
IAM

Authentication

Tool Description
consoleme A web service that makes AWS IAM permissions and credential management easier for end-users and cloud administrators
AWSume A utility for easily assuming AWS IAM roles from the command line
key-conjurer Uses AWS STS to create temporary AWS API credentials for accessing our AWS infrastructure programmatically
leapp Leapp is the DevTool to access your cloud
iam-identity-center-team Temporary elevated access management (TEAM): an open-source temporary elevated access solution for AWS IAM Identity Center

Policy Creation/Linting

Tool Description
Parliament AWS IAM Policy Linter
Policy Sentry
Action Hero
  • Sidecar style utility to assist with creating least privilege IAM Policies for AWS
  • Action Hero provides a means to capture all required permissions during the more permissive iterations to make it easier to create an IAM role with just the required permissions
Effective Actions for IAM
  • After you have input your policy JSON, you will see a list of allowed actions by resource; permissions in AWS require an explicit allow to be permitted
iamlive Generate basic AWS IAM policies using client-side monitoring of calls made from the AWS CLI or SDKs
iamfast A VS Code plug-in that generates AWS IAM policies from your code
pike Pike is a tool for determining the permissions or policy required for IaC code
AWS IAM Policy Generator A tool which helps craft AWS IAM Policies and convert them to IaC
iamzero
  • Detects identity and access management issues and automatically suggests least-privilege policies
  • It does this by capturing errors in applications you build or commands that you run which use
aws-lint-iam-policies
  • Runs IAM policy linting and security checks against either a single AWS account or a set of member accounts of an AWS Organization
  • Dumps all supported identity-based and resource-based policies to a local directory and reports on those that may violate security best practices or contain errors

Find Creep/Drift/Overprivilege

Tool Description
Cloudsplaining
  • Scans accounts for violations of Least Privilege and identifies policies that can lead to Privilege Escalation, Data Exfiltration, Resource Exposure, and Infrastructure Modification
terraform-iam-policy-validator
  • A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practices
aws-sso-reporter
  • This tool uses the AWS SSO API to list all users, accounts, permission sets etc. and dumps them into a CSV file for additional parsing or viewing
IAM APE
apeman AWS Attack Path Management Tool

Integrations

Tool Description
IAM-Orgs
  • Share AWS resources with groups of AWS accounts in AWS Organizations
  • Reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in IAM
  • Use the condition key aws:PrincipalOrgPaths in your policies to allow or deny access based on a principal's membership in an OU
awslabs/ssosync Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
gcp-oidc-aws A Terraform module that creates a GCP Workload Identity Federation to allow AWS workloads to authenticate to GCP via a GCP Service Account, without storing service account keys