def __init__(self):
if RolePermissionsHandler.__instance is not None:
raise SingletonClassException("This class is a singleton!")
else:
self.__config = ConfigHandler.get_instance().get_config()
self.__logger = logging.getLogger(__name__)
self.__roles = {}
self.__attached_policies = {}
RolePermissionsHandler.__instance = self
def main():
try:
parser = argparse.ArgumentParser()
parser.add_argument("--export-results",
"-er",
type=str2bool,
default=True,
required=False)
parser.add_argument("--print-sts-refresh-tree",
required=False,
type=str2bool,
default=False)
options = parser.parse_args()
# Settings configuration
config = ConfigHandler.get_instance().get_config()
run_timestamp = int(time.time())
account_id = get_account_id()
config["account"]["account_id"] = account_id
config["run_timestamp"] = run_timestamp
logger_setup()
logger = logging.getLogger("Main")
logger.info(SKYWRAPPER_INTRO)
# Get the user's CloudTrail Bucket
user_cloudtrail_bucket = get_user_cloudtrail_bucket(logger)
# Continue the settings configuration
config["athena"]["table_name"] = config["athena"]["table_name"].format(
table_name=user_cloudtrail_bucket.
get_converted_s3_bucket_name_to_table_name())
config["athena"]["output_location"] = config["athena"][
"output_location"].format(
account_id=account_id,
region=user_cloudtrail_bucket.home_region)
logger.info("[+] Getting the temporary tokens history")
# Main program logic
sts_history = StsHistoryHandler(user_cloudtrail_bucket)
# Export results options
if options.print_sts_refresh_tree:
print_root_access_key_sts_tree(
sts_history.root_tokens[ROOT_AKIA_TOKENS_USED_FOR_REFRESH_STS])
if options.export_results:
export_handler = ExportStsHistoryHandler(sts_history)
export_handler.export_results()
except Exception as e:
logger = logging.getLogger("Main")
logger.warning("SkyWrapper failed to run - Exception was raised")
logger.warning("Exception details: {0}".format(e.args[0]))
if "Unable to verify/create output bucket" in e.args[0]:
logger.warning(
"Couldn't access the trail bucket. It might be insufficient permissions issue."
)
logger.warning(traceback.format_exc())
def logger_setup():
config = ConfigHandler.get_instance().get_config()
logging.root.setLevel(logging.INFO)
formatter = logging.basicConfig(format='%(message)s',
datefmt='%Y-%m-%d %H:%M:%S')
fh = logging.FileHandler(
os.path.join(
get_project_root(), "run_log_account_{0}-{1}.log".format(
config["account"]["account_id"], config["run_timestamp"])))
logging.root.addHandler(fh)
for handler in logging.root.handlers:
handler.setFormatter(formatter)
def __init__(self, cloudwatch_trail_object):
config_handler = ConfigHandler.get_instance()
config = config_handler.config
self.__logger = logging.getLogger(__name__)
self.cloudwatch_trail_object = cloudwatch_trail_object
self.athena_handler = AthenaHandler(
cloudwatch_trail_object.home_region)
self.suspicious_tokens = []
# Gets all the temporary (Role Access tokens) used to create other Access tokens
self.__logger.info("[+] Searching for refreshed temporary tokens")
self.tokens_created_by_temporary_token_athena_rows = self.athena_handler.fetchall_athena(
GET_ACCESS_TOKENS_FROM_STS_QUERY.format(
config["athena"]["table_name"]),
config["athena"]["database_name"],
config["athena"]["output_location"])
self.access_keys_to_check = self.access_keys_ids_dict_generator(
self.tokens_created_by_temporary_token_athena_rows)
# Pair nodes to their parents
self.__match_parent_node_to_child(self.access_keys_to_check)
# Gets all the AKIA (User Access tokens) used to create other Access tokens
self.__logger.info(
"[+] Searching after users that their keys used for creating temporary tokens"
)
self.created_sts_tokens_from_main_access_keys_athena_rows = self.athena_handler.fetchall_athena(
GET_ORIGIN_ACCESS_TOKENS_FROM_STS_QUERY.format(
config["athena"]["table_name"]),
config["athena"]["database_name"],
config["athena"]["output_location"])
self.sts_persistence_root_temporary_keys_id_set = self.parse_athena_rows_sts_persistence_root_temporary_keys(
self.access_keys_to_check)
self.root_tokens = self.parse_athena_rows_akia_access_key_id_for_root_sts(
self.created_sts_tokens_from_main_access_keys_athena_rows,
self.sts_persistence_root_temporary_keys_id_set)
self.root_temporary_tokens = self.root_tokens[
ROOT_STS_TOKENS_USED_TO_REFRESH_STS]
# Get all the live temporary tokens in the account
self.__logger.info(
"[+] Searching after live temporary tokens under the AWS account")
self.live_temporary_tokens_athena_rows = self.athena_handler.fetchall_athena(
GET_LIVE_TEMPORARY_TOKENS_QUERY.format(
config["athena"]["table_name"]),
config["athena"]["database_name"],
config["athena"]["output_location"])
self.live_temporary_tokens = self.parse_athena_rows_live_temporary_tokens(
self.live_temporary_tokens_athena_rows)
self.get_info_for_live_temporary_tokens()
self.flag_suspicious_tokens()
def export_results(self):
config_handler = ConfigHandler.get_instance()
config = config_handler.config
project_path = get_project_root()
excel_output_file_location = os.path.join(
project_path, config["output"]["excel_output_file"].format(
trail=self.__sts_history_object.cloudwatch_trail_object.
trail_name,
account_id=config["account"]["account_id"],
date=config["run_timestamp"]))
summary_file_location = os.path.join(
project_path, config["output"]["summary_output_file"].format(
trail=self.__sts_history_object.cloudwatch_trail_object.
trail_name,
account_id=config["account"]["account_id"],
date=config["run_timestamp"]))
self.export_data_to_excel(excel_output_file_location)
self.create_summary_file(summary_file_location)
def client_session_creator(client_name, **kwargs):
"""
Creates client session based on the credentials the users entered in the config file
or it goes to the default AWS credentials
"""
config = ConfigHandler.get_instance().get_config()
if "verify" in kwargs:
overridden_verify_value = kwargs.pop("verify")
if config["account"]["aws_access_key_id"] is not None and config["account"]["aws_access_key_id"] != "" \
and config["account"]["aws_secret_access_key"] is not None and config["account"]["aws_secret_access_key"] != "":
kwargs["aws_access_key_id"] = config["account"]["aws_access_key_id"]
kwargs["aws_secret_access_key"] = config["account"][
"aws_secret_access_key"]
if config["account"]["aws_session_token"] is not None and config[
"account"]["aws_session_token"] != "":
kwargs["aws_session_token"] = config["account"]["aws_session_token"]
return boto3.client(client_name, verify=config["verify_https"], **kwargs)
def __init__(self):
self.__logger = logging.getLogger(__name__)
self.__config = ConfigHandler.get_instance().get_config()
self.trails = None
self.__raw_trails_list = []
def get_account_id():
config = ConfigHandler.get_instance().get_config()
sts_client = client_session_creator('sts')
aws_account_id = sts_client.get_caller_identity().get('Account')
return aws_account_id
def __init__(self):
ConfigHandler.__init__(self, self.fileName)
def __init__(self, athena_bucket_region):
self.__config = ConfigHandler.get_instance().get_config()
self.athena_client = client_session_creator(
'athena', region_name=athena_bucket_region)
self.__logger = logging.getLogger(__name__)