From c2a067146aebddca678f5c36b16a1278d23328b7 Mon Sep 17 00:00:00 2001 From: mgeeky Date: Thu, 5 Dec 2019 17:58:18 +0100 Subject: [PATCH] Improved on evaluate-iam-role.sh --- clouds/aws/evaluate-iam-role.sh | 46 ++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/clouds/aws/evaluate-iam-role.sh b/clouds/aws/evaluate-iam-role.sh index c7975cd..821c6a2 100755 --- a/clouds/aws/evaluate-iam-role.sh +++ b/clouds/aws/evaluate-iam-role.sh @@ -47,6 +47,7 @@ IFS=$'\n' attached_role_policies=($(aws --profile $PROFILE iam list-attached-role-policies --role-name $ROLE_NAME | jq -r '.AttachedPolicies[].PolicyArn')) dangerous_permissions=() +all_perms=() for policy in "${attached_role_policies[@]}" ; do echo -e "\n=============== Attached Policy Arn: $policy ===============" @@ -56,28 +57,37 @@ for policy in "${attached_role_policies[@]}" ; do policy_version=$(aws --profile $PROFILE iam get-policy-version --policy-arn $policy --version-id $version_id) echo "$policy_version" - permissions=($(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[].Action | if type=="string" then [.] else . end | .[]')) - effect=$(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[].Effect' ) + permissions=($(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[] | select(.Effect=="Allow") | if .Action|type=="string" then [.Action] else .Action end | .[]')) - if [[ "$effect" == "Allow" ]]; then - for perm in "${permissions[@]}" ; do - for dangperm in "${known_dangerous_permissions[@]}"; do - if echo "$dangperm" | grep -iq $perm ; then - dangerous_permissions+=("$perm") - elif echo "$perm" | grep -qP "\w+:\*"; then - dangerous_permissions+=("$perm") - fi - done + for perm in "${permissions[@]}" ; do + all_perms+=("$perm") + for dangperm in "${known_dangerous_permissions[@]}"; do + if echo "$dangperm" | grep -iq $perm ; then + dangerous_permissions+=("$perm") + elif echo "$perm" | grep -qP "\w+:\*"; then + dangerous_permissions+=("$perm") + fi done - fi + done done -if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then - echo -e "\n\n=============== Detected dangerous permissions granted ===============" - sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u )) - for dangperm in "${sorted[@]}"; do - echo -e "\t$dangperm" +if [[ ${#all_perms[@]} -gt 0 ]]; then + echo -e "\n\n=============== All permissions granted to this role ===============" + sorted=($(echo "${all_perms[@]}" | tr ' ' '\n' | sort -u )) + for perm in "${sorted[@]}"; do + echo -e "\t$perm" done + + if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then + echo -e "\n\n=============== Detected dangerous permissions granted ===============" + sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u )) + for dangperm in "${sorted[@]}"; do + echo -e "\t$dangperm" + done + else + echo -e "\nNo dangerous permissions were found to be granted." + fi else - echo -e "\nNo dangerous permissions were found to be granted." + echo -e "\nNo permissions were found to be granted." fi +