Git/mgeeky-Penetration-Testing-Tools
1
0
Fork 0
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git synced 2024-11-22 02:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improved on evaluate-iam-role.sh

Browse Source
This commit is contained in:
mgeeky 2019-12-05 17:58:18 +01:00
parent a98678255a
commit c2a067146a
1 changed files with 28 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
clouds/aws/evaluate-iam-role.sh
View File

@ -47,6 +47,7 @@ IFS=$'\n'
attached_role_policies=($(aws --profile $PROFILE iam list-attached-role-policies --role-name $ROLE_NAME | jq -r '.AttachedPolicies[].PolicyArn')) attached_role_policies=($(aws --profile $PROFILE iam list-attached-role-policies --role-name $ROLE_NAME | jq -r '.AttachedPolicies[].PolicyArn'))
dangerous_permissions=() dangerous_permissions=()
all_perms=()
for policy in "${attached_role_policies[@]}" ; do for policy in "${attached_role_policies[@]}" ; do
echo -e "\n=============== Attached Policy Arn: $policy ===============" echo -e "\n=============== Attached Policy Arn: $policy ==============="
@ -56,11 +57,10 @@ for policy in "${attached_role_policies[@]}" ; do
policy_version=$(aws --profile $PROFILE iam get-policy-version --policy-arn $policy --version-id $version_id) policy_version=$(aws --profile $PROFILE iam get-policy-version --policy-arn $policy --version-id $version_id)
echo "$policy_version" echo "$policy_version"
permissions=($(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[].Action | if type=="string" then [.] else . end | .[]')) permissions=($(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[] | select(.Effect=="Allow") | if .Action|type=="string" then [.Action] else .Action end | .[]'))
effect=$(echo "$policy_version" | jq -r '.PolicyVersion.Document.Statement[].Effect' )
if [[ "$effect" == "Allow" ]]; then
for perm in "${permissions[@]}" ; do for perm in "${permissions[@]}" ; do
all_perms+=("$perm")
for dangperm in "${known_dangerous_permissions[@]}"; do for dangperm in "${known_dangerous_permissions[@]}"; do
if echo "$dangperm" | grep -iq $perm ; then if echo "$dangperm" | grep -iq $perm ; then
dangerous_permissions+=("$perm") dangerous_permissions+=("$perm")
@ -69,15 +69,25 @@ for policy in "${attached_role_policies[@]}" ; do
fi fi
done done
done done
fi
done done
if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then if [[ ${#all_perms[@]} -gt 0 ]]; then
echo -e "\n\n=============== All permissions granted to this role ==============="
sorted=($(echo "${all_perms[@]}" | tr ' ' '\n' | sort -u ))
for perm in "${sorted[@]}"; do
echo -e "\t$perm"
done
if [[ ${#dangerous_permissions[@]} -gt 0 ]]; then
echo -e "\n\n=============== Detected dangerous permissions granted ===============" echo -e "\n\n=============== Detected dangerous permissions granted ==============="
sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u )) sorted=($(echo "${dangerous_permissions[@]}" | tr ' ' '\n' | sort -u ))
for dangperm in "${sorted[@]}"; do for dangperm in "${sorted[@]}"; do
echo -e "\t$dangperm" echo -e "\t$dangperm"
done done
else else
echo -e "\nNo dangerous permissions were found to be granted." echo -e "\nNo dangerous permissions were found to be granted."
fi
else
echo -e "\nNo permissions were found to be granted."
fi fi