bridgecrewio / AirIAM

Least privilege AWS IAM Terraformer
https://airiam.io
Apache License 2.0

[Bug] Script stops execution on an explicit deny - OrganizationAccountAccessRole #57

Closed Anon-Exploiter closed 3 years ago

Anon-Exploiter commented 3 years ago

Hi,

I'm trying to run AirIAM on an AWS account. Getting the following exception:

(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ airiam find_unused -p airiam

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.50

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Getting all IAM configurations for account 000000000000
Getting IAM credential report
12 of 15: Generating report for arn:aws:iam::000000000000:role/OrganizationAccountAccessRole
Traceback (most recent call last):
  File "/home/umar_0x01/envs/forAirIAM/bin/airiam", line 5, in <module>
    run()
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 44, in find_unused
    iam_report = RuntimeIamScanner(logger, profile, refresh_cache).evaluate_runtime_iam(True, command)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 38, in evaluate_runtime_iam
    iam_data = self._get_data_from_aws(account_id, list_unused)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 67, in _get_data_from_aws
    last_accessed_map = self._generate_last_access(iam, entity_arn_list)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 163, in _generate_last_access
    raise error
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 155, in _generate_last_access
    job_id = iam.generate_service_last_accessed_details(Arn=arn)['JobId']
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GenerateServiceLastAccessedDetails operation: User: arn:aws:iam::000000000000:user/airiam is not authorized to perform: iam:GenerateServiceLastAccessedDetails on resource: arn:aws:iam::000000000000:role/OrganizationAccountAccessRole with an explicit deny

Environment: WSL2

(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Policies Attached:

[screenshot of the attached policies, not reproduced here]

Anon-Exploiter commented 3 years ago

Closing because of no response. I think a simple try/except/pass will fix this.
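One way to handle the explicit deny shown in the traceback above, as an added example written for this page rather than AirIAM's own code: the per-entity loop catches only AccessDenied from GenerateServiceLastAccessedDetails, logs it, records the ARN as skipped and moves on, so a single denied role such as OrganizationAccountAccessRole no longer aborts the whole scan. The skipped entities are returned separately from the started jobs, because an entity with no last-access data is not known to be unused. The StubIam client, the ARN list apart from the denied role, and all helper names are constructed for the example; a real run would pass a boto3 IAM client.

```python
"""Added example for this issue thread, not AirIAM's own code.

Tolerates an explicit deny on a single ARN while generating IAM
service-last-accessed jobs, instead of aborting the scan, and records
which entities produced no data. StubIam, the ARN list (other than the
denied role from the issue) and the helper names are constructed here;
a real run would pass a boto3 IAM client.
"""
import logging

try:
    from botocore.exceptions import ClientError
except ImportError:  # lets the example run where botocore is not installed
    class ClientError(Exception):
        """Minimal stand-in with botocore's shape: .response and .operation_name."""

        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            err = error_response["Error"]
            super().__init__(
                f"An error occurred ({err['Code']}) when calling the "
                f"{operation_name} operation: {err['Message']}"
            )

logger = logging.getLogger("airiam_example")

ACCOUNT = "000000000000"
DENIED_ARN = f"arn:aws:iam::{ACCOUNT}:role/OrganizationAccountAccessRole"
# Constructed entity list; only the denied role comes from the issue.
SAMPLE_ARNS = [
    f"arn:aws:iam::{ACCOUNT}:user/airiam",
    DENIED_ARN,
    f"arn:aws:iam::{ACCOUNT}:role/ExampleDeployRole",
]


class StubIam:
    """Constructed offline stand-in for a boto3 IAM client."""

    def __init__(self, denied_arns=(), throttled_arns=()):
        self.denied = set(denied_arns)
        self.throttled = set(throttled_arns)
        self.jobs = {}

    def generate_service_last_accessed_details(self, Arn):
        if Arn in self.denied:
            raise ClientError(
                {"Error": {"Code": "AccessDenied", "Message": (
                    "User is not authorized to perform: "
                    "iam:GenerateServiceLastAccessedDetails "
                    f"on resource: {Arn} with an explicit deny")}},
                "GenerateServiceLastAccessedDetails",
            )
        if Arn in self.throttled:
            raise ClientError(
                {"Error": {"Code": "Throttling", "Message": "Rate exceeded"}},
                "GenerateServiceLastAccessedDetails",
            )
        job_id = f"job-{len(self.jobs)}"
        self.jobs[job_id] = Arn
        return {"JobId": job_id}


def generate_last_access(iam, arns):
    """Start a last-accessed job for each ARN.

    Returns (job_ids, skipped): job_ids maps ARN -> JobId for entities the
    scan can evaluate; skipped maps ARN -> error code for entities that
    yielded no data and therefore must not be reported as unused.
    Only AccessDenied is tolerated; any other ClientError still propagates,
    so throttling or a broken credential chain is not silently swallowed.
    """
    job_ids, skipped = {}, {}
    for arn in arns:
        try:
            job_ids[arn] = iam.generate_service_last_accessed_details(Arn=arn)["JobId"]
        except ClientError as err:
            code = err.response.get("Error", {}).get("Code")
            if code != "AccessDenied":
                raise
            logger.warning("No last-access data for %s (%s); continuing", arn, code)
            skipped[arn] = code
    return job_ids, skipped


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    jobs, skipped = generate_last_access(StubIam(denied_arns=[DENIED_ARN]), SAMPLE_ARNS)
    print("jobs started:", jobs)
    print("skipped (no data, not evaluated):", skipped)
```

Catching only AccessDenied and keeping the skipped set separate is the point of the design: a bare except/pass would also hide throttling and credential errors, and it would leave the scanner with no record of why an entity has no last-access data, which matters for a tool whose output is a list of entities to remove.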