Skip to content

Latest commit

 

History

History
52 lines (37 loc) · 1.28 KB

README.md

File metadata and controls

52 lines (37 loc) · 1.28 KB

awsdigger

This tool was created to facilitate the security assessment of IAM resources in AWS environments. It provides a filter languague to look for overprivileged roles, trust relationships and to calculate effective IAM policies.

Futher information https://medium.com/edge-security/abusing-aws-cross-account-relationships-3b36a111b494

This is WIP:

  • It is still under development and it has the minimum functionality.
  • AWS policy syntax is very flexible and therefore it is difficult to support all the "NotAction", "Action", "Deny", "Allow", different services, resources, conditions, actions and wildcards.
  • Managed policies are not supported

Language

The following clauses are allowed:

  • Type
  • Effective
  • Trusted
  • KeyId
  • Name
  • Arn
  • PolicyName
  • Action
  • Resource
  • Condition
  • Effect

Operators:

  • =
  • !=
  • =~
  • !~
  • ~

Examples:

  • Find trust relationships
$ python -m awsdigger --filter "Trusted~'arn:aws:iam::123456789012:root'"

$ python -m awsdigger --filter "Action~'sts:AssumeRole' 
  • Find overprivileged roles
$ python -m awsdigger --filter "Action='iam:*' and Resource='*'

$ python -m awsdigger --filter "Effective~'iam:PutUserPolicy' or Effective~'CreateGroup' or Effective~'CreateUser' or Effective~'UpdateGroup' or Effective~'AttachGroupPolicy' "