• Stars
    star
    771
  • Rank 58,926 (Top 2 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Least privilege AWS IAM Terraformer

Maintained by Bridgecrew.io code_coverage Terraform Version build PyPI Downloads slack-community

AirIAM is an AWS IAM to least privilege Terraform execution framework. It compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the exiting IAM management method.

AirIAM was created to promote immutable and version-controlled IAM management to replace today's manual and error prone methods.

Table of contents

Introduction

AirIAM scans existing IAM usage patterns and provides a simple method to migrate IAM configurations into a right-sized Terraform plan. It identifies unused users, roles, groups, policies and policy attachments and replaces them with a Least Privileges Terraform code modelled to manage AWS IAM.

By moving all IAM configurations into Terraform code, admins can start tracking, auditing and modifying IAM configurations as part of their standard infrastructure-as-code development provisioning processes.

AirIAM is battle-tested and is recommended for use in Dev, QA and test environments that have been previously managed by humans. It is design to result in minimal impact on existing workloads.

If you are interested in migrating a Prod account, contact us at [email protected] for some helpful tips.

flow

Features

  • Detects unused IAM resources using native AWS and Amazon Access Advisor APIs.
  • Provides scripts to remove unused entities en-masse.
  • Effortless migration of existing IAM configurations into a simple Least Privileges Terraform model.
  • Integrates with Checkov, a static-code analysis tool for Terraform, to track unwanted configuration changes and configuration drift.

Commands

  • find_unused - Detects unused users, roles, groups, policies and policy attachments. It also adds links to automation scripts that could remove these entities entirely using Bridgecrew Community. Learn more about these scripts and automation.

      usage: airiam find_unused [-h] [-p PROFILE] [-l LAST_USED_THRESHOLD]
                            [--no-cache] [-o {cli}]
    
      optional arguments:
        -h, --help            show this help message and exit
        -p PROFILE, --profile PROFILE
                              AWS profile to be used (default: None)
        -l LAST_USED_THRESHOLD, --last-used-threshold LAST_USED_THRESHOLD
                              "Last Used" threshold, in days, for an entity to be
                              considered unused (default: 90)
        --no-cache            Generate a fresh set of data from AWS IAM API calls
                              (default: False)
        -o {cli}, --output {cli}
                              Output format (default: OutputFormat.cli)
  • recommend_groups - Identifies what permissions are in use and creates 3 generalized groups according to that usage. Supported groups:

    • Admins - Users who have the AdministratorAccess policy attached. It will be added to the admins group which will have the managed policy arn:aws:iam::aws:policy/AdministratorAccess attached.
    • PowerUsers - Users who have write access to any of the services. In case of more than 10 policies being attached to that group, a number of groups will be created for PowerUsers, and the relevant users will be members of all of them.
    • ReadOnly - Users who only have read access to the account. Will be members of the readonly group which will have the managed policy arn:aws:iam::aws:policy/ReadOnlyAccess attached.
      usage: airiam recommend_groups [-h] [-p PROFILE] [-o {cli}]
                                     [-l LAST_USED_THRESHOLD] [--no-cache]
      
      optional arguments:
        -h, --help            show this help message and exit
        -p PROFILE, --profile PROFILE
                              AWS profile to be used (default: None)
        -o {cli}, --output {cli}
                              Output format (default: OutputFormat.cli)
        -l LAST_USED_THRESHOLD, --last-used-threshold LAST_USED_THRESHOLD
                              "Last Used" threshold, in days, for an entity to be
                              considered unused (default: 90)
        --no-cache            Generate a fresh set of data from AWS IAM API calls
                              (default: False)
  • terraform - Creates Terraform files based on the outputs and the transformations applied by the optional arguments supplied.

      usage: airiam terraform [-h] [-p PROFILE] [-d DIRECTORY] [--without-unused]
                              [--without-groups] [-l LAST_USED_THRESHOLD]
                              [--no-cache] [--without-import]
      
      optional arguments:
        -h, --help            show this help message and exit
        -p PROFILE, --profile PROFILE
                              AWS profile to be used (default: None)
        -d DIRECTORY, --directory DIRECTORY
                              Path where the output terraform code and state will be
                              stored (default: results)
        --without-unused      Create terraform code without unused entities
                              (default: False)
        --without-groups      Create terraform code without recommendation for user
                              groups (default: False)
        -l LAST_USED_THRESHOLD, --last-used-threshold LAST_USED_THRESHOLD
                              "Last Used" threshold, in days, for an entity to be
                              considered unused (default: 90)
        --no-cache            Generate a fresh set of data from AWS IAM API calls
                              (default: False)
        --without-import      Import the resulting entities to terraform's state
                              file. Note - this might take a long time (default:
                              False)

