Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 1ad3123

Browse files
author
Victor Grenu
committed
trusted accounts capa, account alias
1 parent ad324e1 commit 1ad3123

3 files changed

Lines changed: 344 additions & 27 deletions

File tree

README.md

Lines changed: 82 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@ This tool analyzes IAM Role trust policies and S3 bucket policies in your AWS ac
77
- 🔍 Analyzes IAM Role trust policies to identify who can assume your roles
88
- 🔍 Checks S3 bucket policies to identify who has access to your data
99
- 📊 Uses reference data from [known AWS accounts](https://github.com/fwdcloudsec/known_aws_accounts) to identify vendors
10+
- 🔒 Supports defining your own trusted AWS accounts to distinguish between internal and external access
11+
- 🏷️ Automatically detects and displays AWS account aliases for better readability
1012
- 📝 Generates nice-looking console output with tables
1113
- 📄 Creates a markdown report you can share with your security team
1214

@@ -36,6 +38,67 @@ This tool analyzes IAM Role trust policies and S3 bucket policies in your AWS ac
3638
export AWS_DEFAULT_REGION="your-region"
3739
```
3840

41+
## Required AWS Permissions
42+
43+
To run this script successfully, your AWS user or role needs the following permissions:
44+
45+
```json
46+
{
47+
"Version": "2012-10-17",
48+
"Statement": [
49+
{
50+
"Effect": "Allow",
51+
"Action": ["iam:ListRoles", "iam:GetRole"],
52+
"Resource": "*"
53+
},
54+
{
55+
"Effect": "Allow",
56+
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy"],
57+
"Resource": "*"
58+
},
59+
{
60+
"Effect": "Allow",
61+
"Action": ["sts:GetCallerIdentity", "iam:ListAccountAliases"],
62+
"Resource": "*"
63+
}
64+
]
65+
}
66+
```
67+
68+
You can use the AWS built-in policies:
69+
70+
- `IAMReadOnlyAccess` - For IAM role analysis
71+
- `AmazonS3ReadOnlyAccess` - For S3 bucket policy analysis
72+
73+
Or create a custom policy with just the permissions listed above for more restricted access.
74+
75+
## Trusted Accounts Configuration
76+
77+
You can define your own trusted AWS accounts to distinguish between your internal organization's accounts and external vendors. This helps you focus on identifying truly external access.
78+
79+
1. Create a `trusted_accounts.yaml` file in the same directory as the script:
80+
81+
```
82+
cp trusted_accounts.yaml.sample trusted_accounts.yaml
83+
```
84+
85+
2. Edit the file to include your organization's AWS accounts:
86+
87+
```yaml
88+
- name: "My Company Production"
89+
description: "Production AWS accounts"
90+
accounts:
91+
- "123456789012"
92+
- "234567890123"
93+
94+
- name: "My Company Development"
95+
description: "Development AWS accounts"
96+
accounts:
97+
- "345678901234"
98+
```
99+
100+
If the `trusted_accounts.yaml` file doesn't exist or is empty, the script will analyze all accounts as potential external access points.
101+
39102
## Usage
40103

41104
Simply run the script:
@@ -47,10 +110,12 @@ python check.py
47110
The script will:
48111

49112
1. Fetch the latest reference data of known AWS accounts
50-
2. Check all IAM role trust policies in your account
51-
3. Check all S3 bucket policies in your account
52-
4. Display the results in a nice format in the console
53-
5. Generate a markdown report file
113+
2. Load any trusted accounts from your configuration (if available)
114+
3. Get the current AWS account alias for better identification
115+
4. Check all IAM role trust policies in your account
116+
5. Check all S3 bucket policies in your account
117+
6. Display the results in a nice format in the console
118+
7. Generate a markdown report file
54119

55120
## Sample Output
56121

@@ -64,10 +129,20 @@ The script will:
64129

65130
Fetching reference data of known AWS accounts...
66131
✅ Found 480 known AWS accounts in the reference data
132+
Loading trusted AWS accounts...
133+
✅ Loaded 5 trusted AWS accounts
134+
135+
Analyzing AWS Account: 123456789012 (my-company-dev)
67136

68137
Checking IAM role trust policies...
69138
Checking S3 bucket policies...
70139

140+
┌─────────────── 🔒 Trusted Entities with IAM Role Access ───────────────┐
141+
│ Entity │ IAM Roles │
142+
│ ─────────────────┼──────────────────────────────────────────────── │
143+
│ My Company Prod │ CrossAccountRole │
144+
└──────────────────────────────────────────────────────────────────────┘
145+
71146
┌─────────────── ✅ Known Vendors with IAM Role Access ───────────────┐
72147
│ Vendor │ IAM Roles │
73148
│ ─────────────────┼───────────────────────────────────────────── │
@@ -82,6 +157,7 @@ Checking S3 bucket policies...
82157

83158
┌────────────────── AWS Account Analysis Results ─────────────────────┐
84159
│ Summary: │
160+
│ 🔒 Trusted entities found: 1 │
85161
│ 🔍 Known vendors found: 1 │
86162
│ ❓ Unknown AWS accounts found: 1 │
87163
└────────────────────────────────────────────────────────────────────┘
@@ -93,8 +169,10 @@ Checking S3 bucket policies...
93169
94170
The generated markdown report will include:
95171
172+
- Trusted entities with IAM role access
96173
- Known vendors with IAM role access
97174
- Unknown AWS accounts with IAM role access
175+
- Trusted entities with S3 bucket access
98176
- Known vendors with S3 bucket access
99177
- Unknown AWS accounts with S3 bucket access
100178

0 commit comments

Comments
 (0)