https://github.com/wakeful/veil
Verified Entity Identity Lock (Expose hidden trust paths in your AWS IAM setup before they become security risks.)
- Host: GitHub
- URL: https://github.com/wakeful/veil
- Owner: wakeful
- License: bsd-3-clause
- Created: 2025-05-12T07:55:55.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2025-08-26T11:21:40.000Z (about 1 month ago)
- Last Synced: 2025-09-01T22:42:01.354Z (about 1 month ago)
- Topics: aws, blue, blue-team, blue-team-tool, blueteam, blueteam-tools, cybersecurity, penetration-testing, recon, security, security-auditing, security-automation, security-testing, security-tools
- Language: Go
- Homepage:
- Size: 85.9 KB
- Stars: 15
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: Readme.md
- License: LICENSE
README
# veil
> **Verified Entity Identity Lock** (Expose hidden trust paths in your AWS IAM setup before they become security risks.)
> [!NOTE]
> This tool finds the IAM principals that can assume roles in your AWS account and returns them as a JSON map of
> principal to the roles it may assume.
> Super handy for auditing trust relationships and spotting who has access to what.

```shell
$ veil -h
Usage veil:
-region string
AWS region used for IAM communication (default "eu-west-1")
-verbose
verbose log output
-version
show version
```

### Installation
#### From source
```shell
# via the Go toolchain
go install github.com/wakeful/veil
```

#### Using a binary release
You can download a pre-built binary from the [release page](https://github.com/wakeful/veil/releases/latest) and add it
to your user PATH.

### Example scenario
Let's run `veil` against the current AWS account.
```shell
$ veil | tee output
```

We should get back a similar response.
```json
{
"apidestinations.events.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations"
],
"apprunner.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner"
],
"arn:aws:iam::OurOrgMasterAccountID:root": [
"arn:aws:iam::CurrentAccountID:role/OrganizationAccountAccessRole"
],
"arn:aws:iam::UnknownAccountID:root": [
"arn:aws:iam::CurrentAccountID:role/OrganizationAccountAccessRole"
],
"arn:aws:iam::CurrentAccountID:oidc-provider/token.actions.githubusercontent.com": [
"arn:aws:iam::CurrentAccountID:role/github"
],
"arn:aws:iam::CurrentAccountID:saml-provider/AWSSSO_bc4a1d0eeaf11feb_DO_NOT_DELETE": [
"arn:aws:iam::CurrentAccountID:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_ViewOnlyAccess_de8667700c107932",
"arn:aws:iam::CurrentAccountID:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_FullAdmin_7b2592782fd2ce48"
],
"arn:aws:iam::ThirdPartyVendorAccountID:root": [
"arn:aws:iam::CurrentAccountID:role/ViewOnlyRole",
"arn:aws:iam::CurrentAccountID:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS"
],
"autoscaling.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
],
"ecs.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
],
"elasticache.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache"
],
"grafana.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/grafana.amazonaws.com/AWSServiceRoleForAmazonGrafana"
],
"ops.apigateway.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"
],
"organizations.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations"
],
"rds.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS"
],
"schemas.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/schemas.amazonaws.com/AWSServiceRoleForSchemas"
],
"sso.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO"
],
"support.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
],
"trustedadvisor.amazonaws.com": [
"arn:aws:iam::CurrentAccountID:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor"
]
}
```

> [!TIP]
> We can now audit the principals that have access to our account. We can also leverage `jq` to quickly extract the AWS
> account IDs, which we can later compare against our trusted list.

```shell
$ cat output | jq -r 'keys.[]' | grep "^arn:" | cut -d ":" -f 5 | sort | uniq
CurrentAccountID
OurOrgMasterAccountID
ThirdPartyVendorAccountID
UnknownAccountID
```
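The same comparison as the `jq` pipeline, but carried a step further: it parses `veil`'s JSON output, skips AWS service principals, and reports not just which account IDs are missing from the trusted list but which roles each of them can assume. This is an added example, not part of `veil` itself; the sample output and the 12-digit account IDs in it are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of veil output (principal -> assumable roles); 111111111111 stands for the current account, 222222222222 for the org master, 333333333333 for an unknown account (placeholders only).
const sampleOutput = `{
  "rds.amazonaws.com": ["arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS"],
  "arn:aws:iam::222222222222:root": ["arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"],
  "arn:aws:iam::333333333333:root": ["arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"],
  "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com": ["arn:aws:iam::111111111111:role/github"]
}`

// accountID returns the account field of an IAM ARN, or "" for non-ARN principals such as "rds.amazonaws.com".
func accountID(principal string) string {
	parts := strings.Split(principal, ":")
	if !strings.HasPrefix(principal, "arn:") || len(parts) < 6 {
		return ""
	}
	return parts[4]
}

// UntrustedRoles maps every account ID absent from trusted to the roles its principals can assume.
func UntrustedRoles(raw []byte, trusted map[string]bool) (map[string][]string, error) {
	var trust map[string][]string
	if err := json.Unmarshal(raw, &trust); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for principal, roles := range trust {
		id := accountID(principal)
		if id == "" || trusted[id] {
			continue
		}
		out[id] = append(out[id], roles...)
	}
	return out, nil
}

func main() {
	trusted := map[string]bool{"111111111111": true, "222222222222": true}
	findings, err := UntrustedRoles([]byte(sampleOutput), trusted)
	if err != nil {
		panic(err)
	}
	fmt.Printf("untrusted accounts and the roles they can assume: %v\n", findings)
}
```

Feed it the real `output` file from the scenario above in place of `sampleOutput`, and any account that appears in the findings is one to chase down in your trust policies.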