| from jira import JIRA | |
| import click | |
| import getpass | |
| ISSUE_SUMMARY = "Overly permissive AWS IAM Policies in use" | |
| ISSUE_DESCRIPTION = """As part of our security assessment, our team ran Cloudsplaining on your AWS account. | |
| Cloudsplaining maps out the IAM risk landscape in a report, identifies where resource ARN constraints are not used, and | |
| identifies other risks in IAM policies like Privilege Escalation, Data Exfiltration, and Resource Exposure. |
| { | |
| "basics": { | |
| "email": "kinnairdm@gmail.com", | |
| "image": "https://avatars.githubusercontent.com/u/3422255?s=400\u0026u=3aa6c1944134c93d3eb1500028e54826ce561f7f\u0026v=4", | |
| "label": "Lead Security Engineer", | |
| "location": { | |
| "city": "San Francisco", | |
| "countryCode": "US", | |
| "region": "California" | |
| }, |
This only works when you have the victim account ID. For this example, let's say that the victim account ID is 999988887777.
First, create a role that we can use for this demo. This role is in your own account.
aws iam create-role --role-name test-enumeration \
--assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}'
| service_prefix | name | SOC | PCI | ISO | FedRAMP_High | FedRAMP_Moderate | HIPAA | HITRUST | IRAP | OSPAR | FINMA | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| a4b | Alexa for Business | true | ||||||||||
| access-analyzer | IAM Access Analyzer | |||||||||||
| account | AWS Accounts | true | true | true | true | true | true | true | true | true | ||
| acm | AWS Certificate Manager | true | true | true | true | true | true | true | true | true | ||
| acm-pca | AWS Certificate Manager Private Certificate Authority | |||||||||||
| activate | AWS Activate | |||||||||||
| airflow | Amazon Managed Workflows for Apache Airflow | |||||||||||
| amplify | AWS Amplify | true | true | true | true | true | true | |||||
| amplifybackend | AWS Amplify Admin | true | true | true | true | true | true |
| #!/usr/bin/env python3 | |
| # git clones a repository into $HOME/Code/github.com/username/repository and then open it in Pycharm, all in one command | |
| # Example: | |
| """ | |
| git_clone_open_in_pycharm.py -u git@github.com:pyupio/pyup.git | |
| # This will create $HOME/Code/github.com/username/repository | |
| """ | |
| import os | |
| import subprocess | |
| import argparse |
go list std | tr -d "\[|\]" | tr " " "\n" | sort -u > std-library
go list -f {{.Deps}} | tr -d "\[|\]" | tr " " "\n" | sort -u > all-dependencies
sort std-library std-library all-dependencies | uniq -uOthers:
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "PreventSelfManagedImages", | |
| "Action": [ | |
| "ecr:BatchDeleteImage", | |
| "ecr:CompleteLayerUpload", | |
| "ecr:Create*", | |
| "ecr:Delete*", |
| #!/usr/bin/env bash | |
| for sub in `az account list | jq -r '.[].id'`; do \ | |
| for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \ | |
| az group delete --name ${rg} --subscription $sub --no-wait --yes; \ | |
| done; done; |
| resource "null_resource" "nuke" { | |
| # Because we set this to timestamp, it *always* runs :D | |
| triggers = { | |
| party_like_its_jan_1_1970 = timestamp() | |
| } | |
| provisioner "local-exec" { | |
| # Pseudocode for some bash magic that: | |
| # 1. gets a list of all subscriptions | |
| # 2. For each subscription, list the resource groups |
| mode: crud | |
| name: 'ServerlessAppDeployAutomationUser' | |
| # Specify resource ARNs | |
| read: | |
| - 'arn:aws:execute-api:*:*:*/*/*/*' | |
| - 'arn:aws:lambda:*:*:function:cloudsplaining-*' | |
| - 'arn:aws:s3:::cloudsplaining-serverless-*/*' | |
| - 'arn:aws:cloudfront::*:distribution/mydistributionid' | |
| write: | |
| - 'arn:aws:execute-api:*:*:*/*/*/*' |