IAM Dataset
A consolidated series of structured data for cloud identity and access management systems, including datasets for AWS, Azure, and Google Cloud.
It is currently being used to support:
- iamlive
- iamfast
- aws.permissions.cloud
- azure.permissions.cloud
- gcp.permissions.cloud
- claws
- LocalStack
- Access Undenied
Tooling which assists in the generation of some datasources is located in the util/ directory.
AWS
For Amazon Web Services IAM, the primary datasources are map.json and iam_definition.json.
A custom mapping tool is available to accelerate the creation of the map.json file. It is currently hosted at: https://iann0036.github.io/iam-dataset/util/index.html#
map.json
A comprehensive mapping from SDK calls to IAM actions, typically created with the assistance of the mapping tool.
map.json Template Syntax
- `${PropertyName}` - Variable substitution for the `PropertyName` property
- `.` - A property within an object/map
- `[]` - For each value within the array
- `%%urlencode%${PropertyName}%%` - Performs a URL-encoding on the `PropertyName` property
- `%%many%${PropertyName}%${PropertyName2}%${PropertyName3}%%` - For each of the `PropertyName`, `PropertyName2` & `PropertyName3` properties (any length)
- `%%iftemplatematch%${ArnProperty}%%` - Only valid if the template matches the resource type's template
- `%%iftruthy%${PropertyName}%ValueIfTrue%ValueIfFalse%%` - Truthy test
- `%%regex%${PropertyName}%/(.+)/g%%` - Returns first capture group of Regex
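The following is an added example, not code from the iam-dataset project or from the tools that consume map.json (iamlive and iamfast carry their own implementations). It shows one reading of the template syntax above as a small evaluator: given the parameters of one recorded SDK call, it expands a resource template into the concrete ARNs a least-privilege policy would need. Everything beyond the syntax list is an assumption made here: `SAMPLE_PARAMS` is constructed data, an unresolvable `${PropertyName}` falls back to `*`, a `${...}` placeholder in a resource type's template is treated as "any non-empty text", function arguments are split on `%`, and the resource type template used for `%%iftemplatematch%%` is passed in by the caller.

```python
import re
from urllib.parse import quote

# Constructed SDK call parameters, shaped like one recorded boto3 call (sample data, not from the dataset).
SAMPLE_PARAMS = {
    "Bucket": "my-bucket",
    "Key": "reports/2024 q1.csv",
    "InstanceIds": ["i-0abc", "i-0def"],
    "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "team", "Value": "sec"}],
    "RoleArn": "arn:aws:iam::123456789012:role/Deploy",
    "Encrypt": True,
}

# Either a %%function%args%% block or a plain ${PropertyName} reference.
TOKEN = re.compile(r"%%(\w+)%(.*?)%%|\$\{([^}]+)\}")


def resolve(params, path):
    """Walk a dotted path against the call parameters: '.' descends into an
    object/map and a trailing '[]' fans out over every element of an array.
    Returns the scalar values found (empty list if the path does not exist)."""
    values = [params]
    for part in path.split("."):
        each = part.endswith("[]")
        key = part[:-2] if each else part
        nxt = []
        for v in values:
            if isinstance(v, dict) and key in v:
                child = v[key]
                nxt.extend(child if each and isinstance(child, list) else [child])
        values = nxt
    return [v for v in values if not isinstance(v, (dict, list))]


def to_regex(resource_template):
    """Turn a resource-type ARN template into a full-match regex.
    Assumption: every ${...} placeholder in the template matches any non-empty text."""
    parts = re.split(r"\$\{[^}]+\}", resource_template)
    return re.compile("^" + ".+".join(re.escape(p) for p in parts) + "$")


def evaluate(name, args, params, resource_template):
    """Expand one %%name%args%% function into the list of strings it produces."""
    argv = args.split("%")          # caveat: arguments themselves must not contain '%'
    raw = resolve(params, argv[0].strip("${}")) if argv[0].startswith("${") else []
    strs = [str(v) for v in raw]
    if name == "urlencode":
        return [quote(v, safe="") for v in strs] or ["*"]
    if name == "many":              # concatenate the values of each listed property
        return [v for a in argv for v in expand(a, params, resource_template)]
    if name == "iftruthy":          # %%iftruthy%${Prop}%ValueIfTrue%ValueIfFalse%%
        return [argv[1] if any(raw) else argv[2]]
    if name == "regex":             # %%regex%${Prop}%/pattern/flags%% -> first capture group
        pattern = argv[1].rsplit("/", 1)[0].lstrip("/")
        hits = [re.search(pattern, v) for v in strs]
        return [h.group(1) for h in hits if h]
    if name == "iftemplatematch":   # keep the ARN only if it fits the resource type's template
        if resource_template is None:
            return strs
        rx = to_regex(resource_template)
        return [v for v in strs if rx.match(v)]
    raise ValueError(f"unknown template function: {name}")


def expand(template, params, resource_template=None):
    """Expand a map.json resource template into the concrete ARNs for one SDK call.
    Array-valued properties produce one ARN per element (a Cartesian product if
    several fan out); an unresolvable ${PropertyName} becomes '*' (assumption:
    a wildcard is the conservative fallback for a policy generator); a failed
    %%iftemplatematch%% makes the whole template produce no ARNs."""
    results, pos = [""], 0
    for m in TOKEN.finditer(template):
        literal = template[pos:m.start()]
        pos = m.end()
        if m.group(3):
            reps = [str(v) for v in resolve(params, m.group(3))] or ["*"]
        else:
            reps = evaluate(m.group(1), m.group(2), params, resource_template)
        results = [r + literal + rep for r in results for rep in reps]
    return [r + template[pos:] for r in results]


if __name__ == "__main__":
    print(expand("arn:aws:s3:::${Bucket}/%%urlencode%${Key}%%", SAMPLE_PARAMS))
    print(expand("arn:aws:ec2:${Region}:${Account}:instance/${InstanceIds[]}", SAMPLE_PARAMS))
    print(expand("%%many%${Tags[].Key}%${Bucket}%%", SAMPLE_PARAMS))
    print(expand("%%iftruthy%${Encrypt}%aws:kms%AES256%%", SAMPLE_PARAMS))
    print(expand(r"%%regex%${RoleArn}%/:role\/(.+)/g%%", SAMPLE_PARAMS))
    role_template = "arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}"
    print(expand("%%iftemplatematch%${RoleArn}%%", SAMPLE_PARAMS, role_template))
```

The `*` fallback is the point to watch when generating policies from recorded calls: a template whose properties the SDK call never supplied (Region and Account above) silently widens the resource to a wildcard, so review any generated statement containing `*` in the resource rather than trusting it as least privilege.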
iam_definition.json
A scraping of the AWS Service Authorization Reference, the AWS-provided reference of known IAM actions, generated using work from Parliament.
Some post-crawl patches are applied to the scraped data.
managedpolicies/name.json
The details of all AWS Managed Policies, including flags for whether the managed policy contains high-sensitivity actions.
Azure
For Azure, the primary datasource is built-in-roles.json.
provider-operations.json
The direct output of the command `az provider operation list`, which retrieves all operations from all providers.
built-in-roles-raw.json
The output of the command `az role definition list` with a query for all built-in roles.
built-in-roles.json
The aggregation of the built-in roles and the provider operations permitted by those built-in roles.
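An added example (written for this page, not the repository's own util/ tooling) of the aggregation step described above: it resolves the wildcard `actions` and `notActions` of each built-in role definition against the full provider operation list to obtain the concrete control-plane operations a role permits. The two input structures are constructed, trimmed samples in the shape the two `az` commands return (field names such as `roleName`, `roleType`, `permissions`, `resourceTypes` and `operations` are assumed from that output); the role contents are sample data, not the real Azure definitions. Case-insensitive matching is an assumption made here.

```python
import re

# Constructed, trimmed sample in the shape of `az provider operation list` (not the dataset file).
PROVIDER_OPERATIONS = [
    {
        "name": "Microsoft.Compute",
        "operations": [{"name": "Microsoft.Compute/register/action"}],
        "resourceTypes": [
            {"name": "virtualMachines", "operations": [
                {"name": "Microsoft.Compute/virtualMachines/read"},
                {"name": "Microsoft.Compute/virtualMachines/write"},
                {"name": "Microsoft.Compute/virtualMachines/delete"},
                {"name": "Microsoft.Compute/virtualMachines/runCommand/action"},
            ]},
        ],
    },
    {
        "name": "Microsoft.Storage",
        "operations": [],
        "resourceTypes": [
            {"name": "storageAccounts", "operations": [
                {"name": "Microsoft.Storage/storageAccounts/read"},
                {"name": "Microsoft.Storage/storageAccounts/listKeys/action"},
            ]},
        ],
    },
]

# Constructed sample in the shape of `az role definition list`; role contents are invented.
ROLE_DEFINITIONS = [
    {"roleName": "Reader", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Sample VM Operator", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Storage/*/read"],
                      "notActions": ["Microsoft.Compute/virtualMachines/delete"]}]},
    {"roleName": "My Custom Role", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
]


def all_operations(providers):
    """Flatten provider-level and resource-type-level operations into one sorted list."""
    names = set()
    for p in providers:
        names.update(op["name"] for op in p.get("operations", []))
        for rt in p.get("resourceTypes", []):
            names.update(op["name"] for op in rt.get("operations", []))
    return sorted(names)


def matches(pattern, operation):
    """Azure action wildcard: '*' matches any run of characters, including '/'.
    Assumption: operation names are compared case-insensitively."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, operation, re.IGNORECASE) is not None


def expand_role(role, operations):
    """Resolve a role definition to the concrete operations it permits.
    notActions only subtract from this role's own actions; they are not a deny."""
    permitted = set()
    for perm in role["permissions"]:
        granted = {op for op in operations if any(matches(a, op) for a in perm.get("actions", []))}
        excluded = {op for op in operations if any(matches(n, op) for n in perm.get("notActions", []))}
        permitted |= granted - excluded
    return sorted(permitted)


def aggregate(roles, providers):
    """Build a built-in-roles.json style view: roleName -> permitted operations,
    keeping only definitions whose roleType is BuiltInRole."""
    operations = all_operations(providers)
    return {r["roleName"]: expand_role(r, operations) for r in roles if r["roleType"] == "BuiltInRole"}


def roles_permitting(roles, providers, operation):
    """Reverse lookup: which built-in roles can perform one sensitive operation?"""
    return sorted(name for name, ops in aggregate(roles, providers).items() if operation in ops)


if __name__ == "__main__":
    for name, ops in aggregate(ROLE_DEFINITIONS, PROVIDER_OPERATIONS).items():
        print(name, ops)
    print(roles_permitting(ROLE_DEFINITIONS, PROVIDER_OPERATIONS,
                           "Microsoft.Storage/storageAccounts/listKeys/action"))
```

Because the expansion is computed against the current provider operation list, a wildcard action such as `Microsoft.Compute/virtualMachines/*` also covers operations that did not exist when the role was authored; regenerating the aggregation after each provider update is what surfaces that drift.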
Google Cloud
For Google Cloud, the primary datasources are methods.json, permissions.json and role_permissions.json.
predefined_roles.json
The result of the command `gcloud iam roles list`, including deleted roles, showing all predefined roles.
map.json
A map of IAM permissions required for each method. [WORK IN PROGRESS]
methods.json
The combined set of methods extracted from the Google Cloud Go SDK.
methods_ext.json
Same as methods.json, but with parameter information.
permissions.json
IAM Permissions as defined by the online IAM permissions reference.
role_permissions.json
A mapping from each permission to the roles that contain it, including whether the containment is undocumented in the IAM permissions reference.
roles/name.json
The result of the command `gcloud iam roles describe "$name"` for all built-in roles.