airiam's Issues

Permissions boundary removed from role in Terraform output

Related to #46, the output of airiam terraform produces an aws_iam_role which will remove the permissions_boundary.

Repro steps:
1. Have an IAM role with a boundary policy.
2. Run airiam terraform
3. cd results; terraform plan -target

Example:

$ terraform plan -target aws_iam_role.TerraformerRole
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_iam_policy_document.TerraformerRole_assume_role_policy_document: Refreshing state...
aws_iam_role.TerraformerRole: Refreshing state... [id=TerraformerRole]

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_role.TerraformerRole will be updated in-place
  ~ resource "aws_iam_role" "TerraformerRole" {
        arn                   = "arn:aws:iam::*snip*:role/pathy/TerraformerRole"
        assume_role_policy    = *snip*
        create_date           = "2077-12-09T08:00:00Z"
        force_detach_policies = false
        id                    = "TerraformerRole"
        max_session_duration  = 2077
        name                  = "TerraformerRole"
        path                  = "/pathy/"
      - permissions_boundary  = "arn:aws:iam::*snip*:policy/pathy/TerraformerRoleBoundary" -> null
      ~ tags                  = {
          + "Managed by"      = "AirIAM by Bridgecrew"
          + "Managed through" = "Terraform"
            "department"      = "existing"
            "prod"            = "lolno"
            "ManagedBy"  = "terraform"
            "moretags"        = "snipped away"
        }
        unique_id             = "snip"
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Warning: Resource targeting is in effect

You are creating a plan with the -target option, which means that the result
of this plan may not represent all of the changes requested by the current
configuration.

The -target option is not for routine use, and is provided only for
exceptional situations such as recovering from errors or mistakes, or when
Terraform specifically suggests to use it as part of an error message.


------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Enhancement: Terraform backend "import" performed without calling AWS

Terraform 0.14 releases a backend that is intended to flex into 1.0 and breaking backend changes are supposed to be reduced. AirIAM can generate this backend programmatically instead of relying on terraform import - enhancing the usability of the local cache and reducing the reliance on credentials which may time out during the import process.

Error running "airiam find_unused"

$ airiam find_unused

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.44

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in environment variables.
Getting all IAM configurations for account xxxxxxxxxxxxx
Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/Cellar/airiam/0.1.44/libexec/lib/python3.9/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/usr/local/Cellar/airiam/0.1.44/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
    unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
  File "/usr/local/Cellar/airiam/0.1.44/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
    credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration

Enhancement : Optional offline mode

As a user,
I want to be able to force airiam to use the "cache" file locally
So that I can generate HCL, perform evaluations, and write tests for the tool without having to have any active credentials.

Error with recommend_groups

Does anyone know what is wrong in this output? After I execute airiam recommend_groups I get this:

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account XXXXXXXXXXXXX (masked)
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.7/dist-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.7/dist-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.7/dist-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.7/dist-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.7/dist-packages/airiam/find_unused/PolicyAnalyzer.py", line 56, in policy_is_write_access
    action_map[action_service]['privileges']))
KeyError: 'ecr-public'

Just fails on credentials = next( without explanation

First I was very excited about AirIAM, but then it just stopped working, without any changes from my side.
I wonder if there is any Verbose or Debug mode to give more diagnostics output?
Otherwise it's just not clear why it fails like this:

» aws-vault exec .... -- airiam find_unused

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.48 

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in environment variables.
Getting all IAM configurations for account 655028521085
Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
  File "/Users/ivan/.asdf/installs/python/3.8.5/bin/airiam", line 5, in <module>
    run()
  File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
    unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
  File "/Users/ivan/.asdf/installs/python/3.8.5/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
    credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration

๐Ÿ› Bug Report: Broken homebrew package

👟 Reproduction steps

brew tap bridgecrewio/airiam https://github.com/bridgecrewio/airiam
brew update
brew install airiam

👍 Expected behavior

airiam is installed

👎 Actual Behavior

==> Downloading
curl: (3) URL using bad/illegal format or missing URL
Error: airiam: Failed to download resource "airiam--boto3"
Download failed:

Broken URL and SHA:

resource "boto3" do
url ""
sha256 ""
end

💻 Operating system

MacOS

🧱 Your Environment

No response

Python Version

python3

checkov-version

2.2.75

Share output with the environment variable LOG_LEVEL set to DEBUG

N/A

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

Error when executing airiam terraform cmd

Hello,

I have installed airIAM on an AmzLinux2 EC2 instance. Installation went through with no issues. I was able to execute the 2 cmds, airiam -h & airiam find_unused just fine and returned the expected results. When I tried to run the 'airiam terraform' cmd, I received the following error message:

[image: screenshot of the error]

After reaching out for assistance via slack chat, I was advised to install terraform, and so I did. I have installed terraform where its cmd is globally accessible, without having to cd into the dir where it's installed. I have verified this by running terraform -v and this returned the terraform version with no issue. Strangely enough, when I ran the airiam terraform cmd initially, it created the results dir and all of the .tf files but not the .tfstate.

So I ran airiam terraform again, and I'm still receiving the same error (like the screen capture above). Please provide some guidance.

Python version: 3.7
Terraform v0.12.26
AirIAM version 0.1.31
Amazon Linux 2

Thank you,
Eri W.

AirIAM issue while running any command

Hi

I am facing an error while trying to run any command in AirIAM.

Getting IAM credential report
Generated reports for all principals
Received usage results for all principals
Collecting password configurations for all IAM users in the account
Completed data collection, writing to local file...
Traceback (most recent call last):
  File "/opt/homebrew/bin/airiam", line 5, in <module>
    run()
  File "/opt/homebrew/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/opt/homebrew/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 51, in find_unused
    unused_active_access_keys, unused_console_login_profiles = find_unused_active_credentials(account_users, credential_report, unused_threshold)
  File "/opt/homebrew/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/find_unused.py", line 98, in find_unused_active_credentials
    credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration

Enhancement: Auto-remediate

Wondering if you guys were interested in the ability to auto-remediate, that is, auto-delete unused policies or roles?
Possibly with manual approval, or '-auto-approve' for all. I'm currently writing a bash script to do it, but it could be built into AirIAM itself?

๐Ÿ› Bug Report: Unable to run recommend_groups or terraform

👟 Reproduction steps

airiam terraform or airiam recommend_groups

👍 Expected behavior

command completes successfully

👎 Actual Behavior

Error with the following logs

Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
    actions = PolicyAnalyzer._get_policy_actions(policy_document)
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
    actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))

💻 Operating system

MacOS

🧱 Your Environment

No response

Python Version

python 3.9.9

checkov-version

didnt use checkov

Share output with the environment variable LOG_LEVEL set to DEBUG

Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 49, in policy_is_write_access
    actions = PolicyAnalyzer._get_policy_actions(policy_document)
  File "/usr/local/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 25, in _get_policy_actions
    actions_list.extend(PolicyAnalyzer.convert_to_list(statement['Action']))

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

Question: support Roles of different accounts

Hi Team,
Wondering if AirIAM find_unused supports roles or account IDs for accessing different accounts.
My company policy doesn't allow credentials in the .aws/credentials file if I want to set up a single instance for all my environments.

Thanks for your time

Unable to make it work

I installed using the command below and I am getting an error as per the snapshot.

pip3 install airiam --user

Please share tips if you are able to make it work
I then tried pip install requests==2.18.4 and it gave

ERROR: airiam 0.1.29 has requirement requests==2.23.0, but you'll have requests 2.18.4 which is incompatible
Python 3.7.7, pip 20.0.2 from /usr/local/lib/python3.7/site-packages/pip (python 3.7)
[image: screenshot of the error]

Add issue templates

Prepare bug report issue form in .github/ISSUE_TEMPLATE/bug.yaml
Prepare documentation issue form in .github/ISSUE_TEMPLATE/documentation.yaml
Prepare feature request issue form in .github/ISSUE_TEMPLATE/feature.yaml

airiam recommend_groups error KeyError: 'airflow'

Running airiam recommend_groups on a Mac gives this error:

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account 051349106950
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/local/Cellar/airiam/0.1.49/libexec/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 56, in policy_is_write_access
    action_map[action_service]['privileges']))
KeyError: 'airflow'

Error in iterating results

Hi,

Get the following when trying to execute 'get_unused';

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
Traceback (most recent call last):
  File "/home/user/.local/bin/airiam", line 5, in <module>
    run()
  File "/home/user/.local/lib/python3.8/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/home/user/.local/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 49, in find_unused
    unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
  File "/home/user/.local/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 69, in find_unused_users
    credentials = next(creds for creds in credential_report if creds['user'] == user['UserName'])
StopIteration

It pulls and populates the iam_data.json file then throws the error. Currently running v0.1.37.
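The StopIteration in this issue, and the identical ones under "Error running airiam find_unused", "Just fails on credentials = next(" and "AirIAM issue while running any command", all come from a next() over a credential report that has no row for the user being checked. As an added example, not AirIAM's own code, this indexes the report by user name and skips users it does not cover instead of aborting the run. The sample report and user list are constructed; the column names are those of the IAM credential report CSV, and the function names are assumptions.

```python
import csv
import io
import logging
from typing import Dict, List, Optional, Tuple

logger = logging.getLogger(__name__)

# Constructed sample of an IAM credential report (the CSV returned by
# iam:GetCredentialReport), cut down to the columns read here.
SAMPLE_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::000000000000:root,2020-01-01T00:00:00+00:00,not_supported,2021-03-01T10:00:00+00:00,false,N/A
alice,arn:aws:iam::000000000000:user/alice,2020-01-02T00:00:00+00:00,true,2021-03-01T10:00:00+00:00,true,2021-02-01T10:00:00+00:00
bob,arn:aws:iam::000000000000:user/bob,2020-01-03T00:00:00+00:00,false,no_information,true,N/A
"""

# Constructed sample of the user list (iam:ListUsers shape; only UserName is read).
# 'carol' has no row in the report, which is the situation behind the tracebacks:
# a report can predate a user, or a name can simply not match.
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]


def parse_credential_report(report_csv: str) -> Dict[str, Dict[str, str]]:
    """Index the report rows by user name once, instead of scanning the list per user."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(report_csv))}


def original_lookup(credential_report: List[Dict[str, str]], user: Dict[str, str]) -> Dict[str, str]:
    """The expression from the tracebacks: next() on an exhausted generator raises StopIteration."""
    return next(creds for creds in credential_report if creds["user"] == user["UserName"])


def lookup_credentials(report_by_user: Dict[str, Dict[str, str]], user: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Defensive replacement: return None and log which user is missing rather than raising."""
    creds = report_by_user.get(user["UserName"])
    if creds is None:
        logger.warning(
            "user %r has no row in the credential report (report older than the user, "
            "or name mismatch); skipping",
            user["UserName"],
        )
    return creds


def partition_users(users: List[Dict[str, str]], report_csv: str) -> Tuple[List[str], List[str]]:
    """Split users into those the report covers and those it does not, without aborting the run."""
    report_by_user = parse_credential_report(report_csv)
    covered: List[str] = []
    missing: List[str] = []
    for user in users:
        creds = lookup_credentials(report_by_user, user)
        (covered if creds is not None else missing).append(user["UserName"])
    return covered, missing
```

The list of uncovered users is worth reporting on its own: a user the report cannot account for is exactly the one a least-privilege review should not silently drop.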

Create file with report printed to stdout on find_unused

Currently, when I run airiam find_unused I get a printout to stdout of the information that I'd like, and airiam writes a file iam_data.json to the working directory. I'd like airiam to also write a results file in some format which contains the information that is written to stdout (or... an option for it?).

Policies used only as boundary flagged as redundant

I have a few policies that exist for exclusive use as IAM boundary policies... they're being flagged as unused, regardless of how long they've been attached as boundaries or how frequently the attached role/user is being used.

Website UI bug

Howdy Bridgecrew,

When viewing the website https://airiam.io/documentation.html there are several formatting bugs. It seems to primarily be around how github flavored markdown code blocks are handled.

from ```shell script
[image: Screen Shot 2020-05-02 at 10:32:32 AM]

and
[image: Screen Shot 2020-05-02 at 11:27:05 AM]

Interestingly, these render fine when previewed through github: https://github.com/bridgecrewio/AirIAM/blob/master/docs/documentation.md

so I'd hazard a guess to say this is an issue with your hosting/static site generator set up.

I'll send a PR, but it may not fix the issue, if it is hosting/static site generator related.

Browser: Chrome Version 81.0.4044.129 on OSX

TypeError: 'NoneType' object is not iterable

version: 0.1.52

Process data error
Traceback (most recent call last):
  File "/app/./airapi/main.py", line 270, in <module>
    marker()
  File "/app/./airapi/main.py", line 260, in marker
    run_recommend_groups(runtime_report, raw_data, logger, args)
  File "/app/./airapi/main.py", line 107, in run_recommend_groups
    report_with_recommendations = recommend_groups(
  File "/usr/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/usr/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/usr/lib/python3.9/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/usr/lib/python3.9/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 55, in policy_is_write_access
    action_objs = list(filter(lambda privilege_obj: re.match(action_regex, privilege_obj['privilege']),
TypeError: 'NoneType' object is not iterable

Bug: `terraform` command ignores -l flag

Ran $ airiam terraform -l 90 with some simulated data.

Expected 118 roles in the terraform output, got 152.

  • 200 roles
  • 47 "none" roles in access advisor (These roles were entirely unused)
  • 1 active role used in query (per documentation)
    = 152 roles in terraform

Missing 34 roles with > 90 days of inactivity.

Regression: 0.1.42 is unable to identify same-day access

I get different results between version 0.1.41 and 0.1.42 with the same cache and default day detection settings.

The following 132 roles are unused: (0.1.42)
The following 69 roles are unused: (0.1.41)

Altering the cache for each item that was access today (12-03) to yesterday (12-02) shows parity to 0.1.41.

The following 69 roles are unused:

See also this discussion in slack : https://codifiedsecurity.slack.com/archives/C01A47BRV50/p1607037078001600

[Bug] Script stops execution on an explicit deny - OrganizationAccountAccessRole

Hi,

I'm trying to run AirIAM on an AWS account. Getting the following exception:

(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ airiam find_unused -p airiam

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.50

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Getting all IAM configurations for account 000000000000
Getting IAM credential report
12 of 15: Generating report for arn:aws:iam::000000000000:role/OrganizationAccountAccessRole
Traceback (most recent call last):
  File "/home/umar_0x01/envs/forAirIAM/bin/airiam", line 5, in <module>
    run()
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/find_unused.py", line 44, in find_unused
    iam_report = RuntimeIamScanner(logger, profile, refresh_cache).evaluate_runtime_iam(True, command)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 38, in evaluate_runtime_iam
    iam_data = self._get_data_from_aws(account_id, list_unused)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 67, in _get_data_from_aws
    last_accessed_map = self._generate_last_access(iam, entity_arn_list)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 163, in _generate_last_access
    raise error
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/airiam/find_unused/RuntimeIamScanner.py", line 155, in _generate_last_access
    job_id = iam.generate_service_last_accessed_details(Arn=arn)['JobId']
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/umar_0x01/envs/forAirIAM/lib/python3.8/site-packages/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GenerateServiceLastAccessedDetails operation: User: arn:aws:iam::000000000000:user/airiam is not authorized to perform: iam:GenerateServiceLastAccessedDetails on resource: arn:aws:iam::000000000000:role/OrganizationAccountAccessRole with an explicit deny

Environment: WSL2

(forAirIAM) ┌──(umar_0x01@DESKTOP-RGUF7KT)-[~/envs]
└─$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Policies Attached:

  • ReadOnlyAccess (only)

[image: screenshot of the attached policy]

string indices must be integers

Hello, it looks like there is an issue with the latest version:

airiam --help
Traceback (most recent call last):
  File "/Users/ivo/Library/Python/3.8/bin/airiam", line 2, in <module>
    from airiam.main import run
  File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/main.py", line 6, in <module>
    from airiam.find_unused.find_unused import find_unused
  File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/find_unused/find_unused.py", line 4, in <module>
    from airiam.find_unused.PolicyAnalyzer import PolicyAnalyzer
  File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 8, in <module>
    action_map = {a['prefix']: a for a in requests.get(ACTION_TABLE_URL).json()}
  File "/Users/ivo/Library/Python/3.8/lib/python/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 8, in <dictcomp>
    action_map = {a['prefix']: a for a in requests.get(ACTION_TABLE_URL).json()}
TypeError: string indices must be integers

๐Ÿ› Bug Report: AttributeError: 'list' object has no attribute 'items' (both for recommend_groups and terraform )

👟 Reproduction steps

First time user; when I run find_unused it is working perfectly.
However, the other options recommend_groups and terraform are throwing errors:

$ sudo airiam recommend_groups -p Account1

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.83

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account xxxxxxxxx(masked)
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/bin/airiam", line 5, in <module>
    run()
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 62, in policy_is_write_access
    for priv, priv_obj in action_map.get(action_service, {}).get('privileges', []).items():
AttributeError: 'list' object has no attribute 'items'

👍 Expected behavior

It should show recommendations

👎 Actual Behavior

$ sudo airiam recommend_groups -p Account1

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.83

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
Reusing local data
INFO:root:Analyzing data for account xxxxxxxxx(masked)
INFO:root:Using the default UserOrganizer
Traceback (most recent call last):
  File "/usr/bin/airiam", line 5, in <module>
    run()
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 62, in policy_is_write_access
    for priv, priv_obj in action_map.get(action_service, {}).get('privileges', []).items():
AttributeError: 'list' object has no attribute 'items'

💻 Operating system

Linux

🧱 Your Environment

No response

Python Version

python3 --version
Python 3.7.5

checkov-version

not using it

Share output with the environment variable LOG_LEVEL set to DEBUG

Traceback (most recent call last):
  File "/usr/bin/airiam", line 5, in <module>
    run()
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/main.py", line 36, in run
    report_with_recommendations = recommend_groups(logger, runtime_results, args.last_used_threshold)
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 19, in recommend_groups
    runtime_iam_report.set_reorg(organizer.get_user_clusters(runtime_iam_report))
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 38, in get_user_clusters
    simple_user_clusters = self._create_simple_user_clusters(human_users, iam_data['AccountGroups'], iam_data['AccountPolicies'])
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/recommend_groups/recommend_groups.py", line 84, in _create_simple_user_clusters
    if PolicyAnalyzer.policy_is_write_access(policy_document):
  File "/home/cspm/.local/lib/python3.7/site-packages/airiam/find_unused/PolicyAnalyzer.py", line 62, in policy_is_write_access
    for priv, priv_obj in action_map.get(action_service, {}).get('privileges', []).items():
AttributeError: 'list' object has no attribute 'items'

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🐛 Bug Report: AttributeError: type object 'datetime.datetime' has no attribute 'fromisoformat'

👟 Reproduction steps

airiam find_unused

:~# airiam find_unused

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.64 

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in environment variables.
Reusing local data
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.6/dist-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 55, in find_unused
    unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 83, in find_unused_users
    days_from_today(credentials.get('access_key_1_last_used_date', 'N/A')),
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 249, in days_from_today
    date = dt.datetime.fromisoformat(str_date_from_today)
AttributeError: type object 'datetime.datetime' has no attribute 'fromisoformat'

๐Ÿ‘ Expected behavior

it should generate a report

๐Ÿ‘Ž Actual Behavior

:~# airiam find_unused

     ____      __           _____      ____     __        __
    / __ \    |__|  _  ____|_   _|    / __ \   |   \    /   |
   / /  \ \    __  | |/ ___| | |     / /  \ \  | |\ \  / /| |
  / /____\ \  |  | |   /     | |    / /____\ \ | | \ \/ / | |
 /  ______  \_|  |_|  |     _| |_  /  ______  \  |  \  /  | |
/_/        \_\_____|__|    |_____|/_/        \_\_|   \/   |_|
v0.1.64 

AirIAM - Least privilege AWS IAM Terraformer

To continuously scan configurations, try the Bridgecrew free community plan.
https://www.bridgecrew.io

INFO:botocore.credentials:Found credentials in environment variables.
Reusing local data
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.6/dist-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 55, in find_unused
    unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 83, in find_unused_users
    days_from_today(credentials.get('access_key_1_last_used_date', 'N/A')),
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 249, in days_from_today
    date = dt.datetime.fromisoformat(str_date_from_today)
AttributeError: type object 'datetime.datetime' has no attribute 'fromisoformat'

💻 Operating system

Linux

🧱 Your Environment

No response

Python Version

```
root@xx:~# python --version
Python 2.7.17
root@xx:~# python3 --version
Python 3.6.9
root@ip-xx:~#
```

### checkov-version

not installed

### Share output with the environment variable LOG_LEVEL set to DEBUG

```
Reusing local data
Traceback (most recent call last):
  File "/usr/local/bin/airiam", line 5, in <module>
    run()
  File "/usr/local/lib/python3.6/dist-packages/airiam/main.py", line 29, in run
    runtime_results = find_unused(logger, args.profile, args.no_cache, args.last_used_threshold, args.command)
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 55, in find_unused
    unused_users, used_users = find_unused_users(account_users, credential_report, unused_threshold)
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 83, in find_unused_users
    days_from_today(credentials.get('access_key_1_last_used_date', 'N/A')),
  File "/usr/local/lib/python3.6/dist-packages/airiam/find_unused/find_unused.py", line 249, in days_from_today
    date = dt.datetime.fromisoformat(str_date_from_today)
AttributeError: type object 'datetime.datetime' has no attribute 'fromisoformat'
```


### 👀 Have you spent some time to check if this issue has been raised before?

- [X] I checked and didn't find similar issue
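A Python 3.6-compatible way to do what the `days_from_today` call in the traceback above does (an added example, not AirIAM's own code): the credential report timestamp is parsed with `strptime` and `%z`, which on 3.6 requires the colon to be removed from the `+00:00` offset, since `datetime.fromisoformat` only arrived in 3.7. The `NO_DATA_VALUES` markers, the trailing-`Z` handling and the `today` parameter are assumptions of this example.

```python
import datetime as dt
import re

# Markers the AWS credential report uses for fields with no data (assumed for
# this example; the page only shows the 'N/A' default passed by the caller).
NO_DATA_VALUES = ('N/A', 'no_information', 'not_supported')

# Matches the colon inside a UTC offset such as +00:00 so it can be dropped:
# Python 3.6's %z directive only understands +HHMM.
_OFFSET_COLON = re.compile(r'([+-]\d{2}):(\d{2})$')


def parse_report_timestamp(value):
    """Parse a credential report timestamp like 2020-03-01T12:34:56+00:00.

    Returns an aware datetime, or None for the report's "no data" markers.
    Works on Python 3.6, which has no datetime.fromisoformat().
    """
    if value in NO_DATA_VALUES:
        return None
    normalized = _OFFSET_COLON.sub(r'\1\2', value)   # +00:00 -> +0000
    if normalized.endswith('Z'):                      # tolerate a trailing Z
        normalized = normalized[:-1] + '+0000'
    return dt.datetime.strptime(normalized, '%Y-%m-%dT%H:%M:%S%z')


def days_from_today(value, today=None):
    """Whole days between the timestamp and now; None when the field has no data.

    `today` is injectable so the result is deterministic in tests (assumption).
    """
    parsed = parse_report_timestamp(value)
    if parsed is None:
        return None
    if today is None:
        today = dt.datetime.now(dt.timezone.utc)
    return (today - parsed).days


if __name__ == '__main__':
    # Constructed sample values, not taken from a real credential report.
    for sample in ('2020-03-01T12:34:56+00:00', 'N/A'):
        print(sample, '->', days_from_today(sample))
```

A caller that treats `None` as "never used" keeps the same unused/used split the report applies to `N/A` fields, without the 3.7-only API.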
