Status: Closed (Anon-Exploiter closed this issue 3 years ago)
Hi,
I'm trying to run AirIAM on an AWS account. Getting the following exception:
```text
(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ airiam find_unused -p airiam
[AirIAM ASCII-art banner; spacing lost in extraction]
v0.1.50
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Getting all IAM configurations for account 000000000000
Getting IAM credential report
12 of 15: Generating report for arn:aws:iam::000000000000:role/OrganizationAccountAccessRole
Traceback (most recent call last):
  File "/home/umar_0x01/envs/forAirIAM/bin/airiam", line 5, in <module>
    run()
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 44, in find_unused
    iam_report = RuntimeIamScanner(logger, profile, refresh_cache).evaluate_runtime_iam(True, command)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 38, in evaluate_runtime_iam
    iam_data = self._get_data_from_aws(account_id, list_unused)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 67, in _get_data_from_aws
    last_accessed_map = self._generate_last_access(iam, entity_arn_list)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 163, in _generate_last_access
    raise error
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 155, in _generate_last_access
    job_id = iam.generate_service_last_accessed_details(Arn=arn)['JobId']
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GenerateServiceLastAccessedDetails operation: User: arn:aws:iam::000000000000:user/airiam is not authorized to perform: iam:GenerateServiceLastAccessedDetails on resource: arn:aws:iam::000000000000:role/OrganizationAccountAccessRole with an explicit deny
```
```text
(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ cat /etc/*release                                                    1 ⨯
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```
Closing because of no response. I think a simple try except pass will fix this.
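Added example, not AirIAM's or Bridgecrew's code: a per-entity wrapper around the `generate_service_last_accessed_details` call from the traceback that catches only `AccessDenied`, records the denied ARN and its message in a separate map, and continues, so one role under an explicit deny (from an SCP, a permissions boundary or the caller's own policies) neither aborts the whole scan nor vanishes from the results as if it had been scanned. The `FakeIam` client and `SAMPLE_ARNS` are constructed for an offline run; botocore's `ClientError` is used when installed, otherwise a stand-in with the same attributes.

```python
try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: botocore absent; stand-in with the real attributes
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Message']}")
            self.response = error_response
            self.operation_name = operation_name


def start_last_access_jobs(iam, arns):
    """Call GenerateServiceLastAccessedDetails per ARN; return (jobs, skipped).

    jobs maps ARN -> JobId, skipped maps ARN -> AccessDenied message. Only
    AccessDenied is caught; throttling or validation errors still propagate.
    """
    jobs, skipped = {}, {}
    for arn in arns:
        try:
            jobs[arn] = iam.generate_service_last_accessed_details(Arn=arn)["JobId"]
        except ClientError as err:
            error = err.response.get("Error", {})
            if error.get("Code") != "AccessDenied":
                raise
            # Keep the denied entity visible: an entity that could not be scanned
            # must not be mistaken for an unused one when the report is built.
            skipped[arn] = error.get("Message", "AccessDenied")
    return jobs, skipped


class FakeIam:
    """Constructed stand-in for the boto3 IAM client: one role is explicitly denied."""

    DENIED = "arn:aws:iam::000000000000:role/OrganizationAccountAccessRole"
    jobs_started = 0

    def generate_service_last_accessed_details(self, Arn):
        if Arn == self.DENIED:
            msg = (f"User is not authorized to perform: iam:GenerateServiceLastAccessedDetails "
                   f"on resource: {Arn} with an explicit deny")
            raise ClientError({"Error": {"Code": "AccessDenied", "Message": msg}},
                              "GenerateServiceLastAccessedDetails")
        self.jobs_started += 1
        return {"JobId": f"job-{self.jobs_started}"}


# Constructed sample entities: a user, the denied role from the report, another role.
SAMPLE_ARNS = ["arn:aws:iam::000000000000:user/airiam", FakeIam.DENIED,
               "arn:aws:iam::000000000000:role/DeployRole"]
```

Returning the skipped map keeps the gap auditable in the final report, whereas a bare `pass` leaves no trace of which entity could not be checked.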
Environment: WSL2
Policies Attached: