IAM

Find Creep/Drift/Overprivilege¶

Tool	Description
Repokid	Remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account
Cloudsplaining	Scans accounts for violations of Least Privilege and identifies policies that can lead to Privilege Escalation, Data Exfiltration, Resource Exposure, and Infrastructure Modification
AirIAM	Compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the exiting IAM management method
CloudTracker	Helps find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies
AWS Key Disabler	A small lambda script that will disable access keys older than a given amount of days
SkyArk	Discover most privileged entities in the target AWS/Azure environments, including Shadow Admins
SkyWrapper	Analyzes behaviors of temporary tokens Aims to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account The tool analyzes the AWS account, and creating an excel sheet includes all the currently living temporary tokens

Tool	Description
Parliament	AWS IAM Policy Linter Analyzing IAM Policies at Scale with Parliament
Policy Sentry	IAM Least Privilege Policy Generator Salesforce Cloud Security: Automating Least Privilege in AWS IAM with Policy Sentry
Action Hero	Sidecar style utility to assist with creating least privilege IAM Policies for AWS Action Hero provides a means to capture all required permissions during the more permissive iterations to make it easier to create an IAM role with just the required permissions
Effective Actions for IAM	After you have input your policy JSON, you will see a list of allowed actions by resource; permissions in AWS require an explict allow to be permitted

Tool	Description
AWSume	A utility for easily assuming AWS IAM roles from the command line
key-conjurer	Uses AWS STS to create temporary AWS API credentials for accessing our AWS infrastructure programmatically
gimme-aws-creds	CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS
Metadataproxy	A proxy for AWS's metadata service that gives out scoped IAM credentials from STS

Tool	Description
IAM-EKS	Fine-Grained IAM Roles for Service Accounts for EKS AWS just made pods first class citizens in IAM: rather than intercepting the requests to the EC2 metadata API to perform a call to the STS API to retrieve temporary credentials, AWS made changes in the identity APIs to recognize Kubernetes pods By combining an OpenID Connect (OIDC) identity provider and Kubernetes service account annotations, you can now use IAM roles at the pod level
IAM-Orgs	Share AWS resources with groups of AWS accounts in AWS Organizations Reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in IAM New condition key, aws:PrincipalOrgPaths, in your policies to allow or deny access based on a principal’s membership in an OU
aws-iam-authenticator	Use AWS IAM credentials to authenticate to a Kubernetes cluster
guard	Kubernetes Webhook Authentication server. Using guard, you can log into your Kubernetes cluster using various auth providers such as Azure, Google, etc.