2019-12-03 16:34:06 +01:00
|
|
|
#!/bin/bash
|
2019-12-06 13:28:08 +01:00
|
|
|
#
|
|
|
|
# Evaluates specified AWS IAM Role or Policy given their name/Arn.
|
|
|
|
# Dumps all of the attached policies in case of Role and all of defined
|
|
|
|
# policy statements. Then goes through allowed permissions to pick all of them out.
|
|
|
|
# Finally, checks every allowed permission against a list of known troublesome ones.
|
|
|
|
#
|
|
|
|
# Mariusz B., mgeeky '19, <mb@binary-offensive.com>
|
|
|
|
# v0.1
|
|
|
|
#
|
|
|
|
|
|
|
|
if [ $# -lt 2 ] ; then
|
|
|
|
echo "Usage: evaluate-iam-role.sh [-v] <profile> <role-name|policy-arn>"
|
|
|
|
echo
|
|
|
|
echo -e "-v\t\t\tVerbose mode. Dumps full roles/policies contents."
|
|
|
|
echo -e "profile\t\t\tAWS credentials profile name."
|
|
|
|
echo -e "role-name|policy-name\tEither IAM Role name or Policy Arn to evaluate."
|
|
|
|
echo -e "\t\t\tIf 'all' was specified, will evaluate ALL used IAM Roles"
|
2019-12-03 16:34:06 +01:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2019-12-06 13:28:08 +01:00
|
|
|
VERBOSE=0
|
|
|
|
if [[ "$1" == "-v" ]]; then
|
|
|
|
VERBOSE=1
|
|
|
|
shift
|
|
|
|
fi
|
|
|
|
|
2019-12-03 16:34:06 +01:00
|
|
|
PROFILE=$1
|
|
|
|
ROLE_NAME=$2
|
|
|
|
|
2019-12-05 19:03:29 +01:00
|
|
|
known_potentially_dangerous_permissions=(
|
2019-12-06 13:28:08 +01:00
|
|
|
".+:\*"
|
|
|
|
".*:Add.*"
|
|
|
|
".*:Attach.*"
|
|
|
|
".*:Batch.*"
|
|
|
|
".*:Change.*"
|
|
|
|
".*:Command.*"
|
|
|
|
".*:Create.*"
|
|
|
|
".*:Delete.*"
|
|
|
|
".*:Execute.*"
|
|
|
|
".*:Invoke.*"
|
|
|
|
".*:Modify.*"
|
|
|
|
".*:Put.*"
|
|
|
|
".*:Reboot.*"
|
|
|
|
".*:Register.*"
|
|
|
|
".*:Replace.*"
|
|
|
|
".*:Run.*"
|
|
|
|
".*:Send.*"
|
|
|
|
".*:Set.*"
|
|
|
|
".*:Start.*"
|
|
|
|
".*:Update.*"
|
2019-12-05 19:03:29 +01:00
|
|
|
)
|
|
|
|
|
2019-12-03 16:34:06 +01:00
|
|
|
known_dangerous_permissions=(
|
2019-12-06 09:57:53 +01:00
|
|
|
"\*:\*"
|
2019-12-06 13:28:08 +01:00
|
|
|
"cloudformation:CreateStack"
|
|
|
|
"datapipeline:CreatePipeline"
|
|
|
|
"datapipeline:PutPipelineDefinition"
|
2019-12-03 16:34:06 +01:00
|
|
|
"ec2:RunInstances"
|
2019-12-06 13:28:08 +01:00
|
|
|
"glue:CreateDevEndpoint"
|
|
|
|
"glue:UpdateDevEndpoint"
|
|
|
|
"iam:\*"
|
|
|
|
"iam:AddUserToGroup"
|
2019-12-03 16:34:06 +01:00
|
|
|
"iam:AttachGroupPolicy"
|
|
|
|
"iam:AttachRolePolicy"
|
2019-12-06 13:28:08 +01:00
|
|
|
"iam:AttachUserPolicy"
|
|
|
|
"iam:CreateAccessKey"
|
|
|
|
"iam:CreateLoginProfile"
|
|
|
|
"iam:CreatePolicyVersion"
|
|
|
|
"iam:PassRole"
|
|
|
|
"iam:PassRole"
|
2019-12-03 16:34:06 +01:00
|
|
|
"iam:PutGroupPolicy"
|
|
|
|
"iam:PutRolePolicy"
|
2019-12-06 13:28:08 +01:00
|
|
|
"iam:PutUserPolicy"
|
|
|
|
"iam:SetDefaultPolicyVersion"
|
2019-12-03 16:34:06 +01:00
|
|
|
"iam:UpdateAssumeRolePolicy"
|
2019-12-06 13:28:08 +01:00
|
|
|
"iam:UpdateLoginProfile"
|
|
|
|
"lambda:CreateEventSourceMapping"
|
2019-12-03 16:34:06 +01:00
|
|
|
"lambda:CreateFunction"
|
|
|
|
"lambda:InvokeFunction"
|
|
|
|
"lambda:UpdateFunctionCode"
|
2019-12-06 13:28:08 +01:00
|
|
|
"sts:AssumeRole"
|
2019-12-03 16:34:06 +01:00
|
|
|
)
|
|
|
|
|
2019-12-06 13:28:08 +01:00
|
|
|
known_dangerous_aws_managed_policies=(
|
|
|
|
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
|
|
|
|
"arn:aws:iam::aws:policy/service-role/AmazonMachineLearningRoleforRedshiftDataSource"
