
flosell / Trailscraper

Licence: apache-2.0
A command-line tool to get valuable information out of AWS CloudTrail


TrailScraper


A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies

Installation

OSX

$ brew install trailscraper

Installation using pip

Requirements:

  • Python >= 3.5
  • pip

$ pip install trailscraper

Run directly using docker

$ docker run --rm --env-file <(env | grep AWS_) -v $HOME/.aws:/root/.aws flosell/trailscraper:latest

Usage

Get CloudTrail events matching a filter from CloudTrail API

$ trailscraper select --use-cloudtrail-api \
                      --filter-assumed-role-arn some-arn \
                      --from 'one hour ago' \
                      --to 'now'
{
  "Records": [
    {
      "eventTime": "2017-12-11T15:01:51Z",
      "eventSource": "autoscaling.amazonaws.com",
      "eventName": "DescribeLaunchConfigurations",
...

Download some logs

$ trailscraper download --bucket some-bucket \
                        --account-id some-account-id \
                        --region some-other-region \
                        --region us-east-1 \
                        --from 'two days ago' \
                        --to 'now'

Note: Include us-east-1 to download logs for global services. See below for details.

Download some logs in organisational trails

$ trailscraper download --bucket some-bucket \
                        --account-id some-account-id \
                        --region us-east-1 \
                        --org-id o-someorgid \
                        --from 'two days ago' \
                        --to 'now'

Find CloudTrail events matching a filter in downloaded logs

$ trailscraper select --filter-assumed-role-arn some-arn \
                      --from 'one hour ago' \
                      --to 'now'
{
  "Records": [
    {
      "eventTime": "2017-12-11T15:01:51Z",
      "eventSource": "autoscaling.amazonaws.com",
      "eventName": "DescribeLaunchConfigurations",
...

Generate Policy from some CloudTrail records

$ gzcat some-records.json.gz | trailscraper generate
{
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
} 
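
A simplified sketch of the record-to-policy step, added here as an illustration and not TrailScraper's own code. It assumes the IAM prefix is the first label of `eventSource` and the action is `eventName`, with a small override table for two cases where that rule is wrong; the function names and sample records are constructed.

```python
import json
from collections import defaultdict

# Known cases where "first label of eventSource + eventName" is not the
# IAM action. Only two are listed here; the real set of exceptions is larger.
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
ACTION_OVERRIDES = {"s3:ListObjects": "s3:ListBucket"}

def action_for(record):
    """Map one CloudTrail record to an IAM action name (heuristic)."""
    service = record["eventSource"].split(".")[0]
    prefix = PREFIX_OVERRIDES.get(service, service)
    action = f"{prefix}:{record['eventName']}"
    return ACTION_OVERRIDES.get(action, action)

def policy_from_records(records):
    """Group observed actions by the resource ARNs each record names."""
    actions_by_resources = defaultdict(set)
    for record in records:
        arns = sorted({r["ARN"] for r in record.get("resources") or [] if "ARN" in r})
        actions_by_resources[tuple(arns) or ("*",)].add(action_for(record))
    statements = [
        {"Action": sorted(actions), "Effect": "Allow", "Resource": list(resources)}
        for resources, actions in sorted(actions_by_resources.items())
    ]
    return {"Statement": statements, "Version": "2012-10-17"}

# Constructed sample records (account id and role name are placeholders).
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "resources": [{"ARN": "arn:aws:iam::111111111111:role/someRole"}]},
]

if __name__ == "__main__":
    print(json.dumps(policy_from_records(SAMPLE_RECORDS), indent=4))
```

Records that name no resource fall back to `"*"`, which is why most generated statements are unscoped and need narrowing by hand.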

Extend existing policy by guessing matching actions

CloudTrail logs might not always contain all relevant actions. For example, after a Terraform run your logs might only contain the Create actions, when you really want the delete and update permissions as well. TrailScraper can try to guess additional statements that might be relevant:

$ cat minimal-policy.json | trailscraper guess
{
    "Statement": [
        {
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListObjects"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
}
$ cat minimal-policy.json | trailscraper guess --only Get
{
    "Statement": [
        {
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Find CloudTrail events and generate an IAM Policy

$ trailscraper select | trailscraper generate
{
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::1111111111:role/someRole"
            ]
        }
    ],
    "Version": "2012-10-17"
} 

FAQ

How can I generate policies in CloudFormation YAML instead of JSON?

TrailScraper doesn't provide this. But you can use cfn-flip to do it:

$ trailscraper select | trailscraper generate | cfn-flip
Statement:
  - Action:
      - ec2:DescribeInstances
    Effect: Allow
    Resource:
      - '*'

How can I generate policies in Terraform HCL instead of JSON?

TrailScraper doesn't provide this. But you can use iam-policy-json-to-terraform to do it:

$ trailscraper select | trailscraper generate | iam-policy-json-to-terraform
data "aws_iam_policy_document" "policy" {
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "ec2:DescribeInstances",
    ]
  }
}

Why is TrailScraper missing some events?

  • Make sure you have logs for the us-east-1 region. Some global AWS services (e.g. Route53, IAM, STS, CloudFront) use this region. For details, check the CloudTrail Documentation.

Why are some TrailScraper-generated actions not real IAM actions?

This is totally possible. Unfortunately, there is no good, machine-readable documentation on how CloudTrail events map to IAM actions so TrailScraper is using heuristics to figure out the right actions. These heuristics likely don't cover all special cases of the AWS world.

This is where you come in: If you find a special case that's not covered by TrailScraper, please open a new issue or, even better, submit a pull request.

For more details, check out the contribution guide
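
Because both `generate` and `guess` work from heuristics, it helps to review their output before attaching it to a role. The check below is an added example, not part of TrailScraper: it flags actions missing from a reference list and non-read actions granted on `"*"`. `KNOWN_ACTIONS` is a constructed subset that omits `s3:ListObjects`, since listing objects is authorised by `s3:ListBucket`; the function names are hypothetical.

```python
import json

# Constructed subset of real IAM actions, for the demo only. In practice,
# load the complete action list from a reference you trust.
KNOWN_ACTIONS = {
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket",
    "ec2:DescribeInstances",
}
READ_ONLY_VERBS = ("get", "list", "describe")

def as_list(value):
    """IAM allows a bare string where a list is expected."""
    return value if isinstance(value, list) else [value]

def review_policy(policy, known_actions=KNOWN_ACTIONS):
    """Return (statement index, action, finding) tuples for a human to review."""
    known = {a.lower() for a in known_actions}  # IAM action names are case-insensitive
    findings = []
    for index, statement in enumerate(as_list(policy["Statement"])):
        if statement.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(statement.get("Resource", []))
        for action in as_list(statement.get("Action", [])):
            name = action.lower()
            if name not in known:
                findings.append((index, action, "unknown-action"))
            elif wildcard and not name.split(":", 1)[1].startswith(READ_ONLY_VERBS):
                findings.append((index, action, "write-on-wildcard-resource"))
    return findings

# The `trailscraper guess` output shown earlier on this page.
GUESSED_POLICY = json.loads("""
{"Statement": [
  {"Action": ["s3:PutObject"], "Effect": "Allow", "Resource": ["*"]},
  {"Action": ["s3:DeleteObject", "s3:GetObject", "s3:ListObjects"],
   "Effect": "Allow", "Resource": ["*"]}],
 "Version": "2012-10-17"}
""")

if __name__ == "__main__":
    for finding in review_policy(GUESSED_POLICY):
        print(finding)
```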

Why does click think I am in an ASCII environment?

Click will abort further execution because Python 3 was configured to use ASCII as encoding for the environment.

Set environment variables that describe your locale, e.g.:

export LC_ALL=de_DE.utf-8
export LANG=de_DE.utf-8

or

export LC_ALL=C.UTF-8
export LANG=C.UTF-8

For details, see http://click.pocoo.org/5/python3/#python-3-surrogate-handling

Development

$ ./go setup   # set up venv, dependencies and tools
$ ./go test    # run some tests
$ ./go check   # run some style checks
$ ./go         # let's see what we can do here