mgeeky-Penetration-Testing-.../clouds/aws/evaluate-iam-role.sh

94 lines
2.6 KiB
Bash
Raw Normal View History

2019-12-03 16:34:06 +01:00
#!/bin/bash
if [ $# -ne 2 ]; then
echo "Usage: evaluate-iam-role.sh <profile> <role-name>"
exit 1
fi
PROFILE=$1
ROLE_NAME=$2
known_dangerous_permissions=(
"*:*"
2019-12-03 16:34:06 +01:00
"iam:CreatePolicyVersion"
"iam:SetDefaultPolicyVersion"
"iam:PassRole"
"ec2:RunInstances"
"iam:CreateAccessKey"
"iam:CreateLoginProfile"
"iam:UpdateLoginProfile"
"iam:AttachUserPolicy"
"iam:AttachGroupPolicy"
"iam:AttachRolePolicy"
"iam:PutUserPolicy"
"iam:PutGroupPolicy"
"iam:PutRolePolicy"
"iam:AddUserToGroup"
"iam:UpdateAssumeRolePolicy"
"sts:AssumeRole"
"iam:PassRole"
"lambda:CreateFunction"
"lambda:InvokeFunction"
"lambda:CreateEventSourceMapping"
"lambda:UpdateFunctionCode"
"glue:CreateDevEndpoint"
"glue:UpdateDevEndpoint"
"cloudformation:CreateStack"
"datapipeline:CreatePipeline"
"datapipeline:PutPipelineDefinition"
)
role_policy=$(aws --profile $PROFILE iam get-role --role-name $ROLE_NAME)
echo -e "=============== Role: $ROLE_NAME ==============="
echo "$role_policy"
IFS=$'\n'
attached_role_policies=($(aws --profile $PROFILE iam list-attached-role-policies --role-name $ROLE_NAME | jq -r '.AttachedPolicies[].PolicyArn'))
dangerous_permissions=()
2019-12-05 17:58:18 +01:00
all_perms=()
2019-12-03 16:34:06 +01:00
for policy in "${attached_role_policies[@]}" ; do
echo -e "\n=============== Attached Policy Arn: $policy ==============="
version_id=$(aws --profile $PROFILE iam get-policy --policy-arn $policy | jq -r '.Policy.DefaultVersionId')
policy_version=$(aws --profile $PROFILE iam get-policy-version --policy-arn $policy --version-id $version_id)
echo "$policy_version"
2019-12-05 17:58:18 +01:00
permissions=($(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[] | select(.Effect=="Allow") | if .Action|type=="string" then [.Action] else .Action end | .[]'))
2019-12-03 16:34:06 +01:00
2019-12-05 17:58:18 +01:00
for perm in "${permissions[@]}" ; do
all_perms+=("$perm")
for dangperm in "${known_dangerous_permissions[@]}"; do
if echo "$dangperm" | grep -iq $perm ; then
dangerous_permissions+=("$perm")
elif echo "$perm" | grep -qP "\w+:\*"; then
dangerous_permissions+=("$perm")
fi
2019-12-03 16:34:06 +01:00
done
2019-12-05 17:58:18 +01:00
done
2019-12-03 16:34:06 +01:00
done
2019-12-05 17:58:18 +01:00
if [[ ${#all_perms[@]} -gt 0 ]]; then
echo -e "\n\n=============== All permissions granted to this role ==============="
sorted=($(echo "${all_perms[@]}" | tr ' ' '\n' | sort -u ))
for perm in "${sorted[@]}"; do
echo -e "\t$perm"
2019-12-03 16:34:06 +01:00
done
2019-12-05 17:58:18 +01:00
if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then
echo -e "\n\n=============== Detected dangerous permissions granted ==============="
sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))
for dangperm in "${sorted[@]}"; do
echo -e "\t$dangperm"
done
else
echo -e "\nNo dangerous permissions were found to be granted."
fi
2019-12-03 16:34:06 +01:00
else
2019-12-05 17:58:18 +01:00
echo -e "\nNo permissions were found to be granted."
2019-12-03 16:34:06 +01:00
fi
2019-12-05 17:58:18 +01:00