
AirWalk-Digital / AWSXenos

Licence: MIT license
AWSXenos will list all the trust relationships in all the IAM roles and S3 buckets


AWS External Account Scanner

Xenos is Greek for stranger.

AWSXenos lists all the trust relationships in all the IAM roles and S3 buckets in an AWS account and gives you a breakdown of the accounts that have trust relationships with your account. It also highlights whether each trust requires an external ID.

This tool reports against the Trusted Relationship Technique of the ATT&CK Framework.

  • For the "known" accounts list, AWSXenos uses a modified version of known AWS Account IDs.
  • For the Org accounts list, AWSXenos queries AWS Organizations.
  • AWS Services are classified separately.
  • Everything else falls under "unknown account".
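As an added illustration of the classification the bullets above describe (this is example code written for this page, not the project's own), the following Python flattens a constructed IAM role trust policy into one finding per principal, bucketing each as an AWS service, an Organizations account, a known account, or unknown, and records whether the statement requires an sts:ExternalId. The account IDs, the known-accounts map, and the role name are all made up.

```python
import re
# Constructed sample data (not the project's own); every account ID is made up.
ORG_ACCOUNTS = {"111111111111", "222222222222"}      # what organizations:ListAccounts would return
KNOWN_ACCOUNTS = {"333333333333": "example vendor"}  # stand-in for the curated known-accounts list
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify_principal(principal):
    """Bucket one Statement.Principal as the README describes: aws_service, org, known, else unknown."""
    if isinstance(principal, str):            # "Principal": "*"
        principal = {"AWS": principal}
    results = [("aws_service", s) for s in _as_list(principal.get("Service", []))]
    for p in _as_list(principal.get("AWS", [])):
        m = ACCOUNT_RE.match(p)
        acct = m.group(1) if m else p          # bare 12-digit IDs are also valid here
        if acct in ORG_ACCOUNTS:
            results.append(("org", acct))
        elif acct in KNOWN_ACCOUNTS:
            results.append(("known", acct))
        else:
            results.append(("unknown", acct))  # covers "*" and any unlisted account
    for key in principal.keys() - {"Service", "AWS"}:   # Federated, CanonicalUser, ...
        results += [("unknown", p) for p in _as_list(principal[key])]
    return results

def has_external_id(statement):
    """True if some Condition operator constrains sts:ExternalId."""
    return any("sts:ExternalId" in c for c in statement.get("Condition", {}).values() if isinstance(c, dict))

def scan_trust_policy(role_name, policy):
    """Flatten an AssumeRolePolicyDocument into one finding per allowed principal."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for category, ident in classify_principal(st.get("Principal", {})):
            findings.append({"role": role_name, "principal": ident, "category": category,
                             "external_id": has_external_id(st)})
    return findings

# Constructed trust policy for a hypothetical role, one statement per category.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}},
     "Principal": {"AWS": ["333333333333", "arn:aws:iam::444444444444:role/ci"]}},
]}
```

In a real run the policy document comes from `iam:ListRoles` (its `AssumeRolePolicyDocument` field) and the org set from `organizations:ListAccounts`; the `unknown` finding for account 444444444444 is the kind of trust the tool is meant to surface.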

Example

HTML Report Screenshot

Why

Access Analyzer falls short because:

  1. You need to enable it in every region.

  2. Identified external entities might be known entities, e.g. a trusted third-party vendor or a vendor you no longer trust. A bare account number is seldom useful.

  3. The zone of trust is a fixed set of the AWS organisation. You won't know if a trust between sandbox->prod has been established.

  4. It does not identify AWS Service principals. This is mainly important because of the AWS Config and similar vulnerabilities reported by Wiz.

How to run

Cli

pip install AWSXenos
awsxenos --reporttype HTML -w report.html
awsxenos --reporttype JSON -w report.json

You will get an HTML and JSON report.

See example report

Library

from awsxenos.scan import Scan
from awsxenos.report import Report

s = Scan()  # enumerates IAM role trust policies and S3 bucket policies/ACLs in the current account
r = Report(s.findings, s.known_accounts_data)
json_summary = r.JSON_report()
html_summary = r.HTML_report()

IAM Permissions

Permissions required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListRoles",
        "organizations:ListAccounts",
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicy",
        "s3:GetBucketAcl"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Development

python3 -m venv env
source env/bin/activate
pip install -r requirements.txt

I want to add more known accounts

Create a PR or raise an issue. Contributions are welcome.

Features

  • IAM Roles
  • S3 Bucket Policies and ACLs
  • Use as library
  • HTML and JSON output
  • Supports AWS Services

TODO

  • Add support for more services with resource policies, e.g. SecretsManager, KMS, SNS, SQS, Lambda
  • Add support for Cognito, RAM
  • Add support for VPCE