AWSXenos will list all the trust relationships in all the IAM roles and S3 buckets
Xenos is Greek for stranger.
AWSXenos will list all the trust relationships in all the IAM roles, and S3 buckets, in an AWS account and give you a breakdown of all the accounts that have trust relationships to your account. It will also highlight whether the trusts have an external ID or not.
This tool reports against the Trusted Relationship Technique of the ATT&CK Framework.
Access Analyzer falls short because:
You need to enable it in every region.
Identified external entities might be known entities, e.g. a trusted third-party vendor or a vendor you no longer trust. An account number is seldom useful.
The zone of trust is a fixed set of the AWS organisation. You won't know if a trust between sandbox->prod has been established.
It does not identify AWS service principals. This is mainly important because of Wiz's AWSConfig, et al. vulnerabilities.
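The breakdown described above (known versus unknown accounts, AWS service principals, and whether a trust carries an external ID) can be sketched as follows. This is an added example, not AWSXenos's own code; the function names, account IDs and the sample trust policy are constructed for illustration.

```python
import re

# Constructed sample data: every account ID and name below is made up.
KNOWN_ACCOUNTS = {"111111111111": "prod", "222222222222": "sandbox"}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:role/vendor"]},
         "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "888888888888"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "config.amazonaws.com"}},
    ],
}
# Matches a bare 12-digit account ID or an IAM/STS ARN in any partition.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.+)?$")


def has_external_id(statement):
    """True if any condition operator tests sts:ExternalId (key names are case-insensitive)."""
    conditions = statement.get("Condition", {})
    return any(k.lower() == "sts:externalid" for keys in conditions.values() for k in keys)


def classify_trusts(policy, known_accounts):
    """Return (principal, kind, has_external_id) for each principal in an Allow statement."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in (s for s in statements if s.get("Effect") == "Allow"):
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" shorthand
            principal = {"AWS": principal}
        for ptype, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                match = ACCOUNT_RE.match(value) if ptype == "AWS" else None
                if ptype == "Service":
                    kind = "aws_service"
                elif match:
                    kind = "known_account" if match.group(1) in known_accounts else "unknown_account"
                else:
                    kind = "other"  # wildcard, federated provider, canonical user, ...
                findings.append((value, kind, has_external_id(stmt)))
    return findings
```

Entries of kind unknown_account with no external ID are the ones to review first, and a known_account entry such as sandbox trusted by a prod role is the in-organisation case mentioned above.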
pip install AWSXenos
awsxenos --reporttype HTML -w report.html
awsxenos --reporttype JSON -w report.json
You will get an HTML and JSON report.
See example report
from awsxenos.scan import Scan
from awsxenos.report import Report
s = Scan()
r = Report(s.findings, s.known_accounts_data)
json_summary = r.JSON_report()
html_summary = r.HTML_report()
Permissions required.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListRoles",
        "organizations:ListAccounts",
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicy",
        "s3:GetBucketAcl"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
python3 -m venv env
source env/bin/activate
pip install -r requirements.txt
Create a PR or raise an issue. Contributions are welcome.