https://github.com/xmendez/awsdigger

AWS IAM resources search tool
https://github.com/xmendez/awsdigger

Last synced: about 2 months ago
JSON representation

AWS IAM resources search tool

• Host: GitHub
• URL: https://github.com/xmendez/awsdigger
• Owner: xmendez
• License: gpl-3.0
• Created: 2018-06-06T22:50:20.000Z (over 6 years ago)
• Default Branch: master
• Last Pushed: 2021-05-05T07:55:29.000Z (over 3 years ago)
• Last Synced: 2024-06-28T08:35:41.673Z (3 months ago)
• Language: Python
• Homepage:
• Size: 23.4 KB
• Stars: 19
• Watchers: 3
• Forks: 6
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# awsdigger

This tool was created to facilitate the security assessment of IAM resources in AWS environments. It provides a filter languague to look for overprivileged roles, trust relationships and to calculate effective IAM policies.

Futher information https://medium.com/edge-security/abusing-aws-cross-account-relationships-3b36a111b494

This is WIP: 

* It is still under development and it has the minimum functionality. 

* AWS policy syntax is very flexible and therefore it is difficult to support all the "NotAction", "Action", "Deny", "Allow",  different services, resources, conditions, actions and wildcards.

* Managed policies are not supported

# Language

The following clauses are allowed:

* Type

* Effective

* Trusted

* KeyId

* Name

* Arn

* PolicyName

* Action

* Resource

* Condition

* Effect

Operators:

* =

* !=

* =~

* !~

* ~

# Examples:

* Find trust relationships

```

$ python -m awsdigger --filter "Trusted~'arn:aws:iam::123456789012:root'"

$ python -m awsdigger --filter "Action~'sts:AssumeRole' 

```

* Find overprivileged roles

```

$ python -m awsdigger --filter "Action='iam:*' and Resource='*'

$ python -m awsdigger --filter "Effective~'iam:PutUserPolicy' or Effective~'CreateGroup' or Effective~'CreateUser' or Effective~'UpdateGroup' or Effective~'AttachGroupPolicy' "

```