 def list_access_keys(self, user_name):
     """Fetch the IAM access keys of *user_name* and persist each one.

     Every ``AccessKeyMetadata`` entry is handed to ``save_data`` together
     with a ``simple_storage`` query on its ``AccessKeyId`` and the
     ``'access_keys'`` table name; presumably the query lets ``save_data``
     update an existing record instead of duplicating it — confirm.
     NOTE(review): ``run_single_region`` is opaque from here; whether it
     follows ``IsTruncated``/``Marker`` pagination cannot be told.
     """
     response = run_single_region('iam', 'list_access_keys',
                                  {'UserName': user_name})
     for key_metadata in response["AccessKeyMetadata"]:
         lookup = simple_storage.where('AccessKeyId') == key_metadata['AccessKeyId']
         self.save_data(key_metadata, lookup, 'access_keys')
 def list_users(self):
     """Persist every IAM user, then gather each user's access keys.

     Each record from ``list_users`` is saved to the ``'users'`` table with
     a ``simple_storage`` query on its ``UserName``, and
     ``list_access_keys`` is called for that user right afterwards.
     NOTE(review): ``run_single_region`` is opaque from here; whether it
     follows ``IsTruncated``/``Marker`` pagination cannot be told.
     """
     response = run_single_region('iam', 'list_users', {})
     for user_record in response['Users']:
         username = user_record['UserName']
         lookup = simple_storage.where('UserName') == username
         self.save_data(user_record, lookup, 'users')
         self.list_access_keys(username)
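    def init(self):
        """Relate principals to the Lambda functions they can read or overwrite.

        Simulates ``lambda:GetFunction`` and ``lambda:UpdateFunctionCode``
        for every gathered user and role against every gathered function
        ARN, and writes an edge (role node -> lambda node, labelled with the
        action) for each ``allowed`` evaluation.

        The simulation sets ``aws:MultiFactorAuthPresent`` = true, so the
        edges describe the principal's best case: a policy that requires
        MFA is treated as satisfied.

        NOTE(review): ``run_single_region`` is opaque from here; whether it
        follows ``IsTruncated``/``Marker`` pagination of the evaluation
        results cannot be confirmed, and IAM caps the number of resource
        ARNs per simulation request — confirm large accounts are not
        silently truncated.
        """
        function_arns = {
            fn['FunctionArn']
            for fn in simple_storage.all_records('lambda_function')
        }
        # Nothing to simulate against: skip loading principals and the
        # per-principal IAM calls entirely.
        if not function_arns:
            return

        principals = simple_storage.all_records('iam_gatherusers')
        principals.extend(simple_storage.all_records('iam_gatherroles'))

        # Loop-invariant: the same resource list is sent for every principal.
        resource_arns = list(function_arns)
        for principal in principals:
            principal_arn = principal['Arn']
            simulation_params = {
                'PolicySourceArn': principal_arn,
                'ActionNames': ['lambda:GetFunction', 'lambda:UpdateFunctionCode'],
                'ResourceArns': resource_arns,
                'ContextEntries': [{
                    'ContextKeyName': 'aws:multifactorauthpresent',
                    'ContextKeyType': 'boolean',
                    'ContextKeyValues': ['true']
                }]
            }
            evaluation = run_single_region('iam',
                                           'simulate_principal_policy',
                                           simulation_params)
            for result in evaluation["EvaluationResults"]:
                if result["EvalDecision"] != "allowed":
                    continue
                lambda_node = BaseLambdaNode(result['EvalResourceName'])
                role_node = BaseRoleNode(principal_arn)
                role_node.relate(self.storage, lambda_node,
                                 result['EvalActionName'])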
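    def init(self):
        """Relate principals to EC2 instances reachable through SSM Run Command.

        Simulates ``ssm:SendCommand`` on the ``AWS-RunPowerShellScript``
        document for every gathered user and role. Because the simulated
        resource is the document, not an instance, one ``allowed`` result
        links the principal to every gathered instance plus the synthetic
        ``ALL-INSTANCES`` node.

        NOTE(review): only the document ARN is passed as ``ResourceArns``.
        ``ssm:SendCommand`` is also evaluated against the target instance
        ARNs, so a principal that is restricted at the instance level can
        still be reported as ``allowed`` here — confirm this coarse result
        is intended.

        The simulation sets ``aws:MultiFactorAuthPresent`` = true, so the
        edges describe the principal's best case (MFA conditions satisfied).
        NOTE(review): ``run_single_region`` is opaque from here; whether it
        follows ``IsTruncated``/``Marker`` pagination cannot be confirmed.
        """
        instances = simple_storage.all_records('ec2_gather')
        # Synthetic catch-all record; it is always appended, so the list is
        # never empty and no "no instances" early exit is needed (the
        # previous ARN set built only for that check was dead code).
        instances.append({'InstanceId': "ALL-INSTANCES"})

        principals = simple_storage.all_records('iam_gatherusers')
        principals.extend(simple_storage.all_records('iam_gatherroles'))

        for principal in principals:
            principal_arn = principal['Arn']
            simulation_params = {
                'PolicySourceArn': principal_arn,
                'ActionNames': ['ssm:SendCommand'],
                'ResourceArns':
                ['arn:aws:ssm:*:*:document/AWS-RunPowerShellScript'],
                'ContextEntries': [{
                    'ContextKeyName': 'aws:multifactorauthpresent',
                    'ContextKeyType': 'boolean',
                    'ContextKeyValues': ['true']
                }]
            }
            evaluation = run_single_region('iam',
                                           'simulate_principal_policy',
                                           simulation_params)
            for result in evaluation["EvaluationResults"]:
                if result["EvalDecision"] != "allowed":
                    continue
                # A fresh node pair per instance, as relate() may keep
                # per-object state — not verifiable from here.
                for instance in instances:
                    ec2_node = BaseEC2Node(instance['InstanceId'])
                    role_node = BaseRoleNode(principal_arn)
                    role_node.relate(self.storage, ec2_node,
                                     result['EvalActionName'])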
 def get_all_buckets(self):
     """Persist every S3 bucket returned by ``list_buckets``.

     Each bucket record is saved with a ``simple_storage`` query on its
     ``Name``. NOTE(review): unlike the IAM gatherers no table name is
     passed to ``save_data`` — presumably it has a default; confirm.
     """
     response = run_single_region('s3', 'list_buckets', {})
     for bucket_record in response['Buckets']:
         lookup = simple_storage.where('Name') == bucket_record['Name']
         self.save_data(bucket_record, lookup)
 def list_roles(self):
     """Persist every IAM role returned by ``list_roles``.

     Each role record is saved to the ``'roles'`` table with a
     ``simple_storage`` query on its ``RoleName``.
     NOTE(review): ``run_single_region`` is opaque from here; whether it
     follows ``IsTruncated``/``Marker`` pagination cannot be told.
     """
     response = run_single_region('iam', 'list_roles', {})
     for role_record in response['Roles']:
         lookup = simple_storage.where('RoleName') == role_record['RoleName']
         self.save_data(role_record, lookup, 'roles')
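    def init(self):
        """Relate principals to the EC2 instances they can tamper with.

        For every gathered user and role, four IAM policy simulations are
        run, each with ``aws:MultiFactorAuthPresent`` = true (so policies
        that require MFA are treated as satisfied and the edges describe the
        principal's best case):

        * three per-instance simulations against every gathered instance
          ARN plus the synthetic ``ALL-INSTANCES`` ARN —
          ``ec2:AttachVolume``/``ec2:DetachVolume``,
          ``ec2:StartInstances``/``ec2:StopInstances`` and
          ``ec2:AssociateIamInstanceProfile``; an ``allowed`` result links
          the principal to the one instance named in ``EvalResourceName``;
        * one account-wide simulation with no ``ResourceArns`` —
          ``ec2:DescribeInstances``, ``ec2:ModifyInstanceAttribute``,
          ``ec2:CopySnapshot``, ``ec2:RunInstances``; an ``allowed`` result
          links the principal to every gathered instance.

        Each edge goes from the principal's role node to the instance node
        and is labelled with ``EvalActionName``. Simulations are issued in
        the order listed above, per principal, so edges are written in the
        same order as before this refactor.

        NOTE(review): ``run_single_region`` is opaque from here; whether it
        follows ``IsTruncated``/``Marker`` pagination of the evaluation
        results cannot be confirmed, and IAM caps the number of resource
        ARNs per simulation request — confirm large accounts are not
        silently truncated.
        """
        instances = simple_storage.all_records('ec2_gather')
        # Synthetic catch-all record; because it is always appended the ARN
        # set is never empty, so the former "no instances" early return was
        # unreachable and has been dropped.
        instances.append({'InstanceId': "ALL-INSTANCES"})
        basic_arn = 'arn:aws:ec2:*:*:instance/'
        # A set, as before, so duplicate InstanceIds collapse to one ARN.
        instance_arns = {basic_arn + inst['InstanceId'] for inst in instances}

        principals = simple_storage.all_records('iam_gatherusers')
        principals.extend(simple_storage.all_records('iam_gatherroles'))

        # Per-instance action groups, in edge-writing order.
        per_instance_action_groups = [
            ['ec2:AttachVolume', 'ec2:DetachVolume'],
            ['ec2:StartInstances', 'ec2:StopInstances'],
            ['ec2:AssociateIamInstanceProfile'],
        ]
        account_wide_actions = [
            'ec2:DescribeInstances',
            'ec2:ModifyInstanceAttribute',
            'ec2:CopySnapshot',
            'ec2:RunInstances',
        ]

        def mfa_context():
            # Fresh list per request so no request shares a mutable context.
            return [{
                'ContextKeyName': 'aws:multifactorauthpresent',
                'ContextKeyType': 'boolean',
                'ContextKeyValues': ['true']
            }]

        for principal in principals:
            principal_arn = principal['Arn']

            for action_names in per_instance_action_groups:
                simulation_params = {
                    'PolicySourceArn': principal_arn,
                    'ActionNames': action_names,
                    'ResourceArns': list(instance_arns),
                    'ContextEntries': mfa_context(),
                }
                evaluation = run_single_region('iam', 'simulate_principal_policy', simulation_params)
                for result in evaluation["EvaluationResults"]:
                    if result["EvalDecision"] != "allowed":
                        continue
                    # Assumes EvalResourceName echoes the simulated ARN, so
                    # dropping the common prefix yields the InstanceId
                    # ("ALL-INSTANCES" included) — confirm against the API.
                    instance_id = result['EvalResourceName'][len(basic_arn):]
                    ec2_node = BaseEC2Node(instance_id)
                    role_node = BaseRoleNode(principal_arn)
                    role_node.relate(self.storage, ec2_node, result['EvalActionName'])

            # No ResourceArns: these actions are evaluated account-wide, so a
            # single allowed decision is applied to every gathered instance.
            simulation_params = {
                'PolicySourceArn': principal_arn,
                'ActionNames': account_wide_actions,
                'ContextEntries': mfa_context(),
            }
            evaluation = run_single_region('iam', 'simulate_principal_policy', simulation_params)
            for result in evaluation["EvaluationResults"]:
                if result["EvalDecision"] != "allowed":
                    continue
                for inst in instances:
                    ec2_node = BaseEC2Node(inst['InstanceId'])
                    role_node = BaseRoleNode(principal_arn)
                    role_node.relate(self.storage, ec2_node, result['EvalActionName'])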