    Important notes for terraform command:

    a. AirIAM replaces all hardcoded values with the matching terraform references, which results in replacements of all group memberships and policy attachments. If this is run using a user, please make sure the user has the relevant privileges directly attached. A matching warning will be displayed if relevant.

    c. AirIAM tags all the resources it touched so it will be easy to identify the entities which are not managed through AirIAM. This results in terraform modifying the relevant entities by adding these tags.

    d. By default, AirIAM will import the currently existing IAM entities and their relationships, which might take a while depending on the number of configurations.

Usage

The three commands above run sequentially, and in-sync, as seen in the diagram below.

When executing, AirIAM starts by scanning a selected AWS account using the specified profile. If find_unused is specified, the results are printed and the execution completes. If recommend_groups is specified, after the stage of group recommendation the results are printed and the execution completes. If the terraform command is specified it takes all the results and creates the Terraform code and state file required to replace the existing IAM configuration.

Data Flow

Data Flow

Examples

Example Movie

Getting Started

Installation

Using Pip

pip3 install airiam --user

Using brew (MacOS Only)

brew tap bridgecrewio/airiam https://github.com/bridgecrewio/airiam
brew update
brew install airiam

Recommended Flow

The recommended workflow for using this tool is as follows:

  1. Run the find_unused command and delete the unused access keys + unused console logins - these cannot be migrated to terraform because they hold secrets known only to the relevant user - his password and private credentials.
  2. Run the terraform command without any flags, creating a terraform setup that mirrors your existing IAM setup. This will take a while as all of the entities will be imported to your state file
  3. Commit the terraform files (without the state file) to a new repository.
  4. Run the terraform command again, this time with the flag --without-import and --without-unused. This will edit the .tf files to contain only the entities that are in use.
  5. Create a new branch and commit the new terraform files.
  6. Create a Pull Request / Merge Request from this branch to the default branch. Check out the differences and make sure all the changes are good. Consult relevant stakeholders in your organization if necessary.
  7. After approval - merge the PR and apply the changes using terraform apply. Please note this action will require Admin IAM access to the account.

FAQ

If you run into the following error:

airiam is not recognized as an internal or external command

Please make sure python is in your PATH by running the following command:

export PATH="/Users//Library/Python/3.7/bin:$PATH"

Alternatives

AWS IAM Cleanup Tools

For AWS IAM usage scanners check out CloudTracker, Trailscraper, Aadvark & Repokid. The main difference between these tools and AirIAM is that AirIAM also moves the problem into static terraform code form, which allows an entire set of code analysis tools to manage and identify deviations and changes.

AWS IAM Policy Management Tools

For static IAM policy linting, check out Parliament. Parliament is actually integrated into AirIAM, and is run on the policies it gets from your AWS account.

For automatically creating IAM policies and managing them as code, check out aws-iam-generator, PolicySentry.

Cloudsplaining is another tool from salesforce that analyzes existing IAM set-up and identifies risky / over privileged roles.

These tools help create better policies, but do not help with existing AWS IAM set-up.

Migration of AWS to Terraform Tools

For other tools that help migrate existing AWS IAM set-up to terraform, check out terracognita and terraforming. AirIAM is the only tool which supports migrating all relevant IAM entities to terraform v0.12.

Contributing

Contribution is welcomed!

We would love to hear about other IAM governance models for additional use cases as well as new ways to identify over-permissive IAM resources.

Support

Bridgecrew builds and maintains AirIAM to encourage the adoption of IAM-as-code and enforcement of IAM Rightsizing and Least Privileges best practices in policy-as-code.

Start with our Documentation for quick tutorials and examples.

If you need direct support you can contact us at [email protected].

