Looks for cross-account access in assumable IAM roles, using the profiles in your AWS credentials file. A role is reported when its trust policy names an AWS principal from another account (or the wildcard `*`); whether that principal can actually assume it also depends on its own `sts:AssumeRole` permissions and on any SCPs or conditions, which this script does not evaluate.
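"""Find IAM roles whose trust policy lets another AWS account assume them.

For every profile in ``profiles`` (taken from ~/.aws/credentials) the script
resolves the profile's account ID, walks every IAM role in that account and
reports the roles whose trust policy names an AWS principal outside the
account (or the wildcard ``"*"``). It then cross-references those trusted
account IDs against the accounts the profiles belong to, so you can see which
of your own credentials could be used as a stepping stone into which role.

Caveats: a trust policy is only half of the permission check. The trusted
principal also needs ``sts:AssumeRole`` on its own side, and SCPs, permission
boundaries or a ``Condition`` in the trust statement can still block the
assumption. Treat every line printed here as a lead to verify, not a proven
path.
"""
import boto3

# Profiles that exist in your ~/.aws/credentials file.
# Add any additional profiles, e.g. ["default", "profile0", "profile1"].
profiles = ["default"]

# account_id -> list of (principal, role_arn, has_condition) for every role in
# that account whose trust policy names a principal outside the account.
assumable_accounts = {}


def _as_list(value):
    """Return *value* as a list; IAM policy fields may be a scalar or a list."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return [value]


def _principal_account(principal):
    """Return the 12-digit account ID named by an AWS principal, or None.

    A trust-policy ``Principal.AWS`` entry is either a bare account ID, an
    ARN such as ``arn:aws:iam::123456789012:root`` (the account ID is the
    fifth colon-separated field), or the wildcard ``"*"``, which names no
    account and therefore yields None.
    """
    if principal.startswith("arn:"):
        parts = principal.split(":")
        if len(parts) > 4 and parts[4]:
            return parts[4]
        return None
    if principal.isdigit() and len(principal) == 12:
        return principal
    return None


def cross_account_principals(role, own_account):
    """Return the trusted AWS principals of *role* that live outside *own_account*.

    Unlike a check of ``Statement[0]`` alone, every Allow statement of the
    trust policy is inspected: a cross-account grant can sit in any statement.
    ``Statement`` may be a single object or a list, ``Principal`` may be a
    dict or the bare string ``"*"``, and ``Principal.AWS`` may be a string or
    a list, so all of those shapes are normalised here.

    Returns a list of ``(principal, has_condition)`` tuples. ``has_condition``
    is True when the statement carries a ``Condition`` block (for example an
    ExternalId requirement), which narrows but does not remove the trust.
    The wildcard ``"*"`` is always reported because it lets any AWS principal
    attempt the assumption. Principals whose account ID equals *own_account*
    are not cross-account and are skipped.
    """
    found = []
    policy = role.get("AssumeRolePolicyDocument") or {}
    for statement in _as_list(policy.get("Statement")):
        # Effect is mandatory in IAM policies; defaulting to Allow only errs
        # toward reporting a role, never toward hiding one.
        if statement.get("Effect", "Allow") != "Allow":
            continue
        principal = statement.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            # Service/Federated-only statements are not account-to-account trust.
            continue
        has_condition = bool(statement.get("Condition"))
        for aws_principal in aws_principals:
            aws_principal = str(aws_principal)
            if aws_principal == "*" or _principal_account(aws_principal) != own_account:
                found.append((aws_principal, has_condition))
    return found


def enumerate_profile(profile):
    """Enumerate one credentials-file profile and record its cross-account roles.

    Prints the profile's account ID and every role whose trust policy grants
    access to another account, and stores the findings in
    ``assumable_accounts`` under that account ID (the list is also returned).

    ``list_roles`` is paginated (100 roles per page by default); every page is
    walked, because a single call would silently miss roles in accounts with
    more than one page and the enumeration would look complete when it is not.
    """
    session = boto3.session.Session(profile_name=profile)
    print("*******************")
    print("ENUMERATING Profile")
    print("*******************")
    current_account = session.client("sts").get_caller_identity().get("Account")
    print("{}:{}".format(profile, current_account))
    # IAM is a global service; the region only selects the endpoint.
    iam = session.client("iam", region_name="us-east-1")

    findings = assumable_accounts.setdefault(current_account, [])
    print("___________________________________________________________________")
    print("Roles that can be Assumed by Other AWS Accounts:")
    print("___________________________________________________________________")
    for page in iam.get_paginator("list_roles").paginate():
        for role in page.get("Roles", []):
            for principal, has_condition in cross_account_principals(role, current_account):
                note = " (conditional)" if has_condition else ""
                print("{}/{} <- {}{}".format(role["RoleId"], role["RoleName"], principal, note))
                findings.append((principal, role["Arn"], has_condition))
    return findings


def report_reachable_accounts(findings_by_account):
    """Print which enumerated accounts can reach which roles, and through what.

    For every recorded role the account ID named in its trusted principal is
    looked up among the accounts the profiles belong to; a match means the
    credentials you hold for that account are a potential path into the role.
    A ``"*"`` principal is reported against every account since it trusts
    anyone. The account ID is parsed from the principal rather than
    substring-matched, so digits inside a role name cannot cause a false hit.
    """
    print("**************************************************************")
    print("*Iteration on what can be assumed with the provided Profiles:*")
    print("**************************************************************")
    for account, findings in findings_by_account.items():
        print("___________________________________________________________________")
        print("ACCOUNT: " + account + " contains the following assumable accounts:")
        print("___________________________________________________________________")
        for principal, role_arn, has_condition in findings:
            trusted_account = _principal_account(principal)
            for search_account in findings_by_account:
                if principal == "*" or trusted_account == search_account:
                    suffix = " (subject to the trust policy's Condition)" if has_condition else ""
                    print("You have access to the " + search_account
                          + " account which can be used to assume -> " + role_arn + suffix)


def main():
    """Enumerate every configured profile, then print the cross-account map."""
    for profile in profiles:
        enumerate_profile(profile)
    report_reachable_accounts(assumable_accounts)


if __name__ == "__main__":
    main()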