|
|
|
|
)
|
2019-12-03 16:34:06 +01:00
|
|
|
|
|
|
|
dangerous_permissions=()
|
2019-12-05 19:03:29 +01:00
|
|
|
potentially_dangerous_permissions=()
|
2019-12-05 17:58:18 +01:00
|
|
|
all_perms=()
|
2019-12-06 13:28:08 +01:00
|
|
|
used_bad_policies=()
|
2019-12-03 16:34:06 +01:00
|
|
|
|
2019-12-06 13:28:08 +01:00
|
|
|
function examine_policy() {
|
|
|
|
policy=$1
|
|
|
|
role_name=$2
|
2019-12-03 16:34:06 +01:00
|
|
|
|
2019-12-06 13:28:08 +01:00
|
|
|
out=$(aws --profile $PROFILE iam get-policy --policy-arn $policy)
|
|
|
|
version_id=$(echo "$out" | jq -r '.Policy.DefaultVersionId')
|
|
|
|
policy_name=$(echo "$out" | jq -r '.Policy.PolicyName')
|
2019-12-03 16:34:06 +01:00
|
|
|
|
|
|
|
policy_version=$(aws --profile $PROFILE iam get-policy-version --policy-arn $policy --version-id $version_id)
|
2019-12-06 13:28:08 +01:00
|
|
|
|
|
|
|
if [[ $VERBOSE == 1 ]]; then
|
|
|
|
echo -e "\n------------[ Policy Arn: $policy ]------------"
|
|
|
|
echo "$policy_version"
|
|
|
|
fi
|
2019-12-03 16:34:06 +01:00
|
|
|
|
2019-12-05 17:58:18 +01:00
|
|
|
permissions=($(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[] | select(.Effect=="Allow") | if .Action|type=="string" then [.Action] else .Action end | .[]'))
|
2019-12-03 16:34:06 +01:00
|
|
|
|
2019-12-06 13:28:08 +01:00
|
|
|
path=""
|
|
|
|
if [[ "$role_name" != "" ]]; then
|
|
|
|
path="$role_name.$policy_name."
|
|
|
|
else
|
|
|
|
path="$policy_name."
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [[ "$ROLE_NAME" != "all" ]] ; then
|
|
|
|
path=""
|
|
|
|
fi
|
|
|
|
|
|
|
|
for bad_policy in "${known_dangerous_aws_managed_policies[@]}"; do
|
|
|
|
if echo "$policy" | grep -iq "$bad_policy" ; then
|
|
|
|
used_bad_policies+=("$path$bad_policy")
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
2019-12-05 17:58:18 +01:00
|
|
|
for perm in "${permissions[@]}" ; do
|
2019-12-06 13:28:08 +01:00
|
|
|
permadd="$path$perm"
|
|
|
|
all_perms+=("$permadd")
|
|
|
|
|
|
|
|
for potdangperm in "${known_potentially_dangerous_permissions[@]}"; do
|
|
|
|
if [[ "$perm" == "iam:*" ]]; then continue ; fi
|
|
|
|
if echo "$perm" | grep -Piq "$potdangperm" ; then
|
|
|
|
potentially_dangerous_permissions+=("$permadd")
|
2019-12-05 19:03:29 +01:00
|
|
|
fi
|
|
|
|
done
|
2019-12-06 13:28:08 +01:00
|
|
|
|
|
|
|
for dangperm in "${known_dangerous_permissions[@]}"; do
|
|
|
|
if echo "$perm" | grep -iq "$dangperm" ; then
|
|
|
|
dangerous_permissions+=("$permadd")
|
2019-12-05 17:58:18 +01:00
|
|
|
fi
|
2019-12-03 16:34:06 +01:00
|
|
|
done
|
2019-12-05 17:58:18 +01:00
|
|
|
done
|
2019-12-06 13:28:08 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
function examine_role() {
|
|
|
|
role_name=$1
|
|
|
|
|
|
|
|
role_policy=$(aws --profile $PROFILE iam get-role --role-name $role_name)
|
|
|
|
|
|
|
|
if [[ $VERBOSE == 1 ]]; then
|
|
|
|
echo -e "------------[ Role: $role_name ]------------"
|
|
|
|
echo "$role_policy"
|
|
|
|
fi
|
|
|
|
|
|
|
|
attached_role_policies=($(aws --profile $PROFILE iam list-attached-role-policies --role-name $role_name | jq -r '.AttachedPolicies[].PolicyArn'))
|
|
|
|
|
|
|
|
if [[ $VERBOSE == 1 ]]; then
|
|
|
|
echo
|
|
|
|
fi
|
|
|
|
echo "[+] Role ($role_name) has following policies attached:"
|
|
|
|
for policy in "${attached_role_policies[@]}" ; do
