Skip to content

jonathanstockton/awsxenos-airwalk-grads

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
awsxenos
awsxenos
 
 
example
example
 
 
screenshots
screenshots
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
Jenkinsfile
Jenkinsfile
 
 
LICENSE
LICENSE
 
 
MANIFEST.in
MANIFEST.in
 
 
README.md
README.md
 
 
acknowledgements.md
acknowledgements.md
 
 
jobdsl.groovy
jobdsl.groovy
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 
tox.ini
tox.ini
 
 

Repository files navigation

AWS External Account Scanner

Xenos, is Greek for stranger.

AWSXenos will list all the trust relationships in all the IAM roles, and S3 buckets, in an AWS account and give you a breakdown of all the accounts that have trust relationships to your account. It will also highlight whether the trusts have an external ID or not.

This tool reports against the Trusted Relationship Technique of the ATT&CK Framework.

  • For the "known" accounts list AWSXenos uses a modified version of known AWS Account IDs.
  • For the Org accounts list AWSXenos query AWS Organizations.
  • AWS Services are classified separately.
  • Everything else falls under unknown account

Example

HTML Report Screenshot

Why

Access Analyzer falls short because:

  1. You need to enable it in every region.

  2. Identified external entities might be known entities. E.g. a trusted third party vendor or a vendor you no longer trust. An Account number is seldom useful.

  3. Zone of trust is a fixed set of the AWS organisation. You won’t know if a trust between sandbox->prod has been established.

  4. Does not identify AWS Service principals. This is mainly important because of Wiz's AWSConfig, et al vulnverabilities

How to run

Cli

pip install AWSXenos
awsxenos --reporttype HTML -w report.html
awsxenos --reporttype JSON -w report.json

You will get an HTML and JSON report.

See example report

Library

from awsxenos.scan import Scan
from awsxenos.report import Report

s = Scan()
r = Report(s.findings, s.known_accounts_data)
json_summary = r.JSON_report()
html_summary = r.HTML_report()

IAM Permissions

Permissions required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListRoles"
        "organizations:ListAccounts",
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicy",
        "s3:GetBucketAcl"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Development

python3 -m env venv
source /env/bin/activate
pip install -r requirements.txt

I want to add more known accounts

Create a PR or raise an issue. Contributions are welcome.

Features

  • IAM Roles
  • S3 Bucket Policies and ACLs
  • Use as library
  • HTML and JSON output
  • Supports AWS Services

TODO

  • Add support for more resource policies services, e.g. SecretsManager, KSM, SNS, SQS, Lambda
  • Add support for Cognito, RAM
  • Add support for VPCE

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages