Aaia : AWS Identity & Access Management Visualizer & Anomaly Finder

Aaia (pronounced as shown here ) helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j. This helps in identifying the outliers easily. Since it is based on neo4j , one can query the graph using cypher queries to find the anomalies.

It also supports modules to programmatically fetch data from neo4j database and process it in a custom fashion. This is mostly useful if any complex comparison or logic has to be applied which otherwise would not be easy through cypher queries.

Installation

Install the neo4j Database

Instructions here

Setup the username , password and bolt connection uri in Aaia.conf file. An example format is given in Aaia.conf file already.

Also Read – Lsassy : Extract Credentials From Lsass Remotel

Install OS dependency

Debian :-

apt-get install awscli jq

Redhat / Fedora / Centos / Amazon Linux :-

yum install awscli jq

Note:

These packages are needed for Aaia_aws_collector.sh script. Ensure these packages are present in the base system from where the collector script is being run.

Clone this repository

git clone https://github.com/rams3sh/Aaia
cd Aaia/

Create a virtual environment

python3 -m venv env

Activate the virtual environment

source env/bin/activate

Note: Aaia depends on pyjq library which is not stable in windows currently. Hence Aaia is not supported for Windows OS.

Install the dependencies

python -m pip install -r requirements.txt

Using Aaia

Setting up Permissions in AWS

Aaia would require following AWS permissions for collector script to collect relevant data from AWS

iam:GenerateCredentialReport
iam:GetCredentialReport
iam:GetAccountAuthorizationDetails
iam:ListUsers
iam:GetUser
iam:ListGroups
iam:ListRoles
iam:GetRole
iam:GetPolicy
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:ListAccountAliases
organizations:ListAccountsForParent
organizations:ListOrganizationalUnitsForParent
organizations:DescribeOrganization
organizations:ListRoots
organizations:ListAccounts
organizations:ListTagsForResource
organizations:ListPolicies
organizations:ListTargetsForPolicy
organizations:DescribePolicy
organizations:ListAWSServiceAccessForOrganization

“Organizations” related permissions can be ommitted. However , all the above mentioned “IAM” related permissions are necessary.

Ensure the permissions are available to the user / role / any aws principal which will be used for collection of data for the collector script.

Collecting Data From AWS

Ensure you have aws credentials configured. Refer this for help.

Once the crendential is setup.

Run:-

./Aaia_aws_collector.sh <profile_name>

Ensure the output format of the aws profile being used for data collection is set to json as Aaia expects the data collected to be in json format.

Note:-

In case of a requirement where data has to be collected from another instance; copy “Aaia_aws_collector.sh” file to the remote instance , run it and copy the generated “offline_data” folder to the Aaia path in the instance where Aaia is setup and carry on with following steps. This will be helpful in cases of consulting or client audit.

Loading the collected data to Neo4j DB

python Aaia.py -n -a load_data

-n supports “all” as value which means load all data collected and present within offline_data folder.

Note:

Please ensure you do not have profile as “all” in the credentials file as it may conflict with the argument. 😛

Now we are ready to use Aaia.

Audit IAM through a custom module

As of now , a sample module is given as a skeleton example. One can consider this as a reference for building custom modules.

python Aaia.py -n all -m iam_sample_audit

Demo

Screenshots

A sample visual of a dummy AWS Account’s IAM

A sample visual of a result of a cypher query to find all relations of a user in AWS IAM

R K

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

7 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

7 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

8 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

11 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

11 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

1 day ago