Create a Neo4J graph of users and roles trust policies within an AWS Organization.

Overview

AWS_ORG_MAPPER

This tool uses sso-oidc to authenticate to the AWS organization. Once authenticated the tool will attempt to enumerate all users and roles in the organization and map their trust relations.

The graph can be explored using Neo4j desktop or web client. Below you can find some sample queries that can help extract useful information from the graph.

Using this tool users can discover how role trusts are delegated in the organization and can help identify improve account isolation within the organization. For example, if there exists a role assumption path between two accounts the graph will be able to identify which roles and users are used to connect two accounts.

Requirements

  • Neo4j
  • boto3
  • AWS SSO Account
  • py2neo

How to Use

  1. Install the Python3 requirements with pip3 install -r requirements.txt

  2. Install Neo4j and add the connection details to config.py.

  3. Configure the SSO organization URL in config.py.

  4. Run the tool with python3 mapper.py

If there is no token file stored in the directory the SSO auth flow will start. The instructions and device link will be printed to the console. After auth, the SSO token will be saved to ./token. If you wish to run the tool on a new org make sure to delete the old ./token file.

The tool will attempt to use the first valid role associated with the SSO account. If there is access denied the tool will move the next available role within the account.

Once completed the graph is generated in Neo4j. Using the sample queries below or designed your own by referencing the structure in ## Graph Structure you can begin to extract information about the organization.

Notes

Does not currently support SAML Providers or SAML conditions.

I am currently not planning on implementing an interface for this tool as it serves more as an import tool for neo4j. I will be continuing to implement a better interface for the CLI to give the user more control over the execution.

Example Queries

  • List all Accounts

    MATCH (a:Account) RETURN A

  • List all Roles

    MATCH (r:Role) RETURN R

  • List all users

    MATCH (u:User) RETURN u

  • Count number of cross-account relations

    MATCH p=(A:Account)-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account) RETURN COUNT(p)

  • Find all paths between account A and account B

    MATCH p=(A:Account {accountId: "111111111"})-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account {accountId: "222222222"}) RETURN p

  • Find all routes from account A to any account

    MATCH p=(A:Account {accountId: "111111111"})-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account}) RETURN p

  • Find all roles that trust ":root" of an account.

    MATCH p=(a:Account)-[:ASSUMES]->(:Role) RETURN p

  • Find all roles assumed by a specific service.

    MATCH p=(:Service {Service: "lambda"})-[:ASSUMES]->(r:Role) WHERE r.accountID = "11111111111" RETURN p

Graph Structure

Nodes and Attributes

  • Role

    • Arn
    • RoleId
    • RoleName
    • accountId
  • Account

    • accountId
    • accountName
    • emailAddress
  • User

    • Arn
    • UserName
    • accountId
  • Service

    • Service (lambda.amazonaws.com)

Node Relations

  • Account -[OWNS]->(Role/User)
  • Account -[ASSUMES]-> (Role)
  • Role -[ASSUMES]-> (Role)
  • User -[ASSUMES]-> (Role)
  • Service -[ASSUMES]-> (Role)

Acknowledgment

Thanks to Christophe Tafani-Dereeper for the sso device auth code. Their code can be found here.

https://github.com/christophetd/aws-sso-device-code-authentication

You might also like...
Auto Join: A GitHub action script to automatically invite everyone to the organization who comment at the issue page.

Auto Invite To Org By Issue Comment A GitHub action script to automatically invite everyone to the organization who comment at the issue page. What is

Dumps to CSV all the resources in an organization's member accounts

AWS Org Inventory Dumps to CSV all the resources in an organization's member accounts. Set your environment's AWS_PROFILE and AWS_DEFAULT_REGION varia

Simple tool to gather domains from crt.sh using the organization name
Simple tool to gather domains from crt.sh using the organization name

Domain Collector: _ _ ___ _ _ _ __| | ___ _ __ ___ __ _(_)_ __ / __\___ | |

A Discord BOT that uses Google Sheets for storing the roles and permissions of a discord server.

