Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/xmendez/awsdigger
AWS IAM resources search tool
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/xmendez/awsdigger
- Owner: xmendez
- License: gpl-3.0
- Created: 2018-06-06T22:50:20.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2021-05-05T07:55:29.000Z (over 3 years ago)
- Last Synced: 2024-06-28T08:35:41.673Z (5 months ago)
- Language: Python
- Homepage:
- Size: 23.4 KB
- Stars: 19
- Watchers: 3
- Forks: 6
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# awsdigger
This tool was created to facilitate the security assessment of IAM resources in AWS environments. It provides a filter language to look for overprivileged roles and trust relationships, and to calculate effective IAM policies.
Further information: https://medium.com/edge-security/abusing-aws-cross-account-relationships-3b36a111b494
This is WIP:
* It is still under development and it has the minimum functionality.
* AWS policy syntax is very flexible and therefore it is difficult to support all the "NotAction", "Action", "Deny", "Allow", different services, resources, conditions, actions and wildcards.
* Managed policies are not supported

# Language
The following clauses are allowed:
* Type
* Effective
* Trusted
* KeyId
* Name
* Arn
* PolicyName
* Action
* Resource
* Condition
* Effect

Operators:
* =
* !=
* =~
* !~
* ~

# Examples:
* Find trust relationships
```
$ python -m awsdigger --filter "Trusted~'arn:aws:iam::123456789012:root'"
$ python -m awsdigger --filter "Action~'sts:AssumeRole'"
```
* Find overprivileged roles
```
$ python -m awsdigger --filter "Action='iam:*' and Resource='*'"
$ python -m awsdigger --filter "Effective~'iam:PutUserPolicy' or Effective~'CreateGroup' or Effective~'CreateUser' or Effective~'UpdateGroup' or Effective~'AttachGroupPolicy' "
```