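def audit_iam(findings, region):
    """Run the IAM admin analysis for *region* and add IAM findings to *findings*.

    Args:
        findings: Findings collection the results are added to (mutated in place).
        region: region object passed straight through to find_admins_in_account.

    Side effects:
        Adds whatever find_admins_in_account emits for *region*, and additionally
        one IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL finding per principal that is trusted
        by a service outside the expected set, can list all buckets and can read
        objects, and is not already recorded as an unexpected admin.
    """
    # By calling the code to find the admins, we'll exercise the code that finds problems.
    find_admins_in_account(region, findings)

    # By default we get the findings for the admins, but we can also look for specific
    # privileges, so we'll look for who has s3:ListAllMyBuckets and then only use those
    # findings that are for a compute resource having this privilege
    s3_listing_findings = Findings()
    s3_get_findings = Findings()

    # TODO Running find_admins_in_account is really slow, and now we're running it 3 times.
    # So figure out a way to run it once.
    find_admins_in_account(
        region, s3_listing_findings, privs_to_look_for=["s3:ListAllMyBuckets"]
    )
    find_admins_in_account(region, s3_get_findings, privs_to_look_for=["s3:GetObject"])

    # Service principals that are expected to enumerate buckets; a principal trusted
    # only by these is not reported as an exfiltration path.
    expected_services = frozenset(
        ["config.amazonaws.com", "trustedadvisor.amazonaws.com", "macie.amazonaws.com"]
    )

    for flist in s3_listing_findings:
        if flist.issue_id != "IAM_UNEXPECTED_ADMIN_PRINCIPAL":
            continue

        services = make_list(
            flist.resource_details.get("Principal", {}).get("Service", "")
        )
        # The recorded finding does not depend on which service is unexpected, so
        # decide once per principal instead of once per service; this is what keeps
        # a principal trusted by several unexpected services from being added twice.
        if not any(service not in expected_services for service in services):
            continue

        # The principal can list S3 buckets and is associated with an unexpected
        # service, so check whether it can read data from the buckets as well.
        can_get_objects = any(
            fget.issue_id == "IAM_UNEXPECTED_ADMIN_PRINCIPAL"
            and fget.resource_id == flist.resource_id
            for fget in s3_get_findings
        )
        if not can_get_objects:
            continue

        # Skip principals already reported as an unexpected admin (that finding
        # subsumes this one) or already reported as an exfil principal.
        already_recorded = any(
            f.resource_id == flist.resource_id
            and f.issue_id
            in ("IAM_UNEXPECTED_ADMIN_PRINCIPAL", "IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL")
            for f in findings
        )
        if already_recorded:
            continue

        flist.issue_id = "IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL"
        findings.add(flist)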
def audit_iam(findings, region):
    """Populate *findings* with the IAM results for *region*.

    The IAM analysis itself lives in find_admins_in_account; this entry point
    only wires it to the shared findings collection. Returns None.
    """
    find_admins_in_account(region, findings)