Skip to content

Create a Neo4J graph of users and roles trust policies within an AWS Organization.

Notifications You must be signed in to change notification settings

DaveYesland/aws_org_explorer

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS_ORG_MAPPER

This tool uses sso-oidc to authenticate to the AWS organization. Once authenticated the tool will attempt to enumerate all users and roles in the organization and map their trust relations.

The graph can be explored using Neo4j desktop or web client. Below you can find some sample queries that can help extract useful information from the graph.

Using this tool users can discover how role trusts are delegated in the organization and can help identify improve account isolation within the organization. For example, if there exists a role assumption path between two accounts the graph will be able to identify which roles and users are used to connect two accounts.

Requirements

  • Neo4j
  • boto3
  • AWS SSO Account
  • py2neo

How to Use with SSO

  1. Install the Python3 requirements with pip3 install -r requirements.txt

  2. Install Neo4j and add the connection details to config.py.

  3. Configure the SSO organization URL in config.py.

  4. Run the tool with python3 mapper.py

If there is no token file stored in the directory the SSO auth flow will start. The instructions and device link will be printed to the console. After auth, the SSO token will be saved to ./token. If you wish to run the tool on a new org make sure to delete the old ./token file.

The tool will attempt to use the first valid role associated with the SSO account. If there is access denied the tool will move the next available role within the account.

Once completed the graph is generated in Neo4j. Using the sample queries below or designed your own by referencing the structure in ## Graph Structure you can begin to extract information about the organization.

How to Use with AWS profiles

  1. Install the Python3 requirements with pip3 install -r requirements.txt

  2. Install Neo4j and add the connection details to config.py.

  3. Run the tool with all the profiles you want to include as arguments python3 mapper.py profile1 profile2 profile3 ...

Notes

Does not currently support SAML Providers or SAML conditions.

I am currently not planning on implementing an interface for this tool as it serves more as an import tool for neo4j. I will be continuing to implement a better interface for the CLI to give the user more control over the execution.

Example Queries

  • List all Accounts

    MATCH (a:Account) RETURN A

  • List all Roles

    MATCH (r:Role) RETURN R

  • List all users

    MATCH (u:User) RETURN u

  • Count number of cross-account relations

    MATCH p=(A:Account)-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account) RETURN COUNT(p)

  • Find all paths between account A and account B

    MATCH p=(A:Account {accountId: "111111111"})-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account {accountId: "222222222"}) RETURN p

  • Find all routes from account A to any account

    MATCH p=(A:Account {accountId: "111111111"})-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account) RETURN p

  • Find all roles that trust ":root" of an account.

    MATCH p=(a:Account)-[:ASSUMES]->(:Role) RETURN p

  • Find all roles assumed by a specific service.

    MATCH p=(:Service {Service: "lambda"})-[:ASSUMES]->(r:Role) WHERE r.accountID = "11111111111" RETURN p

Graph Structure

Nodes and Attributes

  • Role

    • Arn
    • RoleId
    • RoleName
    • accountId
  • Account

    • accountId
    • accountName
    • emailAddress
  • User

    • Arn
    • UserName
    • accountId
  • Service

    • Service (lambda.amazonaws.com)

Node Relations

  • Account -[OWNS]->(Role/User)
  • Account -[ASSUMES]-> (Role)
  • Role -[ASSUMES]-> (Role)
  • User -[ASSUMES]-> (Role)
  • Service -[ASSUMES]-> (Role)

Acknowledgment

Thanks to Christophe Tafani-Dereeper for the sso device auth code. Their code can be found here.

https://github.com/christophetd/aws-sso-device-code-authentication

About

Create a Neo4J graph of users and roles trust policies within an AWS Organization.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%