@@ -7,6 +7,8 @@ This tool analyzes IAM Role trust policies and S3 bucket policies in your AWS ac
77- 🔍 Analyzes IAM Role trust policies to identify who can assume your roles
88- 🔍 Checks S3 bucket policies to identify who has access to your data
99- 📊 Uses reference data from [ known AWS accounts] ( https://github.com/fwdcloudsec/known_aws_accounts ) to identify vendors
10+ - 🔒 Supports defining your own trusted AWS accounts to distinguish between internal and external access
11+ - 🏷️ Automatically detects and displays AWS account aliases for better readability
1012- 📝 Generates nice-looking console output with tables
1113- 📄 Creates a markdown report you can share with your security team
1214
@@ -36,6 +38,67 @@ This tool analyzes IAM Role trust policies and S3 bucket policies in your AWS ac
3638 export AWS_DEFAULT_REGION="your-region"
3739 ```
3840
41+ ## Required AWS Permissions
42+
43+ To run this script successfully, your AWS user or role needs the following permissions:
44+
45+ ``` json
46+ {
47+ "Version" : " 2012-10-17" ,
48+ "Statement" : [
49+ {
50+ "Effect" : " Allow" ,
51+ "Action" : [" iam:ListRoles" , " iam:GetRole" ],
52+ "Resource" : " *"
53+ },
54+ {
55+ "Effect" : " Allow" ,
56+ "Action" : [" s3:ListAllMyBuckets" , " s3:GetBucketPolicy" ],
57+ "Resource" : " *"
58+ },
59+ {
60+ "Effect" : " Allow" ,
61+ "Action" : [" sts:GetCallerIdentity" , " iam:ListAccountAliases" ],
62+ "Resource" : " *"
63+ }
64+ ]
65+ }
66+ ```
67+
68+ You can use the AWS built-in policies:
69+
70+ - ` IAMReadOnlyAccess ` - For IAM role analysis
71+ - ` AmazonS3ReadOnlyAccess ` - For S3 bucket policy analysis
72+
73+ Or create a custom policy with just the permissions listed above for more restricted access.
74+
75+ ## Trusted Accounts Configuration
76+
77+ You can define your own trusted AWS accounts to distinguish between your internal organization's accounts and external vendors. This helps you focus on identifying truly external access.
78+
79+ 1 . Create a ` trusted_accounts.yaml ` file in the same directory as the script:
80+
81+ ```
82+ cp trusted_accounts.yaml.sample trusted_accounts.yaml
83+ ```
84+
85+ 2 . Edit the file to include your organization's AWS accounts:
86+
87+ ``` yaml
88+ - name : " My Company Production"
89+ description : " Production AWS accounts"
90+ accounts :
91+ - " 123456789012"
92+ - " 234567890123"
93+
94+ - name : " My Company Development"
95+ description : " Development AWS accounts"
96+ accounts :
97+ - " 345678901234"
98+ ` ` `
99+
100+ If the ` trusted_accounts.yaml` file doesn't exist or is empty, the script will analyze all accounts as potential external access points.
101+
39102# # Usage
40103
41104Simply run the script :
@@ -47,10 +110,12 @@ python check.py
47110The script will :
48111
491121. Fetch the latest reference data of known AWS accounts
50- 2 . Check all IAM role trust policies in your account
51- 3 . Check all S3 bucket policies in your account
52- 4 . Display the results in a nice format in the console
53- 5 . Generate a markdown report file
113+ 2. Load any trusted accounts from your configuration (if available)
114+ 3. Get the current AWS account alias for better identification
115+ 4. Check all IAM role trust policies in your account
116+ 5. Check all S3 bucket policies in your account
117+ 6. Display the results in a nice format in the console
118+ 7. Generate a markdown report file
54119
55120# # Sample Output
56121
@@ -64,10 +129,20 @@ The script will:
64129
65130Fetching reference data of known AWS accounts...
66131✅ Found 480 known AWS accounts in the reference data
132+ Loading trusted AWS accounts...
133+ ✅ Loaded 5 trusted AWS accounts
134+
135+ Analyzing AWS Account: 123456789012 (my-company-dev)
67136
68137Checking IAM role trust policies...
69138Checking S3 bucket policies...
70139
140+ ┌─────────────── 🔒 Trusted Entities with IAM Role Access ───────────────┐
141+ │ Entity │ IAM Roles │
142+ │ ─────────────────┼──────────────────────────────────────────────── │
143+ │ My Company Prod │ CrossAccountRole │
144+ └──────────────────────────────────────────────────────────────────────┘
145+
71146┌─────────────── ✅ Known Vendors with IAM Role Access ───────────────┐
72147│ Vendor │ IAM Roles │
73148│ ─────────────────┼───────────────────────────────────────────── │
@@ -82,6 +157,7 @@ Checking S3 bucket policies...
82157
83158┌────────────────── AWS Account Analysis Results ─────────────────────┐
84159│ Summary: │
160+ │ 🔒 Trusted entities found: 1 │
85161│ 🔍 Known vendors found: 1 │
86162│ ❓ Unknown AWS accounts found: 1 │
87163└────────────────────────────────────────────────────────────────────┘
@@ -93,8 +169,10 @@ Checking S3 bucket policies...
93169
94170The generated markdown report will include:
95171
172+ - Trusted entities with IAM role access
96173- Known vendors with IAM role access
97174- Unknown AWS accounts with IAM role access
175+ - Trusted entities with S3 bucket access
98176- Known vendors with S3 bucket access
99177- Unknown AWS accounts with S3 bucket access
100178
0 commit comments