bridgecrewio / airiam
Least privilege AWS IAM Terraformer
Home Page: https://airiam.io
License: Apache License 2.0
Related to #46, the output of airiam terraform produces an aws_iam_role which will remove the permissions_boundary.
Repro steps:
1. Have an IAM role with a boundary policy.
2. Run airiam terraform
3. cd results; terraform plan -target
e.g.:
$ terraform plan -target aws_iam_role.TerraformerRole
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.aws_iam_policy_document.TerraformerRole_assume_role_policy_document: Refreshing state...
aws_iam_role.TerraformerRole: Refreshing state... [id=TerraformerRole]
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_iam_role.TerraformerRole will be updated in-place
~ resource "aws_iam_role" "TerraformerRole" {
arn = "arn:aws:iam::*snip*:role/pathy/TerraformerRole"
assume_role_policy = *snip*
create_date = "2077-12-09T08:00:00Z"
force_detach_policies = false
id = "TerraformerRole"
max_session_duration = 2077
name = "TerraformerRole"
path = "/pathy/"
- permissions_boundary = "arn:aws:iam::*snip*:policy/pathy/TerraformerRoleBoundary" -> null
~ tags = {
+ "Managed by" = "AirIAM by Bridgecrew"
+ "Managed through" = "Terraform"
"department" = "existing"
"prod" = "lolno"
"ManagedBy" = "terraform"
"moretags" = "snipped away"
}
unique_id = "snip"
}
Plan: 0 to add, 1 to change, 0 to destroy.
Warning: Resource targeting is in effect
You are creating a plan with the -target option, which means that the result
of this plan may not represent all of the changes requested by the current
configuration.
The -target option is not for routine use, and is provided only for
exceptional situations such as recovering from errors or mistakes, or when
Terraform specifically suggests to use it as part of an error message.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Terraform 0.14 releases a backend that is intended to flex into 1.0, and breaking backend changes are supposed to be reduced. AirIAM can generate this backend programmatically instead of relying on terraform import, enhancing the usability of the local cache and reducing the reliance on credentials which may time out during the import process.
Can we have a function or argument to scan more than one AWS account at a time, or individual accounts? As of now it only scans the one in the AWS config, but it would be awesome if we could scan by choosing the AWS config profiles.
$ airiam find_unused
____ __ _____ ____ __ __
/ __ \ |__| _ ____|_ _| / __ \ | \ / |
/ / \ \ __ | |/ ___| | | / / \ \ | |\ \ / /| |
/ /____\ \ | | | / | | / /____\ \ | | \ \/ / | |
/ ______ \_| |_| | _| |_ / ______ \ | \ / | |
/_/ \_\_____|__| |_____|/_/ \_\_| \/ |_|
v0.1.44
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in environment variables.
Getting all IAM configurations for account xxxxxxxxxxxxx
Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
File "/usr/local/bin/airiam", line 5, in <module>
run()
File "/usr/local/Cellar/airiam/0.1.44/libexec/lib/python3.9/site-packages/airiam/main.py", line 29, in run
runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
File "/usr/local/Cellar/airiam/0.1.44/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
File "/usr/local/Cellar/airiam/0.1.44/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration
As a user,
I want to be able to force airiam to use the "cache" file locally
So that I can generate HCL, perform evaluations, and write tests for the tool without having to have any active credentials.
Implement the option to terraform into the new groups
Does anyone know what is wrong in this output? After I execute airiam recommend_groups I get this:
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account XXXXXXXXXXXXX (masked)
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
File "/usr/local/bin/airiam", line 5, in <module>
run()
File "/usr/local/lib/python3.7/dist-packages/airiam/main.py", line 36, in run
report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
File "/usr/local/lib/python3.7/dist-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
File "/usr/local/lib/python3.7/dist-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
File "/usr/local/lib/python3.7/dist-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
if PolicyAnalyzer.policy_is_write_access(policy_document):
File "/usr/local/lib/python3.7/dist-packages/airiam/find_unused/PolicyAnalyzer.py", line 56, in policy_is_write_access
action_map[action_service]['privileges']))
KeyError: 'ecr-public'
First I was very excited about AirIAM, but then it just stopped working, without any changes from my side.
I wonder if there is any Verbose or Debug mode to give more diagnostics output?
Otherwise it's just not clear why it fails like this:
» aws-vault exec .... -- airiam find_unused
____ __ _____ ____ __ __
/ __ \ |__| _ ____|_ _| / __ \ | \ / |
/ / \ \ __ | |/ ___| | | / / \ \ | |\ \ / /| |
/ /____\ \ | | | / | | / /____\ \ | | \ \/ / | |
/ ______ \_| |_| | _| |_ / ______ \ | \ / | |
/_/ \_\_____|__| |_____|/_/ \_\_| \/ |_|
v0.1.48
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in environment variables.
Getting all IAM configurations for account 655028521085
Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
File "/Users/ivan/.asdf/installs/python/3.8.5/bin/airiam", line 5, in <module>
run()
File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/main.py", line 29, in run
runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration
brew tap bridgecrewio/airiam https://github.com/bridgecrewio/airiam
brew update
brew install airiam
airiam is installed
==> Downloading
curl: (3) URL using bad/illegal format or missing URL
Error: airiam: Failed to download resource "airiam--boto3"
Download failed:
Broken URL and SHA:
AirIAM/HomebrewFormula/airiam.rb
Lines 11 to 14 in 79706da
MacOS
No response
python3
2.2.75
N/A
Hello,
I have installed AirIAM on an AmzLinux2 EC2 instance. Installation went through with no issues. I was able to execute the 2 cmds, airiam -h and airiam find_unused, just fine and they returned the expected results. When I tried to run the 'airiam terraform' cmd, I received the following error message:
After reaching out for assistance via slack chat, I was advised to install terraform, and so I did. I have installed terraform where its cmd is globally accessible, without having to cd into the dir where it's installed. I have verified this by running terraform -v and this returned the terraform version with no issue. Strangely enough, when I ran the airiam terraform cmd initially, it created the results dir and all of the .tf files but not the .tfstate.
So I ran airiam terraform again, and I'm still receiving the same error (like the screen capture above). Please provide some guidance.
Python version: 3.7
Terraform v0.12.26
AirIAM version 0.1.31
Amazon Linux 2
Thank you,
Eri W.
Hi
I am facing an error while trying to run any command in AirIAM.
Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
File "/opt/homebrew/bin/airiam", line 5, in <module>
run()
File "/opt/homebrew/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/main.py", line 29, in run
runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
File "/opt/homebrew/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
File "/opt/homebrew/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration
Wondering if you guys were interested in ability to auto-remediate, that is auto-delete unused policies or roles?
Possibly with manual approval, or '-auto-approve' for all. I'm currently writing a bash script to do it, but it could be built into AirIAM itself?
airiam terraform
or airiam recommend_groups
command completes successfully
Error with the following logs
Traceback (most recent call last):
File "/usr/local/bin/airiam", line 5, in <module>
run()
File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
if PolicyAnalyzer.policy_is_write_access(policy_document):
File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
actions = PolicyAnalyzer._get_policy_actions(policy_document)
File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))
MacOS
No response
python 3.9.9
didnt use checkov
Hi Team,
Wondering if AirIAM find_unused supports roles or account ids for accessing different accounts.
My company policy doesn't allow credentials in the .aws/credentials file if I want to set up a single instance for all my environments.
Thanks for your time
I installed using below command and I am getting error as per snapshot
pip3 install airiam --user
Please share tips if you are able to make it work
I then tried pip install requests==2.18.4
and it gave
ERROR: airiam 0.1.29 has requirement requests==2.23.0, but you'll have requests 2.18.4 which is incompatible
Python 3.7.7, pip 20.0.2 from /usr/local/lib/python3.7/site-packages/pip (python 3.7)
Prepare bug report issue form in .github/ISSUE_TEMPLATE/bug.yaml
Prepare documentation issue form in .github/ISSUE_TEMPLATE/documentation.yaml
Prepare feature request issue form in .github/ISSUE_TEMPLATE/feature.yaml
Running airiam recommend_groups on a Mac gives this error:
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account 051349106950
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
File "/usr/local/bin/airiam", line 5, in <module>
run()
File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/main.py", line 36, in run
report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
if PolicyAnalyzer.policy_is_write_access(policy_document):
File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 56, in policy_is_write_access
action_map[action_service]['privileges']))
KeyError: 'airflow'
Hi,
I get the following when trying to execute 'get_unused':
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
Traceback (most recent call last):
File "/home/user/.local/bin/airiam", line 5, in <module>
run()
File "/home/user/.local/lib/python3.8/site-packages/airiam/main.py", line 29, in run
runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
File "/home/user/.local/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 49, in find_unused
unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
File "/home/user/.local/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 69, in find_unused_users
credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration
It pulls and populates the iam_data.json file then throws the error. Currently running v0.1.37.
Currently, when I run airiam find_unused I get a print out to stdout of the information that I'd like, and airiam writes a file iam_data.json to the working directory. I'd like airiam to also write a results file in some format which contains the information that is written to stdout (or an option for it?).
I have a few Policies that exist for exclusive use as iam Boundary policies... they're being flagged as unused, regardless of how long they've been attached as boundaries or how frequently the attached role/user is being used.
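The boundary dropped from the generated aws_iam_role in the terraform issue above and the boundary-only policies flagged as unused in this report are two sides of the same blind spot. As an added example that is not AirIAM's own code, the Python below renders an aws_iam_role block that keeps permissions_boundary and runs an unused-policy check that counts boundary usage as usage; the roles, policies and account id are constructed samples shaped like boto3 output, and PermissionsBoundaryUsageCount is the field IAM's list_policies returns for exactly this purpose.

```python
# Added example (not AirIAM's own code): render an aws_iam_role HCL block from a
# boto3-shaped role dict without dropping permissions_boundary, and exclude
# boundary-only policies from an "unused policies" list.
import json

ACCOUNT = "123456789012"  # constructed sample account id

# Constructed samples, shaped like boto3 iam.list_roles() / list_policies() entries.
SAMPLE_ROLES = [
    {
        "RoleName": "TerraformerRole",
        "Path": "/pathy/",
        "Arn": f"arn:aws:iam::{ACCOUNT}:role/pathy/TerraformerRole",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": "ec2.amazonaws.com"}}],
        },
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": f"arn:aws:iam::{ACCOUNT}:policy/pathy/TerraformerRoleBoundary",
        },
        "Tags": [{"Key": "department", "Value": "existing"}],
    },
    {
        "RoleName": "PlainRole",
        "Path": "/",
        "Arn": f"arn:aws:iam::{ACCOUNT}:role/PlainRole",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
        "Tags": [],
    },
]
SAMPLE_POLICIES = [
    {"Arn": f"arn:aws:iam::{ACCOUNT}:policy/pathy/TerraformerRoleBoundary",
     "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 1},
    {"Arn": f"arn:aws:iam::{ACCOUNT}:policy/ReallyUnused",
     "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 0},
    {"Arn": f"arn:aws:iam::{ACCOUNT}:policy/Attached",
     "AttachmentCount": 2, "PermissionsBoundaryUsageCount": 0},
]


def hcl_str(value) -> str:
    """Quote a value as an HCL string; JSON escaping is valid HCL escaping here."""
    return json.dumps(value)


def render_role(role: dict) -> str:
    """Render one aws_iam_role resource. permissions_boundary is emitted whenever
    the role carries one, so 'terraform plan' does not show it going to null."""
    lines = [
        f'resource "aws_iam_role" "{role["RoleName"]}" {{',
        f'  name                 = {hcl_str(role["RoleName"])}',
        f'  path                 = {hcl_str(role["Path"])}',
        f'  max_session_duration = {int(role["MaxSessionDuration"])}',
        f'  assume_role_policy   = {hcl_str(json.dumps(role["AssumeRolePolicyDocument"]))}',
    ]
    boundary_arn = (role.get("PermissionsBoundary") or {}).get("PermissionsBoundaryArn")
    if boundary_arn:
        lines.append(f'  permissions_boundary = {hcl_str(boundary_arn)}')
    tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
    if tags:
        lines.append("  tags = {")
        lines.extend(f"    {hcl_str(k)} = {hcl_str(v)}" for k, v in sorted(tags.items()))
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def boundary_arns(principals) -> set:
    """Policy ARNs referenced as permissions boundaries by the given roles/users."""
    arns = set()
    for principal in principals:
        arn = (principal.get("PermissionsBoundary") or {}).get("PermissionsBoundaryArn")
        if arn:
            arns.add(arn)
    return arns


def unused_policy_arns(policies, principals) -> list:
    """Policies with no attachments that are also not used as a boundary.
    IAM's own PermissionsBoundaryUsageCount is honoured, and the boundary ARNs
    seen on the principals are checked too, in case that count is absent."""
    in_use_as_boundary = boundary_arns(principals)
    unused = []
    for pol in policies:
        if pol.get("AttachmentCount", 0) > 0:
            continue
        if pol.get("PermissionsBoundaryUsageCount", 0) > 0 or pol["Arn"] in in_use_as_boundary:
            continue
        unused.append(pol["Arn"])
    return unused


if __name__ == "__main__":
    print(render_role(SAMPLE_ROLES[0]))
    print(unused_policy_arns(SAMPLE_POLICIES, SAMPLE_ROLES))
```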
Howdy Bridgecrew,
When viewing the website https://airiam.io/documentation.html there are several formatting bugs. It seems to primarily be around how github flavored markdown code blocks are handled.
Interestingly, these render fine when previewed through github: https://github.com/bridgecrewio/AirIAM/blob/master/docs/documentation.md
so I'd hazard a guess that this is an issue with your hosting/static site generator setup.
I'll send a PR, but it may not fix the issue, if it is hosting/static site generator related.
Browser: Chrome Version 81.0.4044.129 on OSX
version: 0.1.52
Traceback (most recent call last):
File "/app/./airapi/main.py", line 270, in <module>
Process data error
marker()
File "/app/./airapi/main.py", line 260, in marker
Process data error
run_recommend_groups(runtime_report, raw_data, logger, args)
File "/app/./airapi/main.py", line 107, in run_recommend_groups
Process data error
report_with_recommendations = recommend_groups(
File "/usr/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
Process data error
File "/usr/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
File "/usr/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
Process data error
if PolicyAnalyzer.policy_is_write_access(policy_document):
File "/usr/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 55, in policy_is_write_access
Process data error
action_objs = list(filter(lambda privilege_obj: re.match(action_regex, privilege_obj['privilege']),
TypeError: 'NoneType' object is not iterable
Ran $ airiam terraform -l 90
with some simulated data.
Expected 118 roles in the terraform output, got 152.
Missing 34 roles with > 90 days of inactivity.
I get different results between version 0.1.41 and 0.1.42 with the same cache and default day detection settings.
The following 132 roles are unused: (0.1.42)
The following 69 roles are unused: (0.1.41)
Altering the cache for each item that was accessed today (12-03) to yesterday (12-02) shows parity with 0.1.41.
The following 69 roles are unused:
See also this discussion in slack : https://codifiedsecurity.slack.com/archives/C01A47BRV50/p1607037078001600
Hi,
I'm trying to run AirIAM on an AWS account. Getting the following exception:
(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ airiam find_unused -p airiam
____ __ _____ ____ __ __
/ __ \ |__| _ ____|_ _| / __ \ | \ / |
/ / \ \ __ | |/ ___| | | / / \ \ | |\ \ / /| |
/ /____\ \ | | | / | | / /____\ \ | | \ \/ / | |
/ ______ \_| |_| | _| |_ / ______ \ | \ / | |
/_/ \_\_____|__| |_____|/_/ \_\_| \/ |_|
v0.1.50
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Getting all IAM configurations for account 000000000000
Getting IAM credential report
12 of 15: Generating report for arn:aws:iam::000000000000:role/OrganizationAccountAccessRole
Traceback (most recent call last):
File "/home/umar_0x01/envs/forAirIAM/bin/airiam", line 5, in <module>
run()
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/main.py", line 29, in run
runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 44, in find_unused
iam_report = RuntimeIamScanner(logger, profile, refresh_cache).evaluate_runtime_iam(True, command)
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 38, in evaluate_runtime_iam
iam_data = self._get_data_from_aws(account_id, list_unused)
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 67, in _get_data_from_aws
last_accessed_map = self._generate_last_access(iam, entity_arn_list)
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 163, in _generate_last_access
raise error
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 155, in _generate_last_access
job_id = iam.generate_service_last_accessed_details(Arn=arn)['JobId']
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 386, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 705, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GenerateServiceLastAccessedDetails operation: User: arn:aws:iam::000000000000:user/airiam is not authorized to perform: iam:GenerateServiceLastAccessedDetails on resource: arn:aws:iam::000000000000:role/OrganizationAccountAccessRole with an explicit deny
(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ cat /etc/*release 1 ⨯
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Hello, it looks like there is an issue with the latest version:
airiam --help
Traceback (most recent call last):
File "/Users/ivo/Library/Python/3.8/bin/airiam", line 2, in <module>
from airiam.main import run
File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/main.py", line 6, in <module>
from airiam.find_unused.find_unused import find_unused
File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/find_unused/find_unused.py", line 4, in <module>
from airiam.find_unused.PolicyAnalyzer import PolicyAnalyzer
File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 8, in <module>
action_map = {a['prefix']: a for a in requests.get(ACTION_TABLE_URL).json()}
File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 8, in <dictcomp>
action_map = {a['prefix']: a for a in requests.get(ACTION_TABLE_URL).json()}
TypeError: string indices must be integers
First time user; when I run find_unused it is working perfectly.
However, the other options, recommend_groups and terraform, are throwing errors:
$ sudo airiam recommend_groups -p Account1
____ __ _____ ____ __ __
/ __ \ |__| _ ____|_ _| / __ \ | \ / |
/ / \ \ __ | |/ ___| | | / / \ \ | |\ \ / /| |
/ /____\ \ | | | / | | / /____\ \ | | \ \/ / | |
/ ______ \_| |_| | _| |_ / ______ \ | \ / | |
/_/ \_\_____|__| |_____|/_/ \_\_| \/ |_|
v0.1.83
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account xxxxxxxxx(masked)
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
File "/usr/bin/airiam", line 5, in <module>
run()
File "/home/cspm/.local/lib/python3.7/site-packages/airiam/main.py", line 36, in run
report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
if PolicyAnalyzer.policy_is_write_access(policy_document):
File "/home/cspm/.local/lib/python3.7/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 62, in policy_is_write_access
for priv, priv_obj in action_map.get(action_service, {}).get('privileges', []).items():
AttributeError: 'list' object has no attribute 'items'
It should show recommendations
Linux
No response
python3 --version
Python 3.7.5
not using it
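The KeyError: 'ecr-public' and 'airflow' reports, the TypeError at import time and the AttributeError: 'list' object has no attribute 'items' above all trace back to the remotely fetched action table being used without checking its shape or its coverage of newer services. As an added example that is not AirIAM's code, the Python below validates a table of the shape the tracebacks imply (prefix, privileges, privilege) before any lookup and classifies policy actions without raising on a service the table does not know; the tiny table, its access_level field and the sample policy are constructed assumptions.

```python
# Added example (not AirIAM's own code): classify the actions in an IAM policy
# document as read or write against a locally validated action table, without
# raising on an unknown service prefix (ecr-public, airflow in the reports
# above) or on a table whose shape is not what the code expected.
import fnmatch
import json

# Constructed, deliberately tiny action table in the shape the tracebacks imply:
# a list of {prefix, privileges: [{privilege, ...}]} entries. access_level is an
# assumed field name; a real table is far larger, only the shape matters here.
RAW_ACTION_TABLE = [
    {"prefix": "s3", "privileges": [
        {"privilege": "GetObject", "access_level": "Read"},
        {"privilege": "PutObject", "access_level": "Write"},
        {"privilege": "ListBucket", "access_level": "List"},
    ]},
    {"prefix": "ecr", "privileges": [
        {"privilege": "GetDownloadUrlForLayer", "access_level": "Read"},
        {"privilege": "PutImage", "access_level": "Write"},
    ]},
]

WRITE_LEVELS = {"Write", "Permissions management", "Tagging"}


def load_action_map(raw) -> dict:
    """Validate the fetched table before use. Skipping this is how a fetch that
    returned something other than a list of service objects surfaces later as
    'string indices must be integers' or "'list' object has no attribute 'items'"."""
    if not isinstance(raw, list):
        raise ValueError(f"action table: expected a list, got {type(raw).__name__}")
    action_map = {}
    for entry in raw:
        if not isinstance(entry, dict) or "prefix" not in entry:
            raise ValueError("action table: entry without a prefix")
        privs = entry.get("privileges", [])
        if not isinstance(privs, list):
            raise ValueError(f"action table: privileges for {entry['prefix']} is not a list")
        # normalise to {privilege_name: access_level} so no caller iterates a list as a dict
        action_map[entry["prefix"]] = {
            p["privilege"]: p.get("access_level", "Write")
            for p in privs if isinstance(p, dict) and "privilege" in p
        }
    return action_map


def policy_actions(policy_document: dict) -> list:
    """Flatten Action across Allow statements; Action may be a string or a list."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        act = statement.get("Action", [])  # NotAction statements carry no Action key
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def classify_action(action: str, action_map: dict) -> str:
    """Return 'read', 'write' or 'unknown' for one action pattern (wildcards allowed)."""
    if action == "*":
        return "write"
    service, _, name_pattern = action.partition(":")
    privileges = action_map.get(service.lower())
    if privileges is None:
        # Unknown service prefix: say so instead of raising KeyError, so the caller
        # knows what it could not assess rather than the whole run dying.
        return "unknown"
    matched = [level for name, level in privileges.items()
               if fnmatch.fnmatchcase(name.lower(), name_pattern.lower())]
    if not matched:
        return "unknown"
    return "write" if any(level in WRITE_LEVELS for level in matched) else "read"


def policy_is_write_access(policy_document: dict, action_map: dict) -> bool:
    """True if any allowed action is write-level. Unknown services count as write,
    so a policy is never silently downgraded to read-only by a gap in the table."""
    return any(classify_action(a, action_map) in ("write", "unknown")
               for a in policy_actions(policy_document))


# Constructed sample policy mixing a known service with one the table lacks.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ecr-public:GetAuthorizationToken", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    table = load_action_map(RAW_ACTION_TABLE)
    for action in policy_actions(SAMPLE_POLICY):
        print(action, classify_action(action, table))
    print("write access:", policy_is_write_access(SAMPLE_POLICY, table))
```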
Use https://github.com/duo-labs/parliament to lint policies in the account
airiam find_unused
:~# airiam find_unused
____ __ _____ ____ __ __
/ __ \ |__| _ ____|_ _| / __ \ | \ / |
/ / \ \ __ | |/ ___| | | / / \ \ | |\ \ / /| |
/ /____\ \ | | | / | | / /____\ \ | | \ \/ / | |
/ ______ \_| |_| | _| |_ / ______ \ | \ / | |
/_/ \_\_____|__| |_____|/_/ \_\_| \/ |_|
v0.1.64
AirIAM - Least privilege AWS IAM Terraformer
To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io
INFO:botocore.credentials:Found credentials in environment variables.
Reusing local data
Traceback (most recent call last):
File "/usr/local/bin/airiam", line 5, in <module>
run()
File "/usr/local/lib/python3.6/dist-packages/airiam/main.py", line 29, in run
runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 55, in find_unused
unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 83, in find_unused_users
days_from_today(credentials.get('access_key_1_last_used_date', 'N/A')),
File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 249, in days_from_today
date = dt.datetime.fromisoformat(str_date_from_today)
AttributeError: type object 'datetime.datetime' has no attribute 'fromisoformat'
it should generate a report
Linux
No response
root@xx:~# python --version
Python 2.7.17
root@xx:~# python3 --version
Python 3.6.9
root@ip-xx:~#
### checkov-version
not installed
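The StopIteration tracebacks in several reports above and the fromisoformat failure on Python 3.6 in this one both sit in the credential-report handling of find_unused. As an added example that is not AirIAM's own code, the Python below parses a credential report as boto3 returns it (CSV bytes), reports users missing from it instead of dying on a bare next(), and parses the report's timestamps with strptime so it also runs on 3.6; the report rows, the user list and REPORT_DAY are constructed samples.

```python
# Added example (not AirIAM's own code): parse an IAM credential report the way
# boto3 hands it back (CSV bytes), look users up without a bare next(), and
# compute days-since-last-use without datetime.fromisoformat (Python 3.7+ only).
import csv
import datetime as dt
import io

# Constructed sample: the column names are those of the real credential report,
# but only a handful of its ~20 columns are shown. Real dates carry a +00:00 offset.
SAMPLE_REPORT_CSV = b"""user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2021-03-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-05-05T00:00:00+00:00,true,2021-12-01T08:15:00+00:00,true,2021-11-30T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2020-06-06T00:00:00+00:00,false,no_information,true,N/A
"""

# Constructed sample shaped like iam.list_users(): 'carol' was created after the
# report was generated, so she is missing from it. That is the situation in which
# next(creds for creds in credential_report if ...) raises StopIteration.
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]

# Constructed "today" so the sample evaluates the same way every run.
REPORT_DAY = dt.datetime(2021, 12, 3, tzinfo=dt.timezone.utc)

NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_credential_report(content: bytes) -> dict:
    """Return {user_name: row} so lookups are O(1) and missing users are explicit."""
    rows = csv.DictReader(io.StringIO(content.decode("utf-8")))
    return {row["user"]: row for row in rows}


def parse_report_date(value: str):
    """Report timestamps look like 2021-11-30T10:00:00+00:00. strptime with %z
    handles the offset on 3.6 as well, once the colon is removed (%z only accepts
    +HH:MM from 3.7 onwards); fromisoformat does not exist on 3.6 at all."""
    if value in NOT_A_DATE:
        return None
    normalised = value.replace("Z", "+0000")
    if len(normalised) >= 6 and normalised[-3] == ":":  # +00:00 -> +0000
        normalised = normalised[:-3] + normalised[-2:]
    return dt.datetime.strptime(normalised, "%Y-%m-%dT%H:%M:%S%z")


def days_from_today(value: str, today=None):
    """Days since the given report timestamp, or None when the report has no date."""
    when = parse_report_date(value)
    if when is None:
        return None
    today = today or dt.datetime.now(dt.timezone.utc)
    return (today - when).days


def find_unused_users(users, report, threshold_days, today=None):
    """Split users into (unused, used, missing_from_report). A user absent from the
    report is listed separately instead of aborting the whole run."""
    unused, used, missing = [], [], []
    for user in users:
        row = report.get(user["UserName"])
        if row is None:
            missing.append(user["UserName"])
            continue
        ages = [days_from_today(row.get("password_last_used", "N/A"), today),
                days_from_today(row.get("access_key_1_last_used_date", "N/A"), today)]
        known = [age for age in ages if age is not None]
        # no recorded use at all counts as unused, like a key nobody has ever touched
        if not known or min(known) > threshold_days:
            unused.append(user["UserName"])
        else:
            used.append(user["UserName"])
    return unused, used, missing


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT_CSV)
    unused, used, missing = find_unused_users(SAMPLE_USERS, report, 90, REPORT_DAY)
    print("unused:", unused, "used:", used, "missing from report:", missing)
```

The missing list is the signal to regenerate the credential report (IAM caches it for up to four hours) rather than a reason to fail.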