def __init__(self): if RolePermissionsHandler.__instance is not None: raise SingletonClassException("This class is a singleton!") else: self.__config = ConfigHandler.get_instance().get_config() self.__logger = logging.getLogger(__name__) self.__roles = {} self.__attached_policies = {} RolePermissionsHandler.__instance = self
def main(): try: parser = argparse.ArgumentParser() parser.add_argument("--export-results", "-er", type=str2bool, default=True, required=False) parser.add_argument("--print-sts-refresh-tree", required=False, type=str2bool, default=False) options = parser.parse_args() # Settings configuration config = ConfigHandler.get_instance().get_config() run_timestamp = int(time.time()) account_id = get_account_id() config["account"]["account_id"] = account_id config["run_timestamp"] = run_timestamp logger_setup() logger = logging.getLogger("Main") logger.info(SKYWRAPPER_INTRO) # Get the user's CloudTrail Bucket user_cloudtrail_bucket = get_user_cloudtrail_bucket(logger) # Continue the settings configuration config["athena"]["table_name"] = config["athena"]["table_name"].format( table_name=user_cloudtrail_bucket. get_converted_s3_bucket_name_to_table_name()) config["athena"]["output_location"] = config["athena"][ "output_location"].format( account_id=account_id, region=user_cloudtrail_bucket.home_region) logger.info("[+] Getting the temporary tokens history") # Main program logic sts_history = StsHistoryHandler(user_cloudtrail_bucket) # Export results options if options.print_sts_refresh_tree: print_root_access_key_sts_tree( sts_history.root_tokens[ROOT_AKIA_TOKENS_USED_FOR_REFRESH_STS]) if options.export_results: export_handler = ExportStsHistoryHandler(sts_history) export_handler.export_results() except Exception as e: logger = logging.getLogger("Main") logger.warning("SkyWrapper failed to run - Exception was raised") logger.warning("Exception details: {0}".format(e.args[0])) if "Unable to verify/create output bucket" in e.args[0]: logger.warning( "Couldn't access the trail bucket. It might be insufficient permissions issue." ) logger.warning(traceback.format_exc())
def logger_setup(): config = ConfigHandler.get_instance().get_config() logging.root.setLevel(logging.INFO) formatter = logging.basicConfig(format='%(message)s', datefmt='%Y-%m-%d %H:%M:%S') fh = logging.FileHandler( os.path.join( get_project_root(), "run_log_account_{0}-{1}.log".format( config["account"]["account_id"], config["run_timestamp"]))) logging.root.addHandler(fh) for handler in logging.root.handlers: handler.setFormatter(formatter)
def __init__(self, cloudwatch_trail_object): config_handler = ConfigHandler.get_instance() config = config_handler.config self.__logger = logging.getLogger(__name__) self.cloudwatch_trail_object = cloudwatch_trail_object self.athena_handler = AthenaHandler( cloudwatch_trail_object.home_region) self.suspicious_tokens = [] # Gets all the temporary (Role Access tokens) used to create other Access tokens self.__logger.info("[+] Searching for refreshed temporary tokens") self.tokens_created_by_temporary_token_athena_rows = self.athena_handler.fetchall_athena( GET_ACCESS_TOKENS_FROM_STS_QUERY.format( config["athena"]["table_name"]), config["athena"]["database_name"], config["athena"]["output_location"]) self.access_keys_to_check = self.access_keys_ids_dict_generator( self.tokens_created_by_temporary_token_athena_rows) # Pair nodes to their parents self.__match_parent_node_to_child(self.access_keys_to_check) # Gets all the AKIA (User Access tokens) used to create other Access tokens self.__logger.info( "[+] Searching after users that their keys used for creating temporary tokens" ) self.created_sts_tokens_from_main_access_keys_athena_rows = self.athena_handler.fetchall_athena( GET_ORIGIN_ACCESS_TOKENS_FROM_STS_QUERY.format( config["athena"]["table_name"]), config["athena"]["database_name"], config["athena"]["output_location"]) self.sts_persistence_root_temporary_keys_id_set = self.parse_athena_rows_sts_persistence_root_temporary_keys( self.access_keys_to_check) self.root_tokens = self.parse_athena_rows_akia_access_key_id_for_root_sts( self.created_sts_tokens_from_main_access_keys_athena_rows, self.sts_persistence_root_temporary_keys_id_set) self.root_temporary_tokens = self.root_tokens[ ROOT_STS_TOKENS_USED_TO_REFRESH_STS] # Get all the live temporary tokens in the account self.__logger.info( "[+] Searching after live temporary tokens under the AWS account") self.live_temporary_tokens_athena_rows = self.athena_handler.fetchall_athena( GET_LIVE_TEMPORARY_TOKENS_QUERY.format( config["athena"]["table_name"]), config["athena"]["database_name"], config["athena"]["output_location"]) self.live_temporary_tokens = self.parse_athena_rows_live_temporary_tokens( self.live_temporary_tokens_athena_rows) self.get_info_for_live_temporary_tokens() self.flag_suspicious_tokens()
def export_results(self): config_handler = ConfigHandler.get_instance() config = config_handler.config project_path = get_project_root() excel_output_file_location = os.path.join( project_path, config["output"]["excel_output_file"].format( trail=self.__sts_history_object.cloudwatch_trail_object. trail_name, account_id=config["account"]["account_id"], date=config["run_timestamp"])) summary_file_location = os.path.join( project_path, config["output"]["summary_output_file"].format( trail=self.__sts_history_object.cloudwatch_trail_object. trail_name, account_id=config["account"]["account_id"], date=config["run_timestamp"])) self.export_data_to_excel(excel_output_file_location) self.create_summary_file(summary_file_location)
def client_session_creator(client_name, **kwargs): """ Creates client session based on the credentials the users entered in the config file or it goes to the default AWS credentials """ config = ConfigHandler.get_instance().get_config() if "verify" in kwargs: overridden_verify_value = kwargs.pop("verify") if config["account"]["aws_access_key_id"] is not None and config["account"]["aws_access_key_id"] != "" \ and config["account"]["aws_secret_access_key"] is not None and config["account"]["aws_secret_access_key"] != "": kwargs["aws_access_key_id"] = config["account"]["aws_access_key_id"] kwargs["aws_secret_access_key"] = config["account"][ "aws_secret_access_key"] if config["account"]["aws_session_token"] is not None and config[ "account"]["aws_session_token"] != "": kwargs["aws_session_token"] = config["account"]["aws_session_token"] return boto3.client(client_name, verify=config["verify_https"], **kwargs)
def __init__(self): self.__logger = logging.getLogger(__name__) self.__config = ConfigHandler.get_instance().get_config() self.trails = None self.__raw_trails_list = []
def get_account_id(): config = ConfigHandler.get_instance().get_config() sts_client = client_session_creator('sts') aws_account_id = sts_client.get_caller_identity().get('Account') return aws_account_id
def __init__(self): ConfigHandler.__init__(self, self.fileName)
def __init__(self, athena_bucket_region): self.__config = ConfigHandler.get_instance().get_config() self.athena_client = client_session_creator( 'athena', region_name=athena_bucket_region) self.__logger = logging.getLogger(__name__)