duo-labs / cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
BSD 3-Clause "New" or "Revised" License

Redo IAM <-> API translation #21

Open 0xdabbad00 opened 6 years ago

0xdabbad00 commented 6 years ago

I've learned a lot more about IAM vs API naming since the initial development of CloudTracker and recorded those here: https://summitroute.com/blog/2018/06/28/aws_iam_vs_api_vs_cloudtrail/

I should download the list of IAM privileges from the Policy Generator and the list of API calls and make a giant dictionary. Additionally, Will Bengtson has mentioned to me that he has a way of generating the CloudTrail logs for all of the calls to ensure the naming is accurate between all 3 places. This should probably just look like:

{
  api: '',
  cloudtrail: '',
  iam: '',
  data: False
}

Where data would mean whether or not you need data level logging turned on.

0xdabbad00 commented 5 years ago

This issue is mostly dependent on https://github.com/willbengtson/trailblazer-aws/issues/2

0xdabbad00 commented 5 years ago

Some of this is also currently broken. For example, for S3, if a user has s3:* and has not called ListBuckets, you end up with: ? s3:listallmybuckets, which is wrong, as that action is recorded, so it should be - s3:listallmybuckets. If they have used that call, then the results show up correctly as s3:listallmybuckets.
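As an added illustration of the translation table sketched in the first comment and the ListBuckets case described in the last one (example code written for this page, not CloudTracker's or the author's own; the table entries, the marker semantics and the sample events are constructed assumptions):

```python
# Added example, not CloudTracker code. A small IAM <-> API <-> CloudTrail
# translation table in the {api, cloudtrail, iam, data} shape sketched above,
# plus the classification CloudTracker's output implies:
#   '+' seen in CloudTrail, '-' allowed but never seen, '?' cannot be decided.
# Entries and sample events are constructed for illustration.
import fnmatch

# One record per call: API name, CloudTrail eventName, IAM action, and whether
# the call is only recorded when data-event logging is turned on.
TRANSLATIONS = [
    {"api": "ListBuckets", "cloudtrail": "ListBuckets", "iam": "s3:ListAllMyBuckets", "data": False},
    {"api": "GetObject", "cloudtrail": "GetObject", "iam": "s3:GetObject", "data": True},
    {"api": "DescribeInstances", "cloudtrail": "DescribeInstances", "iam": "ec2:DescribeInstances", "data": False},
]


def iam_action_from_event(event_source, event_name):
    """Map a CloudTrail (eventSource, eventName) pair to a lowercased IAM action."""
    service = event_source.split(".")[0]  # "s3.amazonaws.com" -> "s3"
    for rec in TRANSLATIONS:
        if rec["cloudtrail"] == event_name and rec["iam"].lower().startswith(service + ":"):
            return rec["iam"].lower()
    return None  # no translation known for this event


def classify(allowed_patterns, events, data_logging=False):
    """Return {iam_action: marker} for every table action matched by the policy's
    (possibly wildcarded, e.g. 's3:*') allowed actions.
    '+' the matching call appears in the CloudTrail events,
    '-' allowed but never called (the call IS recorded, so absence is meaningful),
    '?' undecidable: the call is a data event and data-event logging is off."""
    used = {iam_action_from_event(src, name) for src, name in events}
    result = {}
    for rec in TRANSLATIONS:
        action = rec["iam"].lower()
        if not any(fnmatch.fnmatch(action, p.lower()) for p in allowed_patterns):
            continue
        if action in used:
            result[action] = "+"
        elif rec["data"] and not data_logging:
            result[action] = "?"
        else:
            result[action] = "-"
    return result


if __name__ == "__main__":
    # s3:* granted, ListBuckets never called: ListAllMyBuckets is '-' (not '?'),
    # while GetObject is '?' because data-event logging is off.
    for action, marker in sorted(classify(["s3:*"], []).items()):
        print(marker, action)
```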