check_user.py
Checks whether the given credentials are known canary tokens and, if they are not, checks the user's permissions, printing the inline policies, the attached policies and the group policies.
The user under test may lack the minimal privileges needed for these IAM calls; in that case the script reports which permission is missing.
It takes as input either a profile (specified by the -p parameter) or a set of credentials. The code: https://github.com/lilloX/aws-toolbox/blob/master/Recognition/check_user.py
usage: check_user.py [-h] [-v] [-c] [-l | -p PROFILE] [-u ACCESSKEYID]
[-s SECRETACCESSKEYID] [-t SECURITYTOKEN]
Check the AWS credentials to understand the permissions associated
optional arguments:
-h, --help show this help message and exit
-v increase output verbosity, show JSON documents
-c stealth mode, run only the canary token check
-l list available profiles
-p PROFILE check a user from the available profiles
Credentials mode:
-u ACCESSKEYID Access Key Id
-s SECRETACCESSKEYID Secret Access Key Id
-t SECURITYTOKEN Session token
Usage examples
List the available AWS profiles:
(venv) ➜ git:(master) ✗ python check_user.py -l
[*] Available profiles
default
lillox
canary
Check a canary token
(venv) ➜ Recognition git:(master) ✗ python check_user.py -p canary
[*] Using canary profile
[!] Canary token detected, quit
Check a low-privilege user
(venv) ➜ Recognition git:(master) ✗ python check_user.py -p lillox
[*] Using lillox profile
[+] Not a know canary token
Account ID: 204[redacted]84
User Name :lillo User ID: AI[redacted]YA
[!] User: arn:aws:iam::204242959184:user/lillo is not authorized to perform: iam:ListGroupsForUser on resource: user lillo
[*] Inline User Policies and policy documents
[!] User: arn:aws:iam::204242959184:user/lillo is not authorized to perform: iam:ListUserPolicies on resource: user lillo
[*] Attached User Policies and policy documents
[!] User: arn:aws:iam::204242959184:user/lillo is not authorized to perform: iam:ListAttachedUserPolicies on resource: user lillo
[*] Group(s) Policies and policy documents
If the user has sufficient permissions, the groups are listed as well. Checking an admin user with the -v flag enables printing of the policy documents:
(venv) ➜ Recognition git:(master) ✗ python check_user.py -p lillox2 -v
[*] Using lillox2 profile
[+] Not a know canary token
Account ID: 20[redacted]84
User Name :lillo User ID: AI[redacted]XA
Group: admin
[*] Inline User Policies and policy documents
[+] Inline Policies: ['test-policy-inline-user']
[+] Policy document for test-policy-inline-user
{
"UserName": "lillo",
"PolicyName": "test-policy-inline-user",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
},
"ResponseMetadata": {
"RequestId": "12e125ae-09d5-49f5-b199-5e62ff91d638",
"HTTPStatusCode": 200,
"HTTPHeaders": {
"x-amzn-requestid": "12e125ae-09d5-49f5-b199-5e62ff91d638",
"content-type": "text/xml",
"content-length": "845",
"date": "Thu, 07 Nov 2019 17:00:16 GMT"
},
"RetryAttempts": 0
}
}
[*] Attached User Policies and policy documents
[+] Attached Policies: [{'PolicyName': 'AmazonEC2ContainerRegistryReadOnly', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly'}]
[+] Policy document for AmazonEC2ContainerRegistryReadOnly
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage"
],
"Resource": "*"
}
]
}
[*] Group(s) Policies and policy documents
[+] Inline Policies for the admin group: ['test-policy-inline-group']
[+] Policy document for test-policy-inline-group
{
"GroupName": "admin",
"PolicyName": "test-policy-inline-group",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1573145690000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
]
}
]
},
"ResponseMetadata": {
"RequestId": "e80f9e04-34fc-4c6a-acf7-189f006450aa",
"HTTPStatusCode": 200,
"HTTPHeaders": {
"x-amzn-requestid": "e80f9e04-34fc-4c6a-acf7-189f006450aa",
"content-type": "text/xml",
"content-length": "1049",
"date": "Thu, 07 Nov 2019 17:00:16 GMT"
},
"RetryAttempts": 0
}
}
[+] Attached Policies for the admin group: [{'PolicyName': 'ReadOnlyAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/ReadOnlyAccess'}]
[+] Policy document for ReadOnlyAccess
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"a4b:Get*",
"a4b:List*",
"a4b:Describe*",
"a4b:Search*",
[... cut ...]
"xray:BatchGet*",
"xray:Get*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
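The policy documents printed above can be audited offline for over-broad grants. The following is an added example, not code from aws-toolbox: it works on constructed copies of the inline user, attached user and inline group documents shown above (the ReadOnlyAccess document is omitted because it is cut) and assumes the response shapes visible in the output, where inline policies carry a PolicyDocument envelope and a managed policy's document is returned bare.

```python
import fnmatch

# Constructed copies of the policy documents printed above (ResponseMetadata
# dropped). Inline user/group policies carry a "PolicyDocument" envelope,
# while a managed policy's document is returned bare.
INLINE_USER = {"UserName": "lillo", "PolicyName": "test-policy-inline-user",
               "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                   {"Sid": "VisualEditor0", "Effect": "Allow",
                    "Action": "s3:*", "Resource": "*"}]}}
ATTACHED_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories", "ecr:ListImages",
                "ecr:DescribeImages", "ecr:BatchGetImage"]}]}
INLINE_GROUP = {"GroupName": "admin", "PolicyName": "test-policy-inline-group",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Sid": "Stmt1573145690000", "Effect": "Allow",
                     "Action": ["ec2:*"], "Resource": ["*"]}]}}


def _as_list(value):
    """IAM accepts a bare string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def statements(policy):
    """Return the Statement list, unwrapping a PolicyDocument envelope if present."""
    doc = policy.get("PolicyDocument", policy)
    return _as_list(doc.get("Statement"))


def wildcard_grants(policy):
    """Actions of Allow statements on Resource '*' that are '*' or service-wide ('svc:*')."""
    found = []
    for stmt in statements(policy):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        found.extend(a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*"))
    return found


def allows(policies, action):
    """True if any Allow statement grants `action`. IAM action matching is
    case-insensitive and '*' is a glob; Deny statements and Conditions are ignored."""
    wanted = action.lower()
    return any(stmt.get("Effect") == "Allow"
               and any(fnmatch.fnmatchcase(wanted, p.lower()) for p in _as_list(stmt.get("Action")))
               for pol in policies for stmt in statements(pol))
```

Run over the three documents, wildcard_grants flags s3:* (inline user) and ec2:* (inline group) while the ECR managed policy is scoped to named actions; allows() answers whether a concrete action such as ec2:TerminateInstances is reachable through any of them.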