def list_access_keys(self, user_name):
    """Fetch the IAM access keys of ``user_name`` and hand each one to ``save_data``.

    Each ``AccessKeyMetadata`` entry returned by ``iam:ListAccessKeys`` is
    persisted into the ``'access_keys'`` collection together with a lookup
    condition on its ``AccessKeyId``; how that condition is applied is
    decided by the enclosing class's ``save_data``.

    Args:
        user_name: IAM user name passed as ``UserName`` to the API call.
    """
    response = run_single_region('iam', 'list_access_keys', {'UserName': user_name})
    # NOTE(review): assumes run_single_region follows IsTruncated/Marker
    # pagination; otherwise keys past the first page are not stored -- confirm.
    for key_record in response["AccessKeyMetadata"]:
        key_lookup = simple_storage.where('AccessKeyId') == key_record['AccessKeyId']
        self.save_data(key_record, key_lookup, 'access_keys')
def list_users(self):
    """Persist every IAM user of the account and then gather its access keys.

    Each ``Users`` entry returned by ``iam:ListUsers`` is stored in the
    ``'users'`` collection with a lookup condition on its ``UserName``;
    ``list_access_keys`` is then called for that user so the key inventory
    is collected in the same pass.
    """
    response = run_single_region('iam', 'list_users', {})
    # NOTE(review): assumes run_single_region follows IsTruncated/Marker
    # pagination; otherwise users past the first page are missed -- confirm.
    for user_record in response['Users']:
        name = user_record['UserName']
        user_lookup = simple_storage.where('UserName') == name
        self.save_data(user_record, user_lookup, 'users')
        self.list_access_keys(name)
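def init(self):
    """Map which IAM principals can read or replace the code of which Lambda functions.

    Reads the functions gathered under ``'lambda_function'`` and the
    principals gathered under ``'iam_gatherusers'`` / ``'iam_gatherroles'``
    from ``simple_storage``, runs one ``iam:SimulatePrincipalPolicy`` call per
    principal for ``lambda:GetFunction`` and ``lambda:UpdateFunctionCode``
    against every function ARN, and for each result decided ``allowed`` calls
    ``BaseRoleNode.relate(self.storage, BaseLambdaNode(...), action)``
    (presumably recording a principal -> function edge labelled with the
    action).

    The simulation sets ``aws:multifactorauthpresent`` to ``true``, so the
    outcome reflects what an MFA-authenticated session may do; policies that
    only deny without MFA are not reflected here.

    Returns early without any API call when no function was gathered.
    """
    all_lambda_functions = simple_storage.all_records('lambda_function')
    all_lambda_functions_arn = {fn['FunctionArn'] for fn in all_lambda_functions}
    if not all_lambda_functions_arn:
        # Nothing to simulate against; avoids loading principals and
        # issuing simulations with an empty ResourceArns list.
        return

    all_principals = simple_storage.all_records('iam_gatherusers')
    all_principals.extend(simple_storage.all_records('iam_gatherroles'))

    # Request parts that do not depend on the principal, built once.
    action_names = ['lambda:GetFunction', 'lambda:UpdateFunctionCode']
    resource_arns = list(all_lambda_functions_arn)
    context_entries = [{
        'ContextKeyName': 'aws:multifactorauthpresent',
        'ContextKeyType': 'boolean',
        'ContextKeyValues': ['true'],
    }]

    for principal in all_principals:
        principal_arn = principal['Arn']
        simulation_params = {
            'PolicySourceArn': principal_arn,
            'ActionNames': action_names,
            'ResourceArns': resource_arns,
            'ContextEntries': context_entries,
        }
        all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
        # NOTE(review): assumes run_single_region follows IsTruncated/Marker
        # pagination; with many functions the result set can span pages -- confirm.
        for simulation_data in all_simulations["EvaluationResults"]:
            if simulation_data["EvalDecision"] != "allowed":
                continue
            # EvalResourceName is the function ARN the decision applies to.
            lambda_node = BaseLambdaNode(simulation_data['EvalResourceName'])
            role_node = BaseRoleNode(principal_arn)
            role_node.relate(self.storage, lambda_node, simulation_data['EvalActionName'])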
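def init(self):
    """Map which IAM principals can run commands on EC2 instances through SSM.

    Reads the instances gathered under ``'ec2_gather'`` and the principals
    gathered under ``'iam_gatherusers'`` / ``'iam_gatherroles'`` from
    ``simple_storage``, then simulates ``ssm:SendCommand`` for each principal
    against the ``AWS-RunPowerShellScript`` document ARN.  Every result decided
    ``allowed`` is related to *every* gathered instance -- plus a synthetic
    ``ALL-INSTANCES`` entry -- via
    ``BaseRoleNode.relate(self.storage, BaseEC2Node(instance_id), action)``.

    The simulation sets ``aws:multifactorauthpresent`` to ``true``, so the
    outcome reflects what an MFA-authenticated session may do.

    NOTE(review): only the document ARN is simulated; the instance-level
    authorization that SendCommand also performs is not modelled, so the
    mapping can over-report per-instance reach.  Confirm whether an
    instance-scoped simulation (``arn:aws:ec2:*:*:instance/<id>``) was intended.
    """
    all_instances = simple_storage.all_records('ec2_gather')
    # Synthetic entry so that a grant is recorded even when no real
    # instance was gathered.
    all_instances.append({'InstanceId': "ALL-INSTANCES"})

    all_principals = simple_storage.all_records('iam_gatherusers')
    all_principals.extend(simple_storage.all_records('iam_gatherroles'))

    # Request parts that do not depend on the principal, built once.
    action_names = ['ssm:SendCommand']
    resource_arns = ['arn:aws:ssm:*:*:document/AWS-RunPowerShellScript']
    context_entries = [{
        'ContextKeyName': 'aws:multifactorauthpresent',
        'ContextKeyType': 'boolean',
        'ContextKeyValues': ['true'],
    }]

    for principal in all_principals:
        principal_arn = principal['Arn']
        simulation_params = {
            'PolicySourceArn': principal_arn,
            'ActionNames': action_names,
            'ResourceArns': resource_arns,
            'ContextEntries': context_entries,
        }
        all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
        # NOTE(review): assumes run_single_region follows IsTruncated/Marker
        # pagination -- confirm.
        for simulation_data in all_simulations["EvaluationResults"]:
            if simulation_data["EvalDecision"] != "allowed":
                continue
            action_name = simulation_data['EvalActionName']
            # The decision is per document, not per instance, so it is
            # fanned out to every instance record.
            for instance in all_instances:
                ec2_node = BaseEC2Node(instance['InstanceId'])
                role_node = BaseRoleNode(principal_arn)
                role_node.relate(self.storage, ec2_node, action_name)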
def get_all_buckets(self):
    """Persist every S3 bucket returned by ``s3:ListBuckets``.

    Each ``Buckets`` entry is handed to ``save_data`` together with a lookup
    condition on its ``Name``; the enclosing class decides how that
    condition is used.
    """
    response = run_single_region('s3', 'list_buckets', {})
    for bucket_record in response['Buckets']:
        bucket_lookup = simple_storage.where('Name') == bucket_record['Name']
        self.save_data(bucket_record, bucket_lookup)
def list_roles(self):
    """Persist every IAM role returned by ``iam:ListRoles``.

    Each ``Roles`` entry is stored in the ``'roles'`` collection with a
    lookup condition on its ``RoleName``.
    """
    response = run_single_region('iam', 'list_roles', {})
    # NOTE(review): assumes run_single_region follows IsTruncated/Marker
    # pagination; otherwise roles past the first page are missed -- confirm.
    for role_record in response['Roles']:
        role_lookup = simple_storage.where('RoleName') == role_record['RoleName']
        self.save_data(role_record, role_lookup, 'roles')
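def init(self):
    """Map which IAM principals can act on which EC2 instances.

    Reads the instances gathered under ``'ec2_gather'`` and the principals
    gathered under ``'iam_gatherusers'`` / ``'iam_gatherroles'`` from
    ``simple_storage``, runs ``iam:SimulatePrincipalPolicy`` for each
    principal and, for every result decided ``allowed``, calls
    ``BaseRoleNode.relate(self.storage, BaseEC2Node(instance_id), action)``
    (presumably recording a principal -> instance edge labelled with the
    action).

    Two kinds of simulation are issued per principal:

    * resource-scoped, one call per action group (AttachVolume/DetachVolume,
      StartInstances/StopInstances, AssociateIamInstanceProfile) against the
      explicit instance ARNs ``arn:aws:ec2:*:*:instance/<id>``; the edge is
      recorded only for the instance named in ``EvalResourceName``;
    * unscoped (no ``ResourceArns``): DescribeInstances,
      ModifyInstanceAttribute, CopySnapshot and RunInstances; an allowed
      result is recorded against every gathered instance plus the synthetic
      ``ALL-INSTANCES`` entry.

    All simulations set ``aws:multifactorauthpresent`` to ``true``, so the
    outcome reflects what an MFA-authenticated session may do; policies that
    only deny without MFA are not reflected here.
    """
    basic_arn = 'arn:aws:ec2:*:*:instance/'

    all_instances = simple_storage.all_records('ec2_gather')
    # Synthetic entry so that a wildcard-scoped grant is recorded even when
    # no real instance was gathered.
    all_instances.append({'InstanceId': "ALL-INSTANCES"})
    resource_arns = [basic_arn + instance['InstanceId'] for instance in all_instances]

    all_principals = simple_storage.all_records('iam_gatherusers')
    all_principals.extend(simple_storage.all_records('iam_gatherroles'))

    # Kept as separate calls rather than one merged action list so the
    # request granularity matches what the API has been exercised with.
    scoped_action_groups = (
        ['ec2:AttachVolume', 'ec2:DetachVolume'],
        ['ec2:StartInstances', 'ec2:StopInstances'],
        ['ec2:AssociateIamInstanceProfile'],
    )
    unscoped_actions = [
        'ec2:DescribeInstances',
        'ec2:ModifyInstanceAttribute',
        'ec2:CopySnapshot',
        'ec2:RunInstances',
    ]

    for principal in all_principals:
        principal_arn = principal['Arn']

        for action_names in scoped_action_groups:
            for result in self._simulate_allowed(principal_arn, action_names, resource_arns):
                # EvalResourceName is the full instance ARN; strip the
                # prefix to recover the instance id used as the node key.
                instance_id = result['EvalResourceName'][len(basic_arn):]
                self._relate_instance(principal_arn, instance_id, result['EvalActionName'])

        for result in self._simulate_allowed(principal_arn, unscoped_actions):
            # Without ResourceArns the decision is not per instance, so it
            # is fanned out to every instance record.
            for instance in all_instances:
                self._relate_instance(principal_arn, instance['InstanceId'], result['EvalActionName'])

def _simulate_allowed(self, principal_arn, action_names, resource_arns=None):
    """Run one policy simulation and yield the evaluation results decided ``allowed``.

    Args:
        principal_arn: ARN passed as ``PolicySourceArn``.
        action_names: list of IAM action names to simulate.
        resource_arns: explicit resource ARNs, or ``None`` to omit
            ``ResourceArns`` from the request entirely.

    Yields:
        Each ``EvaluationResults`` entry whose ``EvalDecision`` is ``"allowed"``.
    """
    simulation_params = {
        'PolicySourceArn': principal_arn,
        'ActionNames': action_names,
        'ContextEntries': [{
            'ContextKeyName': 'aws:multifactorauthpresent',
            'ContextKeyType': 'boolean',
            'ContextKeyValues': ['true'],
        }],
    }
    if resource_arns is not None:
        simulation_params['ResourceArns'] = resource_arns
    all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
    # NOTE(review): assumes run_single_region follows IsTruncated/Marker
    # pagination; with many instances the result set can span pages -- confirm.
    for simulation_data in all_simulations["EvaluationResults"]:
        if simulation_data["EvalDecision"] == "allowed":
            yield simulation_data

def _relate_instance(self, principal_arn, instance_id, action_name):
    """Relate ``principal_arn`` to the EC2 instance ``instance_id`` under ``action_name``.

    Builds fresh ``BaseRoleNode`` / ``BaseEC2Node`` objects for each call
    and delegates to ``BaseRoleNode.relate`` with ``self.storage``.
    """
    ec2_node = BaseEC2Node(instance_id)
    role_node = BaseRoleNode(principal_arn)
    role_node.relate(self.storage, ec2_node, action_name)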