_data\" folder to the Aaia path on the instance where Aaia is set up, then carry on with the following steps.\nThis is helpful in consulting or client audit engagements.\n\n\n### Loading the collected data to Neo4j DB \n\n```\npython Aaia.py -n \u003cprofile_name\u003e -a load_data\n```\n\n-n accepts \"all\" as a value, which loads all collected data present within the offline_data folder.\n\n#### Note: ####\nPlease ensure you do not have a profile named \"all\" in the credentials file, as it would conflict with this argument. :P \n\nNow we are ready to use Aaia.\n\n\n### Audit IAM through a custom module\n\nAs of now, a sample module is provided as a skeleton example. It can serve as a reference for building custom modules.\n\n```\npython Aaia.py -n all -m iam_sample_audit\n```\n\n\n## Thanks to \n\nAaia is influenced and inspired by various amazing open source projects. 
Huge shout-out to:-\n\n* [Cloudmapper](https://github.com/duo-labs/cloudmapper)\n* [Cartography](https://github.com/lyft/cartography)\n* [BloodHound](https://github.com/BloodHoundAD/BloodHound)\n\n\n## Aaia in Action\n\n[![asciicast](https://asciinema.org/a/259578.png)](https://asciinema.org/a/259578)\n\n\n## Screenshots\n\nA sample visual of a dummy AWS account's IAM\n\n![Image of AWS IAM Neo4j Visual](https://github.com/rams3sh/Aaia/blob/master/screenshots/AWS_IAM_Graph.PNG)\n\n\n\nA sample visual of the result of a Cypher query to find all relations of a user in AWS IAM\n\n![Image of AWS IAM query result Visual](https://github.com/rams3sh/Aaia/blob/master/screenshots/AWS_IAM_example_cypher_query.PNG)\n\n\n\n## TO DO\n\n* Write detailed documentation for understanding Aaia's Neo4j DB schema\n* Write detailed documentation for developing custom modules for Aaia\n* Write custom modules to evaluate the [28 AWS privilege escalation methods](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation) identified by RhinoSecurity.\n* Provide a cheat sheet of queries for identifying simple issues in AWS IAM\n* Extend Aaia to other cloud providers.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frams3sh%2Faaia","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frams3sh%2Faaia","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frams3sh%2Faaia/lists"}