CloudTracker Output

[Subham-Sarkar-grokr]

Having an issue with the CloudTracker output. According to the documentation CloudTracker shows a diff of the privileges granted vs used. The symbols mean the following: "No symbol" means this privilege is used, so leave it as is.

• A minus sign means the privilege was granted, but not used, so you should remove it. ? A question mark means the privilige was granted, but it is unknown if it was used because it is not recorded in CloudTrail.
  • A plus sign means the privilege was not granted, but was used. The only way this is possible is if the privilege was previously granted, used, and then removed, so you may want to add that privilege back.

I just needed to understand something about the output. For eg, the output to check the privileges for "X" role, lets say I got "+ iam:createrole" which means that privilege was previously granted and used but later removed, according to the documentation. But the "X" role has the permission to create roles, so the output should have been "no symbol" instead of "+" to iam:createrole. Am i right? Can anyone clarify this?

[0xdabbad00]

The situation you are describing sounds like there is potentially a bug in CloudTracker if true. CloudTracker does have issues with figuring out the translation between some IAM privilege names and the action recorded in CloudTrail (for example the privilege s3:ListAllMyBuckets correlates to the API and CloudTrail recorded action s3:ListBuckets). The privilege and corresponding action for iam:CreateRole should be the same though, so that shouldn't be a problem.

[Subham-Sarkar-grokr]

Yes, if a privilege is allowed for the role and it is been used, the CloudTracker distinguishes it with a "no symbol" whereas if it is not allowed yet being used it comes under the "+" (plus) symbol category. In my case, not only for iam:CreateRole but there were many other actions which were allowed and used but the CloudTracker tracks it as "+" (plus) symbol which should not be the case, as it is clear that it should be tracked with "no symbol" in its output.

The "-" (minus) symbols were accurate though. Its the "+" (plus) and "no symbol" that I am concerned about in its output. Most of the actions which were allowed and used were tracked with "+" symbol. This is the issue I am facing with it.

[0xdabbad00]

It sounds like something is wrong. My guess is the IAM policy data you have is incorrect somehow.

[Subham-Sarkar-grokr]

We are using this aws cli command "get-account-authorization-details" to get a copy of the IAM data right. It is correct.

[4patelr]

I am having the same issue with the "+" showing up even though the Role has the IAM permission. I believe it is related to a mismatch of what is in CloudTrail vs the permission on the policy. For instance, s3:putbucketencryption is reported in CloudTrail and the IAM Permission is s3:PutEncryptionConfiguration