import boto3
import json
import argparse
import sys
import time
import threading
# Module-level flag polled by spinner(); enumerate_iam_policies() sets it to
# True to make the animation thread leave its loop.
stop_spinner = False
def get_aws_profile_details(profile_name):
    """Describe the named AWS profile.

    Args:
        profile_name: Name of a profile in the local AWS configuration.

    Returns:
        A dict with 'Region' (the region the session resolved for that
        profile) and 'Profile' (the name that was passed in).
    """
    aws_session = boto3.Session(profile_name=profile_name)
    details = {}
    details['Region'] = aws_session.region_name
    details['Profile'] = profile_name
    return details
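def list_user_policies(iam_client, user_name):
    """Return the names of the inline policies embedded in an IAM user.

    The IAM API pages this listing, so the call is repeated with the returned
    ``Marker`` while ``IsTruncated`` is set; a single call can silently omit
    policies and make an access review look cleaner than it is.

    Scope caveat: this covers inline user policies only. Managed policies
    attached to the user and policies inherited through groups are not
    returned here, so an empty result does not mean the user has no
    permissions.

    Args:
        iam_client: boto3 IAM client (anything exposing list_user_policies).
        user_name: IAM user name to query.

    Returns:
        A list of policy names. On any error the error is printed and an
        empty list is returned, so callers cannot tell "no policies" from
        "listing failed" (for example, access denied) by the return value.
    """
    policy_names = []
    request = {'UserName': user_name}
    try:
        while True:
            response = iam_client.list_user_policies(**request)
            policy_names.extend(response['PolicyNames'])
            if not response.get('IsTruncated'):
                break
            # Continue from where the previous page stopped.
            request['Marker'] = response['Marker']
    except Exception as e:
        print(f"Error listing policies for user '{user_name}': {e}")
        # A partial list would be presented as complete; return nothing instead.
        return []
    return policy_names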
def get_user_policy(iam_client, user_name, policy_name):
    """Fetch one inline policy document of an IAM user.

    Args:
        iam_client: boto3 IAM client (anything exposing get_user_policy).
        user_name: IAM user that owns the policy.
        policy_name: Name of the inline policy to read.

    Returns:
        The 'PolicyDocument' value of the response, or None when the call
        or the lookup fails (the error is printed, not raised).
    """
    try:
        reply = iam_client.get_user_policy(
            UserName=user_name,
            PolicyName=policy_name,
        )
        return reply['PolicyDocument']
    except Exception as err:
        # Every failure is reported the same way: a printed message.
        print(f"Error getting policy '{policy_name}' for user '{user_name}': {err}")
    return None
def print_pretty_json(data):
    """Print *data* as JSON with sorted keys and a four-space indent."""
    rendered = json.dumps(data, sort_keys=True, indent=4)
    print(rendered)
def print_aws_profile_info(profile_details):
    """Print a banner with the profile name and region.

    Args:
        profile_details: Mapping with the keys 'Profile' and 'Region'.
    """
    rule = "=" * 60
    banner = [
        "\n" + rule,
        " AWS Profile Information ",
        rule,
        f" Profile Name: {profile_details['Profile']}",
        f" Region: {profile_details['Region']}",
        rule,
    ]
    for line in banner:
        print(line)
def print_iam_user_info(iam_client, user_name):
    """Print the ARN and creation date of one IAM user.

    Args:
        iam_client: boto3 IAM client (needs get_user and
            exceptions.NoSuchEntityException).
        user_name: IAM user name to look up.

    Nothing is returned or raised: a missing user and any other failure
    are each reported with a printed message.
    """
    rule = "=" * 60
    try:
        reply = iam_client.get_user(UserName=user_name)
        print("\n" + rule)
        print(" IAM User Details ")
        print(rule)
        print(f" User Name: {user_name}")
        record = reply['User']
        print(f" User ARN: {record['Arn']}")
        print(f" User Creation Date: {record['CreateDate']}")
        print(rule)
    except iam_client.exceptions.NoSuchEntityException:
        print(f"User '{user_name}' does not exist.")
    except Exception as err:
        print(f"Error fetching details for user '{user_name}': {err}")
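def list_and_print_users(iam_client):
    """Print name, ARN and creation date of every IAM user in the account.

    The IAM API pages this listing, so the call is repeated with the returned
    ``Marker`` while ``IsTruncated`` is set; reading only the first page would
    leave users out of the inventory without any warning.

    Args:
        iam_client: boto3 IAM client (anything exposing list_users).

    Nothing is returned or raised: failures are reported with a printed
    message, and nothing is listed if any page fails.
    """
    users = []
    request = {}
    try:
        while True:
            response = iam_client.list_users(**request)
            users.extend(response.get('Users', []))
            if not response.get('IsTruncated'):
                break
            # Continue from where the previous page stopped.
            request['Marker'] = response['Marker']

        if not users:
            print("\nNo IAM users found.")
            return

        print("\n" + "=" * 60)
        print(" IAM Users List ")
        print("=" * 60)
        for user in users:
            user_name = user['UserName']
            print(f"User Name: {user_name}")
            print(f"User ARN: {user['Arn']}")
            print(f"User Creation Date: {user['CreateDate']}")
            print("-" * 60)
    except Exception as e:
        print(f"Error listing users: {e}")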
def spinner():
    """Animate a 'Loading...' indicator on stdout until stop_spinner is set.

    Intended to run in its own thread. The flag is re-read only after a
    full pass over the four frames, so the loop exits at the end of a pass.
    """
    frames = '|/-\\'
    while True:
        if stop_spinner:
            break
        for frame in frames:
            # '\r' rewinds to the start of the line so each frame overwrites the last.
            sys.stdout.write('\rLoading... ' + frame)
            sys.stdout.flush()
            time.sleep(0.1)
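def enumerate_iam_policies(user_name, profile_name, show_profile, show_user, list_users):
    """Connect with the given profile and print IAM details for review.

    Args:
        user_name: IAM user whose inline policies are printed; may be None
            when list_users is set.
        profile_name: AWS profile used to build the session.
        show_profile: If true, print the profile banner (again, see note below).
        show_user: If true, print the user's ARN and creation date.
        list_users: If true, print every IAM user and return without
            looking at policies.

    Only inline user policies are read (via list_user_policies and
    get_user_policy); attached managed policies and group policies are not
    covered by this report.
    """
    global stop_spinner

    # Start spinner animation. The thread is a daemon and is stopped in a
    # finally block: if session or client creation raises (for example an
    # unknown profile), a running non-daemon spinner would otherwise keep the
    # process alive forever.
    stop_spinner = False
    spinner_thread = threading.Thread(target=spinner, daemon=True)
    spinner_thread.start()
    try:
        # Initialize a session using Amazon IAM
        session = boto3.Session(profile_name=profile_name)
        iam_client = session.client('iam')
    finally:
        # Stop spinner animation
        stop_spinner = True
        spinner_thread.join()

    # Print AWS Profile Information
    profile_details = get_aws_profile_details(profile_name)
    # NOTE: building a session and client makes no API call, so this banner
    # does not show that the credentials are valid or authorized.
    print("\nSuccessfully connected to AWS.")
    print_aws_profile_info(profile_details)

    if list_users:
        # List and print all IAM users
        list_and_print_users(iam_client)
        return

    if show_profile:
        # NOTE(review): the banner above was already printed unconditionally,
        # so this flag currently prints it a second time.
        print_aws_profile_info(profile_details)

    if not user_name:
        # Without a user name every per-user call below would fail parameter
        # validation and the report would end with a misleading "no policies".
        print("\nNo user name given; pass -u/--username or use --list-users.")
        return

    if show_user:
        # Print IAM User Information
        print_iam_user_info(iam_client, user_name)

    # List user policies. An empty list is also what list_user_policies
    # returns after an error, so check the output above for an error line
    # before trusting the message below.
    policy_names = list_user_policies(iam_client, user_name)
    if not policy_names:
        print(f"\n{'='*60}")
        print(f"No policies found for user '{user_name}'")
        print(f"{'='*60}")
        return

    print(f"\n{'='*60}")
    print(f" IAM Policies for User: {user_name}")
    print(f"{'='*60}")

    # Get details of each policy
    for policy_name in policy_names:
        sys.stdout.write(f'\rLoading policy: {policy_name} ...')
        sys.stdout.flush()
        policy_document = get_user_policy(iam_client, user_name, policy_name)
        if policy_document:
            print(f"\n{'-'*60}")
            print(f" Policy Name: {policy_name}")
            print(f"{'-'*60}")
            print(" Policy Document:")
            print_pretty_json(policy_document)
        sys.stdout.write(f'\rLoading policy: {policy_name} ... done')
        sys.stdout.flush()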
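def main():
    """Parse the command line and run the IAM policy report.

    --examples prints usage examples and exits. Otherwise a user name is
    mandatory unless --list-users is given, as the --username help text
    states; the parser now enforces that instead of letting the run fail
    later inside the AWS calls.
    """
    parser = argparse.ArgumentParser(
        description="IAM Policy Enumeration Tool - List and view IAM user policies."
    )
    parser.add_argument(
        '-u', '--username',
        required=False,
        help="The IAM username whose policies you want to list. Required if --list-users is not used."
    )
    parser.add_argument(
        '-p', '--profile',
        default='default',
        help="The AWS profile name to use for the session. Defaults to 'default'."
    )
    parser.add_argument(
        '--show-profile',
        action='store_true',
        help="Print AWS profile details."
    )
    parser.add_argument(
        '--show-user',
        action='store_true',
        help="Print IAM user details."
    )
    parser.add_argument(
        '--list-users',
        action='store_true',
        help="List all IAM users."
    )
    parser.add_argument(
        '-e', '--examples',
        action='store_true',
        help="Show usage examples."
    )
    args = parser.parse_args()

    if args.examples:
        script = sys.argv[0]
        print("\nUsage Examples:")
        print("=" * 60)
        print("1. Show IAM user details:")
        print(f" python {script} -u <username> -p <profile> --show-user")
        print(f" Example: python {script} -u manager_iam_privesc_by_key_rotation_cgidojok4gmfsc -p cloudgoat --show-user")
        print()
        print("2. Show AWS profile details:")
        print(f" python {script} -u <username> -p <profile> --show-profile")
        print(f" Example: python {script} -u manager_iam_privesc_by_key_rotation_cgidojok4gmfsc -p cloudgoat --show-profile")
        print()
        print("3. List all IAM users:")
        print(f" python {script} --list-users -p <profile>")
        print(f" Example: python {script} --list-users -p cloudgoat")
        print()
        print("4. List IAM policies for a specific user:")
        print(f" python {script} -u <username> -p <profile>")
        print(f" Example: python {script} -u manager_iam_privesc_by_key_rotation_cgidojok4gmfsc -p cloudgoat")
        print("=" * 60)
        return

    # Enforce the documented contract before any AWS call is attempted.
    if not args.list_users and not args.username:
        parser.error("-u/--username is required unless --list-users is used")

    # Initialize session and print connection details
    print("\nConnecting to AWS...")
    enumerate_iam_policies(args.username, args.profile, args.show_profile, args.show_user, args.list_users)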
# Run the command-line interface only when executed as a script, not on import.
if __name__ == "__main__":
    main()