This tool uses sso-oidc to authenticate to the AWS organization. Once authenticated the tool will attempt to enumerate all users and roles in the organization and map their trust relations.
The graph can be explored using Neo4j desktop or web client. Below you can find some sample queries that can help extract useful information from the graph.
Using this tool users can discover how role trusts are delegated in the organization and can help identify improve account isolation within the organization. For example, if there exists a role assumption path between two accounts the graph will be able to identify which roles and users are used to connect two accounts.
- Neo4j
- boto3
- AWS SSO Account
- py2neo
-
Install the Python3 requirements with
pip3 install -r requirements.txt
-
Install Neo4j and add the connection details to
config.py
. -
Configure the SSO organization URL in
config.py
. -
Run the tool with
python3 mapper.py
If there is no token
file stored in the directory the SSO auth flow will start. The instructions and device link will be printed to the console. After auth, the SSO token will be saved to ./token
. If you wish to run the tool on a new org make sure to delete the old ./token
file.
The tool will attempt to use the first valid role associated with the SSO account. If there is access denied the tool will move the next available role within the account.
Once completed the graph is generated in Neo4j. Using the sample queries below or designed your own by referencing the structure in ## Graph Structure
you can begin to extract information about the organization.
-
Install the Python3 requirements with
pip3 install -r requirements.txt
-
Install Neo4j and add the connection details to
config.py
. -
Run the tool with all the profiles you want to include as arguments
python3 mapper.py profile1 profile2 profile3 ...
Does not currently support SAML Providers or SAML conditions.
I am currently not planning on implementing an interface for this tool as it serves more as an import tool for neo4j. I will be continuing to implement a better interface for the CLI to give the user more control over the execution.
-
List all Accounts
MATCH (a:Account) RETURN A
-
List all Roles
MATCH (r:Role) RETURN R
-
List all users
MATCH (u:User) RETURN u
-
Count number of cross-account relations
MATCH p=(A:Account)-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account) RETURN COUNT(p)
-
Find all paths between account A and account B
MATCH p=(A:Account {accountId: "111111111"})-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account {accountId: "222222222"}) RETURN p
-
Find all routes from account A to any account
MATCH p=(A:Account {accountId: "111111111"})-[:OWNS]->(x)-[:ASSUMES]->(y)<-[:OWNS]-(B:Account) RETURN p
-
Find all roles that trust ":root" of an account.
MATCH p=(a:Account)-[:ASSUMES]->(:Role) RETURN p
-
Find all roles assumed by a specific service.
MATCH p=(:Service {Service: "lambda"})-[:ASSUMES]->(r:Role) WHERE r.accountID = "11111111111" RETURN p
-
Role
- Arn
- RoleId
- RoleName
- accountId
-
Account
- accountId
- accountName
- emailAddress
-
User
- Arn
- UserName
- accountId
-
Service
- Service (lambda.amazonaws.com)
- Account -[OWNS]->(Role/User)
- Account -[ASSUMES]-> (Role)
- Role -[ASSUMES]-> (Role)
- User -[ASSUMES]-> (Role)
- Service -[ASSUMES]-> (Role)
Thanks to Christophe Tafani-Dereeper for the sso device auth code. Their code can be found here.
https://github.com/christophetd/aws-sso-device-code-authentication