  • Stars: 3,096
  • Rank 14,519 (Top 0.3 %)
  • Language: Go
  • License: MIT License
  • Created almost 4 years ago
  • Updated 3 months ago


Repository Details

Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy

iamlive

Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy

Installation

Pre-built binaries

Pre-built binaries for Windows, macOS and Linux are available for download in the project releases.

Once downloaded, place the extracted binary in your $PATH (or execute in-place). For macOS users, you may need to allow the application to run via System Preferences.

Build with Go

To build and install this application, clone this repository and execute the following from its base directory:

go install

You must have Go 1.16 or later installed for the build to work.

Homebrew

You may also install this application using a Homebrew tap with the following command:

brew install iann0036/iamlive/iamlive

Usage

To start the listener, run iamlive in a separate terminal window from your CLI / SDK application, then exercise every command or code path you want covered: the generated policy only contains the calls iamlive actually observed. Use Ctrl+C to exit when you are done.

CLI Arguments

You can optionally also include the following arguments to the iamlive command:

--set-ini: when set, the .aws/config file will be updated to use the CSM monitoring or CA bundle and removed when exiting (default: false)

--profile: use the specified profile when combined with --set-ini (default: default)

--fails-only: when set, only failed AWS calls will be added to the policy, csm mode only (default: false)

--output-file: specify a file that will be written to on SIGHUP or exit (default: unset)

--refresh-rate: instead of flushing the policy to the console after every API call, flush it every this many seconds (default: 0, i.e. after every call)

--sort-alphabetical: sort actions alphabetically (default: false)

--host: host to listen on for CSM (default: 127.0.0.1)

--background: when set, the process outputs its PID and then keeps running in the background without further output (default: false)

--force-wildcard-resource: when set, the Resource will always be a wildcard (default: false)

--mode: the listening mode (csm,proxy) (default: csm)

--bind-addr: the bind address for proxy mode (default: 127.0.0.1:10080)

--ca-bundle: the CA certificate bundle (PEM) to use for proxy mode (default: ~/.iamlive/ca.pem)

--ca-key: the CA certificate key to use for proxy mode (default: ~/.iamlive/ca.key)

--account-id: the AWS account ID to use in policy outputs within proxy mode (default: 123456789012 unless detected)

Basic Example (CSM Mode)

iamlive --set-ini

Basic Example (Proxy Mode)

iamlive --set-ini --mode proxy

Comprehensive Example (CSM Mode)

iamlive --set-ini --profile myprofile --fails-only --output-file policy.json --refresh-rate 1 --sort-alphabetical --host 127.0.0.1 --background

Comprehensive Example (Proxy Mode)

iamlive --set-ini --mode proxy --profile myprofile --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012 --background --force-wildcard-resource

The arguments may also be specified in an INI file located at ~/.iamlive/config.

CSM Mode

Client-side monitoring mode is the default behaviour. It listens for the metrics the AWS CLI / SDKs emit locally over UDP (127.0.0.1:31000 unless configured otherwise) and captures policy statements with the Action key only. CSM events identify the service and operation of each call but not the ARNs involved, so Resource is always "*" in this mode (Resource is only available in proxy mode).

CLI

To enable CSM in the AWS CLI, you should either use the --set-ini option or add the following to the relevant profile in .aws/config:

csm_enabled = true

Alternatively, you can run the following in the window executing your CLI commands:

export AWS_CSM_ENABLED=true

SDKs

To enable CSM in the various AWS SDKs, run the following in the window executing your application before starting it:

export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
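
As an added example (not code from the iamlive project), here is a minimal Go listener showing what CSM mode has to work with: it binds the UDP port the CLI / SDKs send client-side monitoring metrics to, parses each datagram, and folds the Service/Api pairs into an Action-only policy with the --fails-only and --sort-alphabetical semantics described above. The service-name-to-IAM-prefix table, the sample datagrams and the assumption that the CSM Api name equals the IAM action name are simplifications made for illustration; iamlive's real mapping is more involved.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strings"
)

// csmEvent is the part of a CSM datagram that policy generation needs;
// ApiCallAttempt events carry the service, operation and HTTP status.
type csmEvent struct {
	Type           string `json:"Type"`
	Service        string `json:"Service"`
	Api            string `json:"Api"`
	HttpStatusCode int    `json:"HttpStatusCode"`
}

// Statement and Policy are the minimal IAM policy document shape.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// prefixOverrides: CSM service names whose IAM prefix is not the lower-cased
// name. Assumption: illustrative only, not iamlive's own mapping table.
var prefixOverrides = map[string]string{
	"CloudWatch Logs":           "logs",
	"Elastic Load Balancing v2": "elasticloadbalancing",
}

func iamPrefix(service string) string {
	if p, ok := prefixOverrides[service]; ok {
		return p
	}
	return strings.ToLower(strings.ReplaceAll(service, " ", ""))
}

// BuildPolicy turns raw CSM datagrams into an Action-only policy the way CSM
// mode does: failsOnly keeps only attempts that came back 403, sortAlpha orders
// the actions, and Resource is always "*" because CSM events carry no ARN.
func BuildPolicy(datagrams [][]byte, failsOnly, sortAlpha bool) Policy {
	seen := map[string]bool{}
	actions := []string{}
	for _, d := range datagrams {
		var ev csmEvent
		if err := json.Unmarshal(d, &ev); err != nil || ev.Type != "ApiCallAttempt" {
			continue // skip malformed datagrams and ApiCall summary events
		}
		if failsOnly && ev.HttpStatusCode != 403 {
			continue
		}
		action := iamPrefix(ev.Service) + ":" + ev.Api
		if !seen[action] {
			seen[action] = true
			actions = append(actions, action)
		}
	}
	if sortAlpha {
		sort.Strings(actions)
	}
	return Policy{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow", Action: actions, Resource: "*"}}}
}

// SampleDatagrams are constructed CSM events, not captured from a real
// session: a repeated S3 call, a Logs call and a denied Lambda call.
var SampleDatagrams = [][]byte{
	[]byte(`{"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","Region":"us-east-1","HttpStatusCode":200}`),
	[]byte(`{"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","Region":"us-east-1","HttpStatusCode":200}`),
	[]byte(`{"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"CloudWatch Logs","Api":"DescribeLogGroups","Region":"us-east-1","HttpStatusCode":200}`),
	[]byte(`{"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"Lambda","Api":"ListFunctions","Region":"us-east-1","HttpStatusCode":403,"AwsException":"AccessDeniedException"}`),
	[]byte(`{"Version":1,"ClientId":"","Type":"ApiCall","Service":"Lambda","Api":"ListFunctions","AttemptCount":1,"FinalHttpStatusCode":403}`),
}

// main listens where the CLI/SDKs send CSM metrics and reprints the policy after each datagram.
func main() {
	conn, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 31000})
	if err != nil {
		panic(err)
	}
	var datagrams [][]byte
	buf := make([]byte, 64*1024)
	for {
		n, _, err := conn.ReadFromUDP(buf)
		if err != nil {
			panic(err)
		}
		datagrams = append(datagrams, append([]byte(nil), buf[:n]...))
		out, _ := json.MarshalIndent(BuildPolicy(datagrams, false, true), "", "  ")
		fmt.Println(string(out))
	}
}
```

Run it in place of iamlive with AWS_CSM_ENABLED=true, AWS_CSM_PORT=31000 and AWS_CSM_HOST=127.0.0.1 exported in the shell running your AWS commands. Two things the code makes visible: duplicate calls collapse to one action, and --fails-only is only useful when the recording identity is missing permissions, since a 403 is the signal it keys on; a session run with administrator rights yields an empty policy under that flag.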

Proxy Mode

Proxy mode serves a local HTTP(S) proxy (by default at http://127.0.0.1:10080) that terminates TLS with its own CA, inspects each request bound for an AWS endpoint, and then forwards it on. Because it sees the full request rather than a metrics summary, it can generate IAM policy statements with both Action and Resource keys. The CA key/certificate pair is generated automatically and stored within ~/.iamlive/ by default. Treat that key like a credential: anyone who can read it can impersonate AWS endpoints to any session that trusts the bundle, so keep it readable only by your user, trust the bundle per session via ca_bundle / AWS_CA_BUNDLE rather than installing it in the system trust store, and unset the proxy variables when you are done recording.

CLI

To set the appropriate CA bundle in the AWS CLI, you should either use the --set-ini option or add the following to the relevant profile in .aws/config:

ca_bundle = ~/.iamlive/ca.pem

Alternatively, you can run the following in the window executing your CLI commands:

export AWS_CA_BUNDLE=~/.iamlive/ca.pem

You must also set the proxy settings for your session by running the following in the window executing your CLI commands:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080

SDKs

To route the various AWS SDKs through the proxy, run the following in the window executing your application before starting it:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

Check the official docs for further details on setting the CA bundle.
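
Added example, not part of iamlive: the classification step a proxy applies to each decrypted request, which is where the Resource key comes from. It reads region and service out of the SigV4 credential scope in the Authorization header, names the operation from the S3 method and path, from the X-Amz-Target header of JSON-protocol services, or from the Action form field of query-protocol services, and builds an ARN where the request reveals one. The account ID is a parameter because a single request does not disclose it, which is why the tool takes --account-id. The S3 and DynamoDB handling, the operation coverage and the sample requests are constructed simplifications; TLS interception, CA generation and forwarding are out of scope here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Observed is the Action/Resource pair derived from one request.
type Observed struct {
	Action   string
	Resource string
}

// credentialScope extracts region and service from Credential=<key>/<yyyymmdd>/<region>/<service>/aws4_request.
var credentialScope = regexp.MustCompile(`Credential=[^/]+/\d{8}/([^/]+)/([^/]+)/aws4_request`)

// Classify maps one decrypted AWS request to an Action and, where the request
// reveals one, a Resource ARN; accountID fills ARNs that need it.
func Classify(r *http.Request, accountID string) (Observed, error) {
	m := credentialScope.FindStringSubmatch(r.Header.Get("Authorization"))
	if m == nil {
		return Observed{}, fmt.Errorf("request to %s has no SigV4 credential scope", r.Host)
	}
	region, service := m[1], m[2]
	switch {
	case service == "s3":
		return classifyS3(r)
	case r.Header.Get("X-Amz-Target") != "":
		// JSON-protocol services name the operation as "<Prefix>.<Operation>".
		target := r.Header.Get("X-Amz-Target")
		obs := Observed{service + ":" + target[strings.LastIndex(target, ".")+1:], "*"}
		if service == "dynamodb" { // assumption: only the table-level ARN is derived
			// A real proxy must re-wrap the body after reading it, or it forwards an empty one.
			var body struct{ TableName string }
			raw, _ := io.ReadAll(r.Body)
			if json.Unmarshal(raw, &body) == nil && body.TableName != "" {
				obs.Resource = fmt.Sprintf("arn:aws:dynamodb:%s:%s:table/%s", region, accountID, body.TableName)
			}
		}
		return obs, nil
	default:
		// Query-protocol services (EC2, STS, IAM, ...) carry Action in the form body.
		if action := r.FormValue("Action"); action != "" {
			return Observed{service + ":" + action, "*"}, nil
		}
	}
	return Observed{}, fmt.Errorf("cannot name the %s operation in %s %s", service, r.Method, r.URL.Path)
}

// classifyS3 handles virtual-hosted (bucket.s3.<region>.amazonaws.com) and path-style
// (s3.<region>.amazonaws.com/bucket/key) addressing; bucket names with dots are not handled.
func classifyS3(r *http.Request) (Observed, error) {
	host, _, _ := strings.Cut(r.Host, ":")
	path := strings.TrimPrefix(r.URL.Path, "/")
	var bucket, key string
	if strings.HasPrefix(host, "s3.") || strings.HasPrefix(host, "s3-") {
		bucket, key, _ = strings.Cut(path, "/") // path-style
	} else {
		bucket, _, _ = strings.Cut(host, ".") // virtual-hosted
		key = path
	}
	arn := "arn:aws:s3:::" + bucket
	switch {
	case bucket == "":
		return Observed{"s3:ListAllMyBuckets", "*"}, nil
	case key == "" && r.Method == http.MethodGet:
		return Observed{"s3:ListBucket", arn}, nil
	case key != "" && r.Method == http.MethodGet:
		return Observed{"s3:GetObject", arn + "/" + key}, nil
	}
	return Observed{}, fmt.Errorf("unhandled S3 request %s %s", r.Method, r.URL.Path)
}

// SampleRequests builds constructed requests (not real captures) in the shape the
// SDKs send; the access key is AWS's documented example key, the signature a placeholder.
func SampleRequests() []*http.Request {
	mk := func(method, url, body, svc string, hdr map[string]string) *http.Request {
		r, _ := http.NewRequest(method, url, strings.NewReader(body))
		if svc != "" {
			r.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240101/us-east-1/"+
				svc+"/aws4_request, SignedHeaders=host;x-amz-date, Signature=deadbeef")
		}
		for k, v := range hdr {
			r.Header.Set(k, v)
		}
		return r
	}
	return []*http.Request{
		mk(http.MethodGet, "https://example-bucket.s3.us-east-1.amazonaws.com/reports/q1.csv", "", "s3", nil),
		mk(http.MethodGet, "https://s3.us-east-1.amazonaws.com/example-bucket", "", "s3", nil),
		mk(http.MethodPost, "https://dynamodb.us-east-1.amazonaws.com/", `{"TableName":"Orders","Key":{"id":{"S":"1"}}}`,
			"dynamodb", map[string]string{"X-Amz-Target": "DynamoDB_20120810.GetItem"}),
		mk(http.MethodPost, "https://ec2.us-east-1.amazonaws.com/", "Action=DescribeInstances&Version=2016-11-15",
			"ec2", map[string]string{"Content-Type": "application/x-www-form-urlencoded"}),
		mk(http.MethodGet, "https://example.com/health", "", "", nil), // unsigned, not an AWS call
	}
}

func main() {
	for _, r := range SampleRequests() {
		obs, err := Classify(r, "123456789012")
		fmt.Printf("%-4s %s -> %+v %v\n", r.Method, r.URL, obs, err)
	}
}
```

The unsigned request is rejected rather than guessed at, which matters because HTTPS_PROXY sends every outbound request through the proxy, not only AWS traffic. Deriving resources also means the proxy reads request bodies in plaintext, so it sees whatever the SDK sends (object contents, item payloads, secret values); run it only on a workstation you control and for the session being recorded.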

FAQs

I get a message "package embed is not in GOROOT" when attempting to build myself

This project requires Go 1.16 or above to be built correctly (due to embedding feature).

Acknowledgements

This project makes use of Parliament and was assisted by Scott Piper's CSM explainer. Thanks also to Noam Dahan's research into missing iam:PassRole dependant actions.
