Xenos is Greek for stranger.
AWSXenos lists all the trust relationships in all the IAM roles and S3 buckets in an AWS account and gives you a breakdown of all the accounts that have trust relationships to your account.
This tool reports against the Trusted Relationship Technique of the ATT&CK Framework.
- For the "known" accounts list, AWSXenos uses a modified version of known AWS Account IDs.
- For the Org accounts list, AWSXenos queries AWS Organizations.
- AWS Services are classified separately.
- Everything else falls under unknown accounts.
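The classification above is the core of the tool: every principal in a role trust policy or a bucket policy is assigned to one of a few buckets so that an unfamiliar account ID stands out. The following is an added example of that logic, not AWSXenos's own code; the policy documents, the Organization account set and the "known" vendor list are constructed here, where the real tool pulls them from the account, from AWS Organizations and from its maintained known-accounts list. It goes slightly beyond the list above by also flagging the anonymous `*` principal and by skipping Deny statements, which remove access rather than grant trust.

```python
import json
import re

# Constructed sample inputs (not from the project): an IAM role trust policy and
# an S3 bucket policy that together trust several kinds of principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ci", "333333333333"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/idp"},
         "Action": "sts:AssumeRoleWithSAML"},
    ],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444444444444:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::555555555555:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed classification data (hypothetical values): the scanned account,
# the accounts in its Organization, and a "known" third-party list.
OWN_ACCOUNT = "111111111111"
ORG_ACCOUNTS = {"111111111111", "222222222222"}
KNOWN_ACCOUNTS = {"444444444444": "Example Vendor, hypothetical"}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# arn:<partition>:<service>:<region>:<account-id>:... ; captures the account id.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def extract_principals(policy):
    """Yield (principal_type, value) for every Allow statement.

    Deny statements are skipped: they remove access rather than establish trust.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        principal = stmt["Principal"]
        if principal == "*":            # anonymous access, e.g. a public bucket prefix
            yield ("AWS", "*")
            continue
        for ptype, values in principal.items():   # AWS, Service, Federated, CanonicalUser
            for value in _as_list(values):
                yield (ptype, value)


def classify_principal(ptype, value):
    """Map one principal to: own_account, org_account, known_account, aws_service or unknown."""
    if ptype == "Service":
        return ("aws_service", value)
    if value == "*":
        return ("unknown", "anonymous (*)")
    m = ARN_ACCOUNT_RE.match(value)
    if m:
        account = m.group(1)
    elif ACCOUNT_ID_RE.match(value):    # bare 12-digit account id is also valid in Principal.AWS
        account = value
    else:
        return ("unknown", value)       # e.g. CanonicalUser ids or unparsable values
    if account == OWN_ACCOUNT:
        return ("own_account", account)
    if account in ORG_ACCOUNTS:
        return ("org_account", account)
    if account in KNOWN_ACCOUNTS:
        return ("known_account", f"{account} ({KNOWN_ACCOUNTS[account]})")
    return ("unknown", account)


def classify_policy(policy):
    """Return {category: sorted principal labels} for one policy document."""
    result = {}
    for ptype, value in extract_principals(policy):
        category, label = classify_principal(ptype, value)
        result.setdefault(category, set()).add(label)
    return {k: sorted(v) for k, v in sorted(result.items())}


if __name__ == "__main__":
    print(json.dumps({"role_trust_policy": classify_policy(TRUST_POLICY),
                      "bucket_policy": classify_policy(BUCKET_POLICY)}, indent=2))
```

The "unknown" bucket is the one to review first: in the sample it holds a bare account ID that is neither in the Organization nor on the known list, and an anonymous `*` principal on the bucket. Note that the account-ID match is by exact 12-digit string; an ARN with a wildcard account, which IAM rejects in trust policies anyway, would land in "unknown" rather than be silently accepted.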
Access Analyzer falls short because:
- You need to enable it in every region.
- Identified external entities might be known entities, e.g. a trusted third-party vendor or a vendor you no longer trust. An account number on its own is seldom useful.
- The zone of trust is fixed to the AWS organisation, so you won't know if a trust between sandbox->prod has been established.
- It does not identify AWS Service principals. This is mainly important because of the AWS Config et al. vulnerabilities reported by Wiz.
pip install AWSXenos
awsxenos --reporttype HTML -w report.html
awsxenos --reporttype JSON -w report.json
You will get an HTML and JSON report.
See example report
from awsxenos.scan import Scan
from awsxenos.report import Report
s = Scan()  # enumerates IAM role trust policies and S3 bucket policies/ACLs in the account
r = Report(s.findings, s.known_accounts_data)  # classifies findings against the known-accounts data
json_summary = r.JSON_report()
html_summary = r.HTML_report()
Permissions required:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:ListRoles",
                "organizations:ListAccounts",
                "s3:ListAllMyBuckets",
                "s3:GetBucketPolicy",
                "s3:GetBucketAcl"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
python3 -m venv env
source env/bin/activate
pip install -r requirements.txt
Create a PR or raise an issue. Contributions are welcome.
- IAM Roles
- S3 Bucket Policies and ACLs
- Use as library
- HTML and JSON output
- Supports AWS Services
- Add support for more resource policy services, e.g. SecretsManager, KMS, SNS, SQS, Lambda
- Add support for Cognito, RAM
- Add support for VPCE