Script for analyzing the compliance of your AWS account based on the adversary techniques on the MITRE ATT&CK Iaas Matrix.
- It is necessary to have Python3 installed with the packages boto3 and termcolor
- The packages can be installed with the following command:
pip3 install boto3 termcolor
- The script needs the following permissions to run all the checks:
cloudtrail:describetrails
config:describeconfigurationrecorderstatus
guardduty:listdetectors
inspector:listassessmenttemplates
inspector:listassessmentruns
inspector:describeassessmentruns
ec2:describeflowlogs
ec2:describevolumes
ec2:describevpcs
ec2:describesecuritygroups
s3:getaccountpublicaccessblock
s3:ListAllMyBuckets
s3:GetBucketPublicAccessBlock
s3:GetEncryptionConfiguration
s3:GetBucketVersioning
iam:GetAccountSummary
iam:ListUsers
iam:ListAccessKeys
iam:ListMFADevices
iam:GetServiceLastAccessedDetails
iam:ListVirtualMFADevices
iam:GenerateServiceLastAccessedDetails
iam:GetAccountPasswordPolicy
- To facilitate the creation of these permissions, this repository has a CloudFormation template to automatically deploy an user with the necessary permissions.
- Once the stack is created with the template, it gives you the access and secret keys of the new user in the Output Section.
- Finally, both the output credentials and the region to be analyzed must be configured locally through the following command:
aws configure
- The following parameters can be customized in some functions:
| Function | Input Parameter | Description |
|---|---|---|
| inactive_users | days_without_access | Days without access of a user to be considered as inactive. |
| access_keys_rotation | keys_older_than_days | Days old of the access keys so that they are rotated. |
| s3_public_access | account | AWS account where you want to verify the public access policies of S3. |
| strong_password_policy | password_length, password_expiration_days, last_passwords_reuse | Minimum length and maximum expiration days of user passwords, and the number of last passwords that cannot be reused, required in the password policy of the AWS account. |
| least_privilege_iam | JobId | Job ID that the user has previously generated with the AWS call generate_service_last_accessed_details(Arn=,Granularity='ACTION_LEVEL'), choosing the entity to analyze. |
| days_without_being_used | Days without using a service and / or actions by an entity for it to be considered as unused. | |
| inspector_enabled | days_since_last_assessment | Days since the last Inspector evaluation to be considered non-compliant. |
- Once the user is created and the credentials were configured, the script can be executed with:
python3 main.py
- The functions of the script can mitigate the following adversary techniques that are describe in the IaaS Matrix:
- 1.0
- Initial Release