More Repositories

1

checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Python
7,015
star
2

terragoat

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
HCL
1,139
star
3

yor

Extensible auto-tagger for your IaC files. The ultimate way to link entities in the cloud back to the codified resource which created it.
Go
812
star
4

checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
HCL
238
star
5

cfngoat

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
91
star
6

helm-scanner

Open source IaC security scanner for public Helm charts
Python
87
star
7

bridgecrew-action

This GitHub Action runs Bridgecrew against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
72
star
8

checkov-vscode

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework, and other infrastructure-as-code-languages with Checkov by Bridgecrew in your VSCODE IDE.
TypeScript
68
star
9

kustomizegoat

Vulnerable Kustomize Kubernetes templates for training and education
HTML
47
star
10

terraform-aws-session-manager

Terraform module for deploying AWS Session Manager
HCL
43
star
11

cdkgoat

CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Python
43
star
12

redshirts

TypeScript
20
star
13

terraform-aws-route53-backup-restore

A module that backs up and restores route53 zones and records
Python
20
star
14

yor-action

Github action for Yor
TypeScript
16
star
15

HowCrew

Super-powered know how tools for AWS and GCP cloud security
Python
14
star
16

bridgecrew-orb

This CircleCI Orb Action runs Bridgecrew analysis of Infrastructure-as-Code repository. Bridgecrerw performs static security analysis of Terraform, CloudFormation and Kubernetes Infrastructure code security
11
star
17

whorf

Python
10
star
18

cdk-validator-checkov

AWS CDK policy validation plugin powered by checkov
TypeScript
7
star
19

bicepgoat

BicepGoat is Bridgecrew's "Vulnerable by Design" Bicep and ARM repository. BicepGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Bicep
7
star
20

jsonpath-ng

Finally, a JSONPath implementation for Python that aims to be standard compliant. That's all. Enjoy it.
Python
6
star
21

cloud-security-notebooks

Jupyter notebooks of various cloud security subjects
Jupyter Notebook
6
star
22

aws-collect-unused-security-groups

Track unused security groups of an AWS account over period of time with control of the interval to sample the security groups
JavaScript
6
star
23

terraform-provider-bridgecrew

USE https://github.com/paloaltonetworks/terraform-provider-bridgecrew
Go
5
star
24

terraform-aws-secured-postgresql-rds

A Terraform module to create an Amazon Web Services (AWS) PostgreSQL Relational Database Server (RDS) in a VPC, NAT implementing security best practices.
HCL
5
star
25

bridgecrew-integrations

Integrations that supported by Bridgecrew. Each integration collect data from different sensors and send the log data to Bridgecrew
HCL
4
star
26

aws-modernization-workshop-bridgecrew

HTML
4
star
27

bridgecrew-kubernetes

Resources for Kubernetes
4
star
28

terraform-aws-bridgecrew-read-only

Bridgecrew READ ONLY integration module
HCL
4
star
29

terraform-aws-bridgecrew-cloudtrail

Integrate your AWS account Cloudtrail with Bridgecrew
HCL
4
star
30

terraform-google-bridgecrew-gcp-read-only

Connecting your GCP project to Bridgecrew
HCL
3
star
31

checkov-jetbrains-ide

Checkov is a static code analysis tool for infrastructure as code.The Checkov Plugin for Intellij enables developers to get real-time scan results, as well as inline fix suggestions as they develop cloud infrastructure.
Kotlin
3
star
32

terraform-azurerm-bridgecrew-azure-read-only

Read Only module to connect Azure subscriptions to https://bridgecrew.cloud
HCL
3
star
33

bc-pipeline-utils

utils for jenkins pipelines
Groovy
2
star
34

sample-custom-checks

Example custom checks to use with the Checkov CLI.
Python
2
star
35

bc-toolbox

Bridgecrew utility scripts and more.
JavaScript
2
star
36

terraform-aws-bridgecrew-remediation

HCL
2
star
37

prisma-cloud-vscode-plugin

TypeScript
2
star
38

fluentd-dlp

Dockerfile
1
star
39

docker-syslog-integration

JavaScript
1
star
40

WHP_IaC_Scanning

A repository for the We Hack Purple mini-course on IaC scanning with Checkov. (https://checkov.io)
HCL
1
star
41

checkov-pre-receive-hooks

Shell
1
star
42

yor-choco

PowerShell
1
star
43

bridgecrew-py

Shell
1
star
44

iam-alerting-cleanup

Python
1
star
45

prisma-cloud-jetbrains-ide

The Prisma cloud Plugin for Intellij enables developers to get real-time scan results, as well as inline fix suggestions as they develop cloud infrastructure.
Kotlin
1
star