CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
Intro post: https://duo.com/blog/introducing-cloudtracker-an-aws-cloudtrail-log-analyzer
This document will describe the setup that uses Athena and how to use the tool. CloudTracker no longer requires ElasticSearch, but if you'd like to use CloudTracker with ElasticSearch please see ElasticSearch installation and ingestion.
python3 -m venv ./venv && source venv/bin/activate
pip install cloudtracker
Note: To install with ElasticSearch support, see the ElasticSearch docs.
Download a copy of the IAM data of an account using the AWS CLI:
mkdir -p account-data
aws iam get-account-authorization-details > account-data/demo_iam.json
Create a config.yaml file with contents similar to:
athena:
s3_bucket: my_log_bucket
path: my_prefix
accounts:
- name: demo
id: 111111111111
iam: account-data/demo_iam.json
This assumes your CloudTrail logs are at s3://my_log_bucket/my_prefix/AWSLogs/111111111111/CloudTrail/
Set my_prefix to '' if you have no prefix.
If your CloudTrail is managed through an organisation you can configure this in the athena section:
athena:
s3_bucket: my_log_bucket
path: my_prefix
org_id: o-myid123
CloudTracker uses boto and assumes it has access to AWS credentials in environment variables, which can be done by using aws-vault.
You will need the privilege arn:aws:iam::aws:policy/AmazonAthenaFullAccess and also s3:GetObject and s3:ListBucket for the S3 bucket containing the CloudTrail logs.
Once you're running in an aws-vault environment (or otherwise have your environment variables setup for an AWS session), you can run:
cloudtracker --account demo --list users
This will perform all of the initial setup which takes about a minute. Subsequent calls will be faster.
CloudTracker does not currently clean up after itself, so query results are left behind in the default bucket aws-athena-query-results-ACCOUNT_ID-REGION.
If you wanted to get rid of all signs of CloudTracker, remove the query results from that bucket and in Athena run DROP DATABASE cloudtracker CASCADE
CloudTracker provides command line options to list the users and roles in an account. For example:
$ cloudtracker --account demo --list users --start 2018-01-01
alice
- bob
charlie
In this example, a list of users was obtained from the the IAM information and then from CloudTrail logs it was found that the user "bob" has no record of being used since January 1, 2018, and therefore CloudTracker is advising the user's removal by prefixing the user with a "-".
Note that not all AWS activities are stored in CloudTrail logs. Specifically, data level events such as reading and writing S3 objects, putting CloudWatch metrics, and more. Therefore, it is possible that "bob" has been active but only with actions that are not recorded in CloudTrail. Note also that you may have users or roles that are inactive that you may still wish to keep around. For example, you may have a role that is only used once a year during an annual task. You should therefore use this output as guidance, but not always as instructions.
You can also list roles.
$ cloudtracker --account demo --list roles --start 2018-01-01
admin
The main purpose of CloudTracker is to look at the API calls made by actors (users and roles). Let's assume alice has SecurityAditor privileges for her user which grants her the ability to List and Describe metadata for resources, plus the ability to AsssumeRole to the admin role. We can see her actions:
cloudtracker --account demo --user alice
...
cloudwatch:describealarmhistory
cloudwatch:describealarms
- cloudwatch:describealarmsformetric
- cloudwatch:getdashboard
? cloudwatch:getmetricdata
...
+ s3:createbucket
...
A lot of actions will be shown, many that are unused, as there are over a thousand AWS APIs, and most people tend to only use a few. In the snippet above, we can see that she has called DescribeAlarmHistory and DescribeAlarms. She has never called DescribeAlarmsForMetric or GetDashboard even though she has those privileges, and it is unknown if she has called GetMetricData as that call is not recorded in CloudTrail. Then further down I notice there is a call to CreateBucket that she made, but does not have privileges for. This can happen if the actor previously had privileges for an action and used them, but those privileges were taken away. Errors are filtered out, so if the actor made a call but was denied, it would not show up as used.
As there may be a lot of unused or unknown actions, we can filter things down:
cloudtracker --account demo --user alice --show-used
Getting info on alice, user created 2017-09-02T18:02:14Z
cloudwatch:describealarmhistory
cloudwatch:describealarms
+ s3:createbucket
sts:assumerole
We can do the same thing for roles. For example:
cloudtracker --account demo --role admin --show-used
Getting info for role admin
s3:createbucket
iam:createuser
CloudTracker shows a diff of the privileges granted vs used. The symbols mean the following:
-A minus sign means the privilege was granted, but not used, so you should remove it.?A question mark means the privilige was granted, but it is unknown if it was used because it is not recorded in CloudTrail.+A plus sign means the privilege was not granted, but was used. The only way this is possible is if the privilege was previously granted, used, and then removed, so you may want to add that privilege back.
This functionality is not yet supported with the Athena configuration of CloudTracker.
You may know that alice can assume to the admin role, so let's look at what she did there using the --destrole argument:
cloudtracker --account demo --user alice --destrole admin --show-used
Getting info on alice, user created 2017-09-02T18:02:14Z
Getting info for AssumeRole into admin
s3:createbucket
iam:createuser
You may also know that charlie can assume to the admin role, so let's look at what he did there:
cloudtracker --account demo --user charlie --destrole admin --show-used
Getting info on charlie, user created 2017-10-01T01:01:01Z
Getting info for AssumeRole into admin
s3:createbucket
In this example we can see that charlie has only ever created an S3 bucket as admin, so we may want to remove charlie from being able to assume this role or create another role that does not have the ability to create IAM users which we saw alice use. This is the key feature of CloudTracker as identifying which users are actually making use of the roles they can assume into, and the actions they are using there, is difficult without a tool like CloudTracker.
Amazon has advocated the use of multiple AWS accounts in much of their recent guidance. This helps reduce the blast radius of incidents, among other benefits. Once you start using multiple accounts though, you will find you may need to rethink how you are accessing all these accounts. One way of working with multiple accounts will have users assuming roles into different accounts. We can analyze the role assumptions of users into a different account the same way we did previously for a single account, except this time you need to ensure that you have CloudTrail logs from both accounts of interest are loaded into ElasticSearch.
cloudtracker --account demo --user charlie --destaccount backup --destrole admin --show-used
Getting info on charlie, user created 2017-10-01T01:01:01Z
Getting info for AssumeRole into admin
s3:createbucket
In this example, we used the --destaccount option to specify the destination account.
CloudTracker has two long text files that it uses to know what actions exist.
This file contains all possible AWS API calls that can be made. One use of this is for identifying privileges granted by an IAM policy when a regex has been used, such as expanding s3:*.
This file was created by running:
git clone --depth 1 -b master https://github.com/boto/botocore.git
find botocore/botocore/data -name *.json | xargs cat | jq -r 'select(.operations != null) as $parent | .operations | keys | .[] | $parent.metadata.endpointPrefix +":"+.' | sort | uniq > aws_actions.txt
This file contains the AWS API calls that are recorded in CloudTrail logs. This is used to identify when the status of a privilege is "unknown" (ie. not known whether it has been used or not).
This file was creating by copying aws_actions.txt and removing events manually based on the CloudTrail user guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/awscloudtrail-ug.pdf) in the section "CloudTrail Supported Services" and following the links to the various services and reading through what is and isn't supported.