{"id":28550271,"url":"https://github.com/wakeful/veil","last_synced_at":"2025-12-30T18:14:02.536Z","repository":{"id":293991751,"uuid":"981987734","full_name":"wakeful/veil","owner":"wakeful","description":"Verified Entity Identity Lock (Expose hidden trust paths in your AWS IAM setup before they become security risks.)","archived":false,"fork":false,"pushed_at":"2025-08-26T11:21:40.000Z","size":88,"stargazers_count":15,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-01T22:42:01.354Z","etag":null,"topics":["aws","blue","blue-team","blue-team-tool","blueteam","blueteam-tools","cybersecurity","penetration-testing","recon","security","security-auditing","security-automation","security-testing","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wakeful.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-12T07:55:55.000Z","updated_at":"2025-08-15T22:36:39.000Z","dependencies_parsed_at":"2025-05-18T12:23:29.114Z","dependency_job_id":"4203c39a-454f-43a8-84ff-cba045141787","html_url":"https://github.com/wakeful/veil","commit_stats":null,"previous_names":["wakeful/veil"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/wakeful/veil","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wakeful%2Fveil","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wakeful%2Fveil/tags","releases_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/wakeful%2Fveil/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wakeful%2Fveil/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wakeful","download_url":"https://codeload.github.com/wakeful/veil/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wakeful%2Fveil/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273203263,"owners_count":25063277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-01T02:00:09.058Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","blue","blue-team","blue-team-tool","blueteam","blueteam-tools","cybersecurity","penetration-testing","recon","security","security-auditing","security-automation","security-testing","security-tools"],"created_at":"2025-06-10T03:08:21.252Z","updated_at":"2025-12-30T18:14:02.492Z","avatar_url":"https://github.com/wakeful.png","language":"Go","readme":"# veil\n\n\u003e **Verified Entity Identity Lock** (Expose hidden trust paths in your AWS IAM setup before they become security risks.)\n\n\u003e [!NOTE]\n\u003e This tool finds IAM principals in your AWS account that can assume a specific permission and returns them as a JSON\n\u003e list.\n\u003e Super handy for auditing trust relationships and spotting who has access to 
what.\n\n```shell\n$ veil -h\nUsage veil:\n  -region string\n        AWS region used for IAM communication (default \"eu-west-1\")\n  -verbose\n        verbose log output\n  -version\n        show version\n```\n\n### Installation\n\n#### From source\n\n```shell\n# via the Go toolchain\ngo install github.com/wakeful/veil@latest\n```\n\n#### Using a binary release\n\nYou can download a pre-built binary from the [release page](https://github.com/wakeful/veil/releases/latest) and add it\nto your user PATH.\n\n### Example scenario\n\nLet's run `veil` against the current AWS account.\n\n```shell\n$ veil | tee output\n```\n\nWe should get back a similar response.\n\n```json\n{\n  \"apidestinations.events.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations\"\n  ],\n  \"apprunner.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner\"\n  ],\n  \"arn:aws:iam::OurOrgMasterAccountID:root\": [\n    \"arn:aws:iam::CurrentAccountID:role/OrganizationAccountAccessRole\"\n  ],\n  \"arn:aws:iam::UnknownAccountID:root\": [\n    \"arn:aws:iam::CurrentAccountID:role/OrganizationAccountAccessRole\"\n  ],\n  \"arn:aws:iam::CurrentAccountID:oidc-provider/token.actions.githubusercontent.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/github\"\n  ],\n  \"arn:aws:iam::CurrentAccountID:saml-provider/AWSSSO_bc4a1d0eeaf11feb_DO_NOT_DELETE\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_ViewOnlyAccess_de8667700c107932\",\n    \"arn:aws:iam::CurrentAccountID:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_FullAdmin_7b2592782fd2ce48\"\n  ],\n  \"arn:aws:iam::ThirdPartyVendorAccountID:root\": [\n    \"arn:aws:iam::CurrentAccountID:role/ViewOnlyRole\",\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS\"\n  
],\n  \"autoscaling.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling\"\n  ],\n  \"ecs.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS\"\n  ],\n  \"elasticache.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache\"\n  ],\n  \"grafana.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/grafana.amazonaws.com/AWSServiceRoleForAmazonGrafana\"\n  ],\n  \"ops.apigateway.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway\"\n  ],\n  \"organizations.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations\"\n  ],\n  \"rds.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS\"\n  ],\n  \"schemas.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/schemas.amazonaws.com/AWSServiceRoleForSchemas\"\n  ],\n  \"sso.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO\"\n  ],\n  \"support.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport\"\n  ],\n  \"trustedadvisor.amazonaws.com\": [\n    \"arn:aws:iam::CurrentAccountID:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor\"\n  ]\n}\n```\n\n\u003e [!TIP]\n\u003e We can now audit the principals that have access to our account. 
We can also leverage `jq` to quickly extract the AWS\n\u003e account IDs, which we can later compare against our trusted list.\n\n```shell\n$ cat output | jq -r 'keys[]' | grep \"^arn:\" | cut -d \":\" -f 5 | sort | uniq\nCurrentAccountID\nOurOrgMasterAccountID\nThirdPartyVendorAccountID\nUnknownAccountID\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwakeful%2Fveil","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwakeful%2Fveil","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwakeful%2Fveil/lists"}