|
|
|
|
echo -e "\t- $policy"
|
|
|
|
done
|
|
|
|
|
|
|
|
if [[ $VERBOSE == 1 ]]; then
|
|
|
|
echo
|
|
|
|
fi
|
|
|
|
|
|
|
|
for policy in "${attached_role_policies[@]}" ; do
|
|
|
|
examine_policy $policy $role_name
|
|
|
|
done
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
#------------------------------------------------------------------
|
|
|
|
#
|
|
|
|
|
|
|
|
IFS=$'\n'
|
|
|
|
|
|
|
|
if [[ "$ROLE_NAME" == "all" ]]; then
|
|
|
|
echo "[+] Evaluating ALL used IAM Roles"
|
|
|
|
echo
|
|
|
|
|
|
|
|
out=($(aws --profile awl iam list-roles --query 'Roles[*].RoleName' --output text | tr '\t' '\n'))
|
|
|
|
|
|
|
|
for role in "${out[@]}"; do
|
|
|
|
examine_role $role
|
|
|
|
done
|
|
|
|
|
|
|
|
elif echo "$ROLE_NAME" | grep -q "arn:aws:iam:" && echo "$ROLE_NAME" | grep -q ":policy/" ; then
|
|
|
|
echo "[+] Working on specified Policy Arn: $ROLE_NAME"
|
|
|
|
echo
|
|
|
|
|
|
|
|
examine_policy $ROLE_NAME
|
|
|
|
else
|
|
|
|
echo "[+] Working on specified Role: $ROLE_NAME"
|
|
|
|
echo
|
|
|
|
|
|
|
|
examine_role $ROLE_NAME
|
|
|
|
fi
|
|
|
|
|
|
|
|
#------------------------------------------------------------------
|
|
|
|
|
|
|
|
if [[ ${#used_bad_policies[@]} -gt 0 ]]; then
|
|
|
|
echo -e "\n\n[-] =============== Found AWS Managed Insecure Policies in Use ==============="
|
|
|
|
echo
|
|
|
|
sorted=($(echo "${used_bad_policies[@]}" | tr ' ' '\n' | sort -u ))
|
|
|
|
for pol in "${sorted[@]}"; do
|
|
|
|
echo -e "\t$pol"
|
|
|
|
done
|
|
|
|
fi
|
2019-12-03 16:34:06 +01:00
|
|
|
|
2019-12-05 17:58:18 +01:00
|
|
|
if [[ ${#all_perms[@]} -gt 0 ]]; then
|
2019-12-06 13:28:08 +01:00
|
|
|
echo -e "\n\n[+] =============== Permissions granted ==============="
|
|
|
|
echo
|
2019-12-05 17:58:18 +01:00
|
|
|
sorted=($(echo "${all_perms[@]}" | tr ' ' '\n' | sort -u ))
|
|
|
|
for perm in "${sorted[@]}"; do
|
2019-12-06 13:28:08 +01:00
|
|
|
echo -e "\t$perm" | sed -r 's/\./ -> /g'
|
2019-12-03 16:34:06 +01:00
|
|
|
done
|
2019-12-05 17:58:18 +01:00
|
|
|
|
2019-12-05 19:03:29 +01:00
|
|
|
if [[ ${#potentially_dangerous_permissions[@]} -gt 0 ]]; then
|
2019-12-06 13:28:08 +01:00
|
|
|
echo -e "\n\n[-] =============== Detected POTENTIALLY dangerous permissions granted ==============="
|
|
|
|
echo
|
2019-12-05 19:03:29 +01:00
|
|
|
sorted=($(echo "${potentially_dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))
|
|
|
|
for dangperm in "${sorted[@]}"; do
|
2019-12-06 13:28:08 +01:00
|
|
|
echo -e "\t$dangperm" | sed -r 's/\./ -> /g'
|
2019-12-05 19:03:29 +01:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
2019-12-05 17:58:18 +01:00
|
|
|
if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then
|
2019-12-06 13:28:08 +01:00
|
|
|
echo -e "\n\n[!] =============== Detected DANGEROUS permissions granted ==============="
|
|
|
|
echo
|
2019-12-05 17:58:18 +01:00
|
|
|
sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))
|
|
|
|
for dangperm in "${sorted[@]}"; do
|
2019-12-06 13:28:08 +01:00
|
|
|
echo -e "\t$dangperm" | sed -r 's/\./ -> /g'
|
2019-12-05 17:58:18 +01:00
|
|
|
done
|
|
|
|
fi
|
2019-12-03 16:34:06 +01:00
|
|
|
else
|
2019-12-05 17:58:18 +01:00
|
|
|
echo -e "\nNo permissions were found to be granted."
|
2019-12-03 16:34:06 +01:00
|
|
|
fi
|
2019-12-05 17:58:18 +01:00
|
|
|
|
2019-12-06 13:28:08 +01:00
|
|
|
echo
|