{"id":18425298,"url":"https://github.com/toshke/aws-keys-sectool","last_synced_at":"2025-12-14T14:08:35.117Z","repository":{"id":57413287,"uuid":"441430072","full_name":"toshke/aws-keys-sectool","owner":"toshke","description":"Command line to list and IP whitelist active AWS credentials","archived":false,"fork":false,"pushed_at":"2022-04-07T14:46:44.000Z","size":35,"stargazers_count":15,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-17T13:49:11.236Z","etag":null,"topics":["access-control","aws","security","security-tools"],"latest_commit_sha":null,"homepage":"https://toshke.medium.com/aws-access-keys-ip-filtering-protection-b65ae5f8e26f","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/toshke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-12-24T09:57:47.000Z","updated_at":"2022-09-23T13:08:20.000Z","dependencies_parsed_at":"2022-09-07T03:03:37.105Z","dependency_job_id":null,"html_url":"https://github.com/toshke/aws-keys-sectool","commit_stats":null,"previous_names":["toshke/aws-keys-security"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toshke%2Faws-keys-sectool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toshke%2Faws-keys-sectool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toshke%2Faws-keys-sectool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toshke%2Faws-keys-sectool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/toshke","download_url":"https://codeload.github.com/toshke/aws-keys-sectool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247687942,"owners_count":20979570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","aws","security","security-tools"],"created_at":"2024-11-06T05:03:29.378Z","updated_at":"2025-12-14T14:08:34.753Z","avatar_url":"https://github.com/toshke.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aws-keys-sectool\n\n[See it in action on asciinema](https://asciinema.org/a/481461)\n\nCommand line to list and protect working AWS credentials\non workstations and servers (use IAM roles for any compute, though!)\n\n❌ **IF YOUR IP IS NOT STATIC AND YOU DON'T USE THE -b OPTION YOU CAN EASILY LOCK\nYOURSELF OUT**\n\n## Why?\n\nAWS long-lived static credentials were still the number 1 initial access vector\nin 2021 security breaches, according to many security researchers.\nSee [here](https://blog.christophetd.fr/cloud-security-breaches-and-vulnerabilities-2021-in-review/#Static_Credentials_Remain_the_Major_Initial_Access_Vector)\n\n## What\n\n`aws-keys-sectool` allows you to\n\n- list all of the working profiles from `~/.aws/credentials`, including those based on session tokens\n\n- optionally protect yourself from misuse of your AWS keys by simply whitelisting only the current IP address for\n  API calls. This, however, does come with a few caveats:\n\n  - This works only if the credentials allow `iam:PutUserPolicy` on the IAM user itself.\n\n  - In order not to lock yourself out when changing IPs, `iam:PutUserPolicy` is left out of the full protection when using the `-b` option; however,\n    it is conditioned using an `aws:UserAgent` condition that expects a hash of the\n    user's ARN as its value. So, in a credential leak scenario the user is still protected if the malicious actor is not aware that the keys are protected using this utility.\n\n  - Every time the client IP address changes, the script needs to be executed again to align the policy with the new IP address.\n\n## Requirements\n\n- `python3`\n- `boto3`\n\nIf you are using the AWS CLI, chances are good that these are already present on the system.\n\n## How\n\nSimply clone the repo and run the scripts\n\n1 - build and install the package\n\n```\n### install from PyPI\npip3 install aws-keys-sectool\n\n## or clone and build\ngit clone https://github.com/toshke/aws-keys-sectool.git \u0026\u0026 \\\n  cd aws-keys-sectool \u0026\u0026 \\\n  python3 setup.py install\n\n## see usage\naws-keys-sectool -h\n```\n\n### Key listing\n\n```\n### default behaviour prints results in human readable format to stdout\naws-keys-sectool list-all-keys\n\n### optionally, to write the output to a JSON file (aws_keys_report.json), use\naws-keys-sectool list-all-keys -j\n```\n\n### Key protection\n\n```shell\n###\n### Options explained\n###   -b Add backdoor access. The user will only be able to perform the\n###        iam:PutUserPolicy action from a different IP address, and\n###        with the UA string set to a hash of the user ARN. Not added\n###        by default, assuming that the user is on a static IP\n###        and there is an admin account that can restore the user's access in\n###        case of an IP change\n###\n###   --profile PROFILE : Target a specific AWS profile. All profiles\n###        are protected by default, with a user prompt\n###\n###   --ip IP_ADDRESS: If you're whitelisting an IP address (or a range in CIDR format)\n###         other than your current public IP, use this option.\n###         The default value is your current IP address obtained via ipinfo.io\n###\naws-keys-sectool protect-keys [-b] [-p PROFILE] [-i ip_address_or_cidr]\n```\n\n## FAQ\n\n*Q*: Can I whitelist IPs/CIDRs manually, outside of the tool?\n\n*A*: Yes, see the policy below (the variant without backdoor access)\n```\n{\n    \"Sid\": \"DenyIpBased\",\n    \"Effect\": \"Deny\",\n    \"NotAction\": \"iam:PutUserPolicy\",\n    \"Resource\": \"*\",\n    \"Condition\": {\n        \"NotIpAddress\": {\n            \"aws:SourceIp\": \u003cYOUR_IP_GOES_HERE\u003e\n        }\n    }\n}\n```\n\n*Q*: What if I use the backdoor option and my creds are leaked?\n\n*A*: Obviously, the backdoor implies a vulnerability by design.\nThe ideal scenario is to avoid the backdoor option and use an admin profile\nto update the IP when it changes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoshke%2Faws-keys-sectool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftoshke%2Faws-keys-sectool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoshke%2Faws-keys-sectool/lists"}