duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

For find_admins, identify the resources associated with any IAM roles found #532

Open TheFlexican opened 5 years ago

TheFlexican commented 5 years ago

Check IAM roles assigned to public-facing EC2 instances, and check what access these roles provide. A good example of why to check for this is the Capital One breach.

0xdabbad00 commented 5 years ago

I don't understand what this is requesting to be done. The audit command will list as findings any IAM roles with compute resources as trusted. The find_admins command can find all principals with specific privileges.

TheFlexican commented 5 years ago

Sorry for being a bit vague :) I hope I can explain myself a bit better.

Let's say I have an EC2 running with some vulnerable application that, when exploited, would allow for RCE. This EC2 has a role assigned that allows full access to S3. I think it would be nice to know about these kinds of configurations, and report on them. But if I understand correctly, cloudmapper already reports on IAM roles with compute resources assigned to them; you would then manually have to check if this EC2 is exposed to the public? And by manually checking, I mean using the public command.

0xdabbad00 commented 5 years ago

Yes, with find_admins you can tell it to find all principals with just the s3:ListAllMyBuckets privilege (not actually admins). This would return a list of IAM roles and users. You would then have to manually inspect these to determine which are applied to EC2s. It would be possible to tell you which of these IAM roles can be associated with EC2s (fairly easy improvement), and further it could be possible to tell you info about the EC2s that these roles may have been applied to (somewhat harder improvement, mostly due to trying to figure out which info to show you, such as: do I list the tags for the instances?).

TheFlexican commented 5 years ago

I think listing the instance name, tags (maybe an option to specify which tag to look for? Otherwise just list them all) and region should be sufficient to investigate further on the finding. I think it would be a great feature!
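The check the thread is converging on, as an added example that is not cloudmapper's own code: starting from the privilege find_admins is asked about (s3:ListAllMyBuckets in the comment above), keep only the roles whose trust policy lets ec2.amazonaws.com assume them, then map those roles through their instance profiles to instances and report the fields requested in the last comment (name tag, all tags, region, plus the public IP so the reviewer can see whether the host is exposed). Everything here is constructed sample data shaped like the IAM and EC2 API responses; the policy evaluation is deliberately simplified (Allow/Deny on Action wildcards only, no Conditions or Resource scoping), and the INSTANCE_PROFILES map stands in for what list-instance-profiles-for-role would return. Those simplifications and the data are assumptions of this example, not behaviour of the project.

```python
"""Offline sketch: which EC2-assumable IAM roles grant a given action, and
which instances carry them.  Simplified policy evaluation (see lead-in)."""
import fnmatch

# --- constructed sample data (not from any real account) ---
ROLES = [
    {   # trusted by EC2, full S3 access: the configuration the issue is about
        "RoleName": "web-app-role",
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "ec2.amazonaws.com"}}]},
        "Policies": [{"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
    },
    {   # grants the privilege, but only Lambda can assume it
        "RoleName": "bucket-lister-lambda",
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "lambda.amazonaws.com"}}]},
        "Policies": [{"Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}]}],
    },
    {   # trusted by EC2, broad S3 allow but an explicit Deny on the action
        "RoleName": "ec2-describe-only",
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": ["ec2.amazonaws.com"]}}]},
        "Policies": [{"Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}],
    },
]
# instance-profile name -> role names it carries (assumed stand-in for the API)
INSTANCE_PROFILES = {"web-app-profile": ["web-app-role"],
                     "ec2-describe-only": ["ec2-describe-only"]}
# "Region" is not in DescribeInstances output; it is the region the call was made in
INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f6a7b8", "Region": "us-east-1",
     "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-app-profile"},
     "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0b2c3d4e5f6a7b8c9", "Region": "eu-west-1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-describe-only"},
     "Tags": [{"Key": "Name", "Value": "batch-1"}]},
    {"InstanceId": "i-0c3d4e5f6a7b8c9d0", "Region": "us-east-1",
     "Tags": [{"Key": "Name", "Value": "no-profile"}]},
]


def _as_list(value):
    """IAM documents use a bare string or a list interchangeably."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and '*' is a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_trusts_service(role, service="ec2.amazonaws.com"):
    """True if the trust policy lets `service` call sts:AssumeRole on the role."""
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and service in _as_list(principal.get("Service")):
            return True
    return False


def role_grants_action(role, action):
    """Simplified evaluation: an Allow matching the action wins unless any Deny matches."""
    allowed = denied = False
    for policy in role.get("Policies", []):
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
    return allowed and not denied


def _tag(instance, key):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)


def find_instances_with_privilege(action, roles=ROLES, profiles=INSTANCE_PROFILES,
                                  instances=INSTANCES):
    """One finding per (role, instance) where the role is EC2-assumable, grants
    `action`, and is attached to the instance through its instance profile."""
    candidate_roles = {r["RoleName"] for r in roles
                       if role_trusts_service(r) and role_grants_action(r, action)}
    findings = []
    for inst in instances:
        profile_name = inst.get("IamInstanceProfile", {}).get("Arn", "").rsplit("/", 1)[-1]
        for role_name in profiles.get(profile_name, []):
            if role_name in candidate_roles:
                findings.append({
                    "role": role_name, "instance_id": inst["InstanceId"],
                    "name": _tag(inst, "Name"), "region": inst["Region"],
                    "public_ip": inst.get("PublicIpAddress"),
                    "tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])}})
    return findings


if __name__ == "__main__":
    for finding in find_instances_with_privilege("s3:ListAllMyBuckets"):
        print(finding)
```

Run as-is, only web-1 in us-east-1 is reported: the Lambda-only role is dropped at the trust-policy step, and ec2-describe-only is dropped because of its explicit Deny even though s3:* would otherwise match. Against a real account the same structure applies, with the sample lists replaced by the role, instance-profile and instance data cloudmapper already collects.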

0xdabbad00 commented 5 years ago

:thumbsup: I've renamed this task so I can track it better