
Use policyuniverse

Open 0xdabbad00 opened this issue 7 years ago • 3 comments

Use https://github.com/netflix-skunkworks/policyuniverse instead of https://github.com/duo-labs/cloudtracker/blob/master/cloudtracker/__init__.py#L80 and aws_api_list.txt. This would also support NotAction (https://github.com/duo-labs/cloudtracker/blob/33852a6f70e839b357b62722b66a2e317c440943/cloudtracker/__init__.py#L69). This could also help with the --ignore-benign flag to more accurately identify benign actions beyond List* and Describe*.

Need to push changes to that project to support some of CloudTracker's needs.

0xdabbad00, Feb 16 '18 21:02
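What the opening comment asks a library to do, shown as an added example that is not CloudTracker's or policyuniverse's code: expand a statement's `Action` / `NotAction` wildcards against a catalog of API action names (a constructed stand-in for `aws_api_list.txt`), apply explicit Deny, and then flag which of the resulting actions are benign. The `Get*` prefix being treated as read-only alongside `List*` and `Describe*` is an assumption made here for illustration, as are the sample catalog and policy.

```python
# Added example: wildcard expansion of IAM Action/NotAction plus a benign-action
# filter. Not CloudTracker's or policyuniverse's code; catalog and policy below
# are constructed for the demonstration.
import fnmatch
from typing import Iterable

# Constructed stand-in for aws_api_list.txt (real action names, tiny subset).
API_ACTIONS = [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "ec2:DescribeInstances",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
    "iam:ListUsers",
    "iam:CreateUser",
    "iam:PassRole",
]

# Assumption for this example: Get* is read-only too, beyond the List*/Describe*
# pair the --ignore-benign flag currently uses.
BENIGN_PREFIXES = ("List", "Describe", "Get")


def _as_list(value) -> list:
    """IAM allows a bare string (or a single dict for Statement) where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def expand_actions(patterns: Iterable[str], catalog: Iterable[str] = API_ACTIONS) -> set:
    """Expand patterns such as 's3:Get*' or '*' to concrete catalog actions.
    IAM action matching is case-insensitive, so both sides are lower-cased."""
    catalog = list(catalog)
    matched = set()
    for pattern in patterns:
        p = pattern.lower()
        matched.update(a for a in catalog if fnmatch.fnmatchcase(a.lower(), p))
    return matched


def statement_actions(statement: dict, catalog: Iterable[str] = API_ACTIONS) -> set:
    """Concrete actions one statement covers. NotAction means 'every catalog
    action except these', which a plain pattern list cannot express."""
    catalog = list(catalog)
    if "Action" in statement:
        return expand_actions(_as_list(statement["Action"]), catalog)
    if "NotAction" in statement:
        return set(catalog) - expand_actions(_as_list(statement["NotAction"]), catalog)
    return set()


def allowed_actions(policy: dict, catalog: Iterable[str] = API_ACTIONS) -> set:
    """Union of Allow statements minus union of Deny statements (explicit Deny wins)."""
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement")):
        target = allowed if st.get("Effect") == "Allow" else denied
        target |= statement_actions(st, catalog)
    return allowed - denied


def is_benign(action: str) -> bool:
    """Read-only heuristic on the API name after the service prefix."""
    name = action.split(":", 1)[1]
    return name.startswith(BENIGN_PREFIXES)


def privileged_actions(policy: dict, catalog: Iterable[str] = API_ACTIONS) -> set:
    """What --ignore-benign would leave behind: allowed actions that can change state."""
    return {a for a in allowed_actions(policy, catalog) if not is_benign(a)}


# Constructed sample: allow everything except launching/terminating EC2
# instances (via NotAction), and explicitly deny iam:CreateUser.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["ec2:Terminate*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action in sorted(allowed_actions(SAMPLE_POLICY)):
        print(("benign " if is_benign(action) else "PRIV   ") + action)
```

The NotAction branch is the part worth noticing: a single `NotAction` statement with a short list grants far more than it names, so a tool that only pattern-matches `Action` entries would report this policy as granting nothing. The catalog is the weak point of the approach, which is why the issue wants it sourced from a maintained list rather than a checked-in text file.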

policyuniverse is largely focused on resource policies, such as those attached to an S3 bucket or ElasticSearch cluster, and not IAM policies for actors. However, I filed https://github.com/Netflix-Skunkworks/policyuniverse/issues/8 in order to start things moving so that library can be used here.

0xdabbad00, Mar 09 '18 21:03

Assuming you're aware of this: https://awspolicygen.s3.amazonaws.com/js/policies.js I think that's where policyuniverse sources the IAM info.

bobrich, Jun 29 '18 03:06

@bobrich Thanks, I just wrote up some notes on IAM vs APIs vs CloudTrail yesterday actually where I noted that data source: https://summitroute.com/blog/2018/06/28/aws_iam_vs_api_vs_cloudtrail/

My existing approach in CloudTracker is very unclean and misses a lot of the points I note in that blog. I need to revisit how I've approached a lot of the things with CloudTracker to account for all of that.

0xdabbad00, Jun 29 '18 14:06