
CloudTracker Output

Open Subham-Sarkar-grokr opened this issue 5 years ago • 5 comments

Having an issue with the CloudTracker output. According to the documentation, CloudTracker shows a diff of the privileges granted vs used. The symbols mean the following:
"No symbol" means this privilege is used, so leave it as is.
- A minus sign means the privilege was granted, but not used, so you should remove it.
? A question mark means the privilege was granted, but it is unknown if it was used because it is not recorded in CloudTrail.
+ A plus sign means the privilege was not granted, but was used. The only way this is possible is if the privilege was previously granted, used, and then removed, so you may want to add that privilege back.

I just needed to understand something about the output. For example, in the output to check the privileges for the "X" role, let's say I got "+ iam:createrole", which means that privilege was previously granted and used but later removed, according to the documentation. But the "X" role has the permission to create roles, so the output should have been "no symbol" instead of "+" for iam:createrole. Am I right? Can anyone clarify this?

Subham-Sarkar-grokr avatar Sep 14 '20 19:09 Subham-Sarkar-grokr

The situation you are describing sounds like there is potentially a bug in CloudTracker if true. CloudTracker does have issues with figuring out the translation between some IAM privilege names and the action recorded in CloudTrail (for example the privilege s3:ListAllMyBuckets correlates to the API and CloudTrail recorded action s3:ListBuckets). The privilege and corresponding action for iam:CreateRole should be the same though, so that shouldn't be a problem.

0xdabbad00 avatar Sep 14 '20 22:09 0xdabbad00

Yes, if a privilege is allowed for the role and it has been used, CloudTracker distinguishes it with "no symbol", whereas if it is not allowed yet being used it comes under the "+" (plus) symbol category. In my case, not only for iam:CreateRole but for many other actions which were allowed and used, CloudTracker tracks them as "+" (plus) symbol, which should not be the case, as it is clear that they should be tracked with "no symbol" in its output.

The "-" (minus) symbols were accurate though. It's the "+" (plus) and "no symbol" that I am concerned about in its output. Most of the actions which were allowed and used were tracked with the "+" symbol. This is the issue I am facing with it.

Subham-Sarkar-grokr avatar Sep 22 '20 21:09 Subham-Sarkar-grokr

It sounds like something is wrong. My guess is the IAM policy data you have is incorrect somehow.

0xdabbad00 avatar Sep 23 '20 21:09 0xdabbad00

We are using this aws cli command "get-account-authorization-details" to get a copy of the IAM data right. It is correct.

Subham-Sarkar-grokr avatar Sep 25 '20 06:09 Subham-Sarkar-grokr

I am having the same issue with the "+" showing up even though the Role has the IAM permission. I believe it is related to a mismatch of what is in CloudTrail vs the permission on the policy. For instance, s3:putbucketencryption is reported in CloudTrail and the IAM Permission is s3:PutEncryptionConfiguration.

4patelr avatar Feb 04 '21 18:02 4patelr
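To make the name-mismatch explanation from the two maintainer/user comments above concrete, here is an added example (not CloudTracker's own code, and not from anyone in this thread) of a minimal granted-vs-used diff in Python. It works over constructed sample data: a set of IAM actions as you would read them out of `get-account-authorization-details`, a few CloudTrail events with the `eventSource`/`eventName` fields CloudTrail actually records, a constructed set standing in for actions CloudTrail does not log (for the "?" case), and an alias table holding the two mismatches named in the thread (`ListBuckets` vs `s3:ListAllMyBuckets`, `PutBucketEncryption` vs `s3:PutEncryptionConfiguration`). Running the diff with an empty alias table reproduces the symptom reported here: a granted and used action shows up once as "-" and once as "+"; adding the alias collapses both into "no symbol". The `unmatched_used` helper lists exactly the "+" entries, which is the first thing to audit when a "+" appears for a privilege the role clearly holds.

```python
# Added example: a toy granted-vs-used privilege diff in the style of the
# CloudTracker legend (no symbol / - / ? / +). All data below is constructed.

# Constructed: IAM actions granted to the role under review.
GRANTED = {
    "iam:CreateRole",
    "s3:ListAllMyBuckets",
    "s3:PutEncryptionConfiguration",
    "ec2:DescribeInstances",  # granted, never used in the sample events -> "-"
    "kms:Decrypt",            # granted, modelled as not logged by CloudTrail -> "?"
}

# Constructed: CloudTrail management events, reduced to the two fields that matter.
EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption"},
]

# Assumption for the example: actions whose use CloudTrail does not record.
NOT_IN_CLOUDTRAIL = {"kms:Decrypt"}

# Alias table: CloudTrail-style "service:EventName" -> IAM action name.
# These two pairs are the mismatches mentioned in the issue thread.
ALIASES = {
    "s3:ListBuckets": "s3:ListAllMyBuckets",
    "s3:PutBucketEncryption": "s3:PutEncryptionConfiguration",
}


def event_to_action(event, aliases):
    """Turn a CloudTrail event into an IAM-style action, applying aliases.

    Simplification: the service prefix is taken as the first label of
    eventSource (e.g. "s3.amazonaws.com" -> "s3").
    """
    service = event["eventSource"].split(".")[0]
    action = f"{service}:{event['eventName']}"
    return aliases.get(action, action)


def diff_privileges(granted, events, aliases, not_logged):
    """Return {action: symbol}, symbol in {"", "-", "?", "+"}.

    IAM action names are matched case-insensitively, because IAM itself treats
    them that way and tools often lowercase event names (cf. s3:putbucketencryption).
    """
    granted_by_key = {g.lower(): g for g in granted}
    used_by_key = {}
    for ev in events:
        action = event_to_action(ev, aliases)
        used_by_key[action.lower()] = action

    result = {}
    for key, name in granted_by_key.items():
        if key in used_by_key:
            result[name] = ""        # granted and used: leave it
        elif name in not_logged:
            result[name] = "?"       # granted, usage unknowable from CloudTrail
        else:
            result[name] = "-"       # granted, not used: candidate for removal
    for key, name in used_by_key.items():
        if key not in granted_by_key:
            result[name] = "+"       # used but not granted (or a name mismatch!)
    return result


def unmatched_used(report):
    """Actions flagged "+": the ones to audit first for event/IAM name mismatches."""
    return sorted(name for name, sym in report.items() if sym == "+")


def render(report):
    """Produce the legend-style listing, one action per line."""
    return "\n".join(f"{sym or ' '} {name}" for name, sym in sorted(report.items()))


if __name__ == "__main__":
    print("--- without aliases (reproduces the reported '+' symptom) ---")
    print(render(diff_privileges(GRANTED, EVENTS, {}, NOT_IN_CLOUDTRAIL)))
    print("--- with aliases ---")
    print(render(diff_privileges(GRANTED, EVENTS, ALIASES, NOT_IN_CLOUDTRAIL)))
```

Without the alias table, `s3:ListAllMyBuckets` is reported as "-" while `s3:ListBuckets` is reported as "+", which is the pattern described in this thread; once the alias maps the CloudTrail name onto the IAM action, the entry becomes "no symbol". In practice, any "+" for a privilege a role demonstrably holds is a signal to compare the raw CloudTrail `eventName` against the IAM action spelling before trusting the diff.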