(A)n(a)lysis of (I)dentity and (A)ccess
Note: The expansion was created after the name was decided :P
Aaia helps in visualizing AWS IAM in a graphical fashion with the help of Neo4j. This makes it easy to identify outliers. Since it is based on Neo4j, one can query the graph using Cypher queries to find anomalies.
Aaia also supports modules to programmatically fetch data from the Neo4j database and process it in a custom fashion. This is mostly useful if any complex comparison or logic has to be applied to the data which would otherwise not be easy to express through Cypher queries.
Aaia was initially intended to be a tool to enumerate privilege escalation possibilities and find loopholes in AWS IAM. It was inspired by the quote by @JohnLaTwC:
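As an added illustration of the graph-style reasoning described above (example code, not part of Aaia or its sample module), the following Python walks a small constructed IAM graph made of the kind of edges Aaia loads into Neo4j and lists every principal that can transitively reach a given action through group membership, policy attachment and chained role assumption. The edge labels and the sample account are assumptions for the example, not Aaia's actual schema; the same check could be run by a custom module over data fetched from the database.

```python
from collections import deque

# Constructed sample account: directed edges of the kind Aaia loads into Neo4j.
# The labels below are an assumed simplification, not Aaia's real schema:
#   MEMBER_OF user -> group, ATTACHED principal -> policy,
#   CAN_ASSUME principal -> role, ALLOWS policy -> action
IAM_EDGES = [
    ("user:alice", "MEMBER_OF", "group:devs"),
    ("group:devs", "ATTACHED", "policy:DevReadOnly"),
    ("policy:DevReadOnly", "ALLOWS", "s3:GetObject"),
    ("user:alice", "CAN_ASSUME", "role:DeployRole"),
    ("role:DeployRole", "ATTACHED", "policy:DeployPolicy"),
    ("policy:DeployPolicy", "ALLOWS", "iam:PassRole"),
    ("role:DeployRole", "CAN_ASSUME", "role:AdminRole"),
    ("role:AdminRole", "ATTACHED", "policy:AdministratorAccess"),
    ("policy:AdministratorAccess", "ALLOWS", "iam:*"),
]

def action_matches(granted, wanted):
    """IAM-style wildcard check: '*' or 'iam:*' covers 'iam:CreateUser'."""
    svc, _, act = granted.partition(":")
    wsvc, _, wact = wanted.partition(":")
    return granted == "*" or (svc == wsvc and act in ("*", wact))

def paths_to_action(edges, start, wanted):
    """Breadth-first walk from `start`; returns one shortest edge path per policy granting `wanted`."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    found, seen, queue = [], {start}, deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for rel, nxt in adj.get(node, []):
            step = path + [(node, rel, nxt)]
            if rel == "ALLOWS":          # leaf: the policy grants an action
                if action_matches(nxt, wanted):
                    found.append(step)
            elif nxt not in seen:        # group, policy or assumable role: keep walking
                seen.add(nxt)
                queue.append((nxt, step))
    return found

def principals_reaching(edges, wanted):
    """The graph view: every principal that can transitively reach `wanted`."""
    principals = {s for s, _, _ in edges if not s.startswith("policy:")}
    return {p for p in principals if paths_to_action(edges, p, wanted)}

if __name__ == "__main__":
    for path in paths_to_action(IAM_EDGES, "user:alice", "iam:CreateUser"):
        print(" -> ".join(f"{s} -[{r}]" for s, r, _ in path), "->", path[-1][2])
    print(sorted(principals_reaching(IAM_EDGES, "iam:CreateUser")))
```

A list of alice's directly attached policies would show only read-only access; the walk shows she reaches iam:* two role hops away.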
"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."
Aaia in Tamil means grandmother. Aaia knows everything about the family. She can easily connect who is related to whom, and how, and give you the connection within a split second. She is a living graph database. :P Since "Aaia" (this tool) also does more or less the same, hence the name.
Instructions here
Set up the username, password and bolt connection URI in the Aaia.conf file. An example is already present in Aaia.conf.
git clone https://github.com/rams3sh/Aaia
cd Aaia/
python3 -m venv env
source env/bin/activate
Note: Aaia depends on the pyjq library, which is currently not stable on Windows. Hence Aaia is not supported on Windows.
python -m pip install -r requirements.txt
First, ensure you have AWS credentials configured. Refer to this for help.
Once the credentials are set up, run:
./Aaia_aws_collector.sh <profile_name>
Note: This script has been intentionally written in shell, as there might be cases during audit engagements where data has to be collected from a remote place. The script can be used to collect the data, and the generated "offline_data" folder can be copied and worked upon in another instance with Aaia installed.
Just replace the offline_data folder in the Aaia folder and start working.
python Aaia.py -n <profile_name> -a load_Data
-n supports "all" as a value, which means load all data collected and present within the offline_data folder.
Now we are ready to use Aaia.
As of now, a sample custom module is provided as a skeleton example. One can use it as a base to build various other custom modules.
python Aaia.py -n all -m iam_sample_audit
Aaia is influenced and inspired by various amazing open source tools. Huge shoutout to:
A sample visual of a dummy AWS Account's IAM
A sample visual of a result of a cypher query to find all relations of a user in AWS IAM
- Write a detailed documentation for understanding Aaia's Neo4j DB Schema
- Write a detailed documentation for developing custom modules for Aaia
- Write custom modules to evaluate the 28 AWS privilege escalation methods identified by RhinoSecurity.
- Provide a cheatsheet of queries for identifying simple issues in AWS IAM
- Extend Aaia to other cloud providers.