Discord Role Manager Bot Role Manager is a discord BOT that utilizes Google Sheets for the organization of a server's hierarchy and permissions. Detai

A minimalistic, modern Discord bot for roles and polls using dropdowns
A minimalistic, modern Discord bot for roles and polls using dropdowns

DropBot A minimalistic, modern Discord bot for roles and polls using dropdowns Made by ThatOneCalculator Technologies used Instructions Type /, and na

Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

Compares and analyzes GCP IAM roles.

gcp-iam-analyzer I wrote this to help in my day to day working in GCP. A lot of the time I am doing role comparisons to see which role has more permis

This is a simple program that uses Python and pyTwitchAPI to retrieve the list of users in a streamer's chat and then checks each one of these users to see if they follow the broadcaster or not

This is a simple program that uses Python and pyTwitchAPI to retrieve the list of users in a streamer's chat and then checks each one of these users to see if they follow the broadcaster or not

Simple script to extract useful informations from the combo BloodHound + Neo4j

bloodhound-quickwin Simple script to extract useful informations from the combo BloodHound + Neo4j. Can help to choose a target. Prerequisites python3

Comments
  • config.py

    config.py

    looking at your awesome repo, and trying to implement it, I can't see how to continue with stage 2: 'add the connection details to config.py' where is this file from ?

    opened by orenbenya 4
  • Needed permissions for SSO and index error

    Needed permissions for SSO and index error

    Now SSO is configured, I'm running the code and got these errors: What permission is needed for the SSO groups to be be able to run it successfully ? The First role have 'Permissions boundary' attached to it - does it matter for the solution if it is used or not ? Is the 'index out of range' error an issue ? shouldn't the process search for all valid\available roles to be able to proceed? Many Thanks!

    Listing ACCOUNTID using role, AWSReadOnlyAccess
    FAILED to create trust: arn:aws:iam::ACCOUNTID-A:role/Found-Role-name, AWS, AlphaNumeric-string   
    list index out of range   
    FAILED to create trust: arn:aws:iam::ACCOUNTID-B:role/Found-Role-name, AWS, AlphaNumeric-string   
    list index out of range   
    Completed (1/2)   
    FAILED to create trust: arn:aws:iam::ACCOUNTID-A:role/Found-Role-name, AWS, AlphaNumeric-string   
    list index out of range   
    Completed (2/2)
    
    opened by orenbenya 3
Owner
Ruse
Ruse
Create a roles overview page for all Ansible roles/playbooks in Gitlab

ansible-create-roles-overview Overview The script ./create_roles_overview.py queries a Gitlab API for Ansible roles and playbooks. It will iterate ove

null 2 Oct 11, 2021
AWSXenos will list all the trust relationships in all the IAM roles and S3 buckets

AWS External Account Scanner Xenos, is Greek for stranger. AWSXenos will list all the trust relationships in all the IAM roles, and S3 buckets, in an

AirWalk 57 Nov 7, 2022
DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

CRED 71 Dec 29, 2022
Validate all your Customer IAM Policies against AWS Access Analyzer - Policy Validation

✅ Access Analyzer - Batch Policy Validator This script will analyze using AWS Access Analyzer - Policy Validation all your account customer managed IA

Victor GRENU 41 Dec 12, 2022
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
Trust-minimized Bitcoin wallet

coldcore Trust-minimized, airgapped Bitcoin management This is experimental software. Wait for a formal release before use with real funds. A trust-mi

James O'Beirne 121 Jan 1, 2023
Ghostbuster - Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts

Table of Contents Table of Contents Ghostbuster The problem Project Features Ins

Assetnote 182 Dec 24, 2022
Python linting made easy. Also a casual yet honorific way to address individuals who have entered an organization prior to you.

pysen What is pysen? pysen aims to provide a unified platform to configure and run day-to-day development tools. We envision the following scenarios i

Preferred Networks, Inc. 452 Jan 5, 2023