### Install and Serve Node.js Dependencies Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema These npm commands are used to install the necessary Node.js dependencies and start a local server to view the generated HTML report. ```bash npm install npm serve ``` -------------------------------- ### Install Cloudsplaining with Homebrew Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/installation Use this command to tap the Cloudsplaining repository and install the tool using Homebrew. ```bash brew tap salesforce/cloudsplaining https://github.com/salesforce/cloudsplaining brew install cloudsplaining ``` -------------------------------- ### Generate Example Report Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/report Run this command from the root directory to generate an example report. This is useful for testing the report functionality without a full scan. ```bash make generate-report ``` -------------------------------- ### Set Up Virtual Environment and Sync Dependencies Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Use this command to create a virtual environment and install project dependencies. ```bash python3 -m venv ./venv && source venv/bin/activate uv sync --frozen ``` -------------------------------- ### Install Project Dependencies Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Install all necessary project dependencies using npm. This command should be run from the root directory of the project. ```bash npm install ``` -------------------------------- ### Install Cloudsplaining with Pip3 Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/installation Use this command to install Cloudsplaining using the Pip3 package manager. ```bash pip3 install --user cloudsplaining ``` -------------------------------- ### Setup Local Development Environment Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Run this command to set up your local Python development environment. ```bash make setup-env ``` -------------------------------- ### Serve Local Development Report Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Start a local development server to view the report application, using sample data. This command leverages preconfigured npm scripts. ```bash # Option 1: npm, as defined in package.json npm run serve # Option 2: Makefile make serve-js ``` -------------------------------- ### Generate Example Report Script Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema This command runs a Python script to generate an example report. This is useful for quickly viewing the latest updates without performing a full scan. ```bash ./utils/generate_example_report.py ``` -------------------------------- ### Serve Javascript Report Locally Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Serve the example Javascript report locally for development purposes. ```bash make serve-js ``` -------------------------------- ### Example IAM Authorization Details JSON Source: https://cloudsplaining.readthedocs.io/en/latest This is an example entry from the raw JSON output file ('default-iam-results.json'). It shows details about an IAM policy, including account ID, policy name, ARN, and the actions/services it covers. This data can be parsed for automated issue tracking. ```json { "example-authz-details": [ { "AccountID": "012345678901", "ManagedBy": "Customer", "PolicyName": "InsecureUserPolicy", "Arn": "arn:aws:iam::012345678901:user/userwithlotsofpermissions", "ActionsCount": 2, "ServicesCount": 1, "Actions": [ "s3:PutObject", "s3:PutObjectAcl" ], "Services": [ "s3" ] } ] } ``` -------------------------------- ### Example Multi-Account Configuration File Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-multiple-accounts A sample `multi-account-config.yml` file showing the format for specifying AWS account IDs. Customize account names and IDs to match your environment. ```yaml accounts: default_account: 123456789012 prod: 123456789013 test: 123456789014 ``` -------------------------------- ### Generate Example IAM Data Script Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema This command executes a Python script to update the example IAM data JSON files. It first updates a local JSON file and then the JavaScript sample data file used by the HTML report. ```bash ./utils/generate_example_iam_data.py ``` -------------------------------- ### Example Scan Policy File Output Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-policy-file This output demonstrates the format of findings when scanning a policy file, highlighting issues like Data Exfiltration and Resource Exposure, along with the associated IAM actions. ```text Issue found: Data Exfiltration Actions: s3:GetObject Issue found: Resource Exposure Actions: ecr:DeleteRepositoryPolicy, ecr:SetRepositoryPolicy, s3:BypassGovernanceRetention, s3:DeleteAccessPointPolicy, s3:DeleteBucketPolicy, s3:ObjectOwnerOverrideToBucketOwner, s3:PutAccessPointPolicy, s3:PutAccountPublicAccessBlock, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutObjectAcl, s3:PutObjectVersionAcl Issue found: Unrestricted Infrastructure Modification Actions: ecr:BatchDeleteImage, ecr:CompleteLayerUpload, ecr:CreateRepository, ecr:DeleteLifecyclePolicy, ecr:DeleteRepository, ecr:DeleteRepositoryPolicy, ecr:InitiateLayerUpload, ecr:PutImage, ecr:PutImageScanningConfiguration, ecr:PutImageTagMutability, ecr:PutLifecyclePolicy, ecr:SetRepositoryPolicy, ecr:StartImageScan, ecr:StartLifecyclePolicyPreview, ecr:TagResource, ecr:UntagResource, ecr:UploadLayerPart, s3:AbortMultipartUpload, s3:BypassGovernanceRetention, s3:CreateAccessPoint, s3:CreateBucket, s3:DeleteAccessPoint, s3:DeleteAccessPointPolicy, s3:DeleteBucket, s3:DeleteBucketPolicy, s3:DeleteBucketWebsite, s3:DeleteObject, s3:DeleteObjectTagging, s3:DeleteObjectVersion, s3:DeleteObjectVersionTagging, s3:GetObject, s3:ObjectOwnerOverrideToBucketOwner, s3:PutAccelerateConfiguration, s3:PutAccessPointPolicy, s3:PutAnalyticsConfiguration, s3:PutBucketAcl, s3:PutBucketCORS, s3:PutBucketLogging, s3:PutBucketNotification, s3:PutBucketObjectLockConfiguration, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutBucketRequestPayment, s3:PutBucketTagging, s3:PutBucketVersioning, s3:PutBucketWebsite, s3:PutEncryptionConfiguration, s3:PutInventoryConfiguration, s3:PutLifecycleConfiguration, s3:PutMetricsConfiguration, s3:PutObject, s3:PutObjectAcl, s3:PutObjectLegalHold, s3:PutObjectRetention, s3:PutObjectTagging, s3:PutObjectVersionAcl, s3:PutObjectVersionTagging, s3:PutReplicationConfiguration, s3:ReplicateDelete, s3:ReplicateObject, s3:ReplicateTags, s3:RestoreObject, s3:UpdateJobPriority, s3:UpdateJobStatus ``` -------------------------------- ### Check Node.js Version Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Verify that the installed Node.js version matches the project's requirement of v14.5.0. ```bash node --version # should return: # v14.5.0 ``` -------------------------------- ### Example JSON Output for Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-account This JSON structure represents the raw data from a cloudsplaining scan, detailing IAM policies, associated actions, and services. It can be used for programmatic analysis and integration with other tools. ```json { "example-authz-details": [ { "AccountID": "012345678901", "ManagedBy": "Customer", "PolicyName": "InsecureUserPolicy", "Arn": "arn:aws:iam::012345678901:user/userwithlotsofpermissions", "ActionsCount": 2, "ServicesCount": 1, "Actions": [ "s3:PutObject", "s3:PutObjectAcl" ], "Services": [ "s3" ] } ] } ``` -------------------------------- ### Create Policy Sentry CRUD Template Source: https://cloudsplaining.readthedocs.io/en/latest/report/remediation Generates a YAML template for Policy Sentry to define CRUD (Create, Read, Update, Delete) access. Use this to start defining your policy's scope. ```bash policy_sentry create-template --output-file crud.yml --template-type crud ``` -------------------------------- ### Add Python Binaries to PATH on macOS Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/troubleshooting If you encounter issues executing Cloudsplaining commands, your system's PATH environment variable might not include the installed binary packages. This command adds the Python 3.7 binary directory to your PATH on macOS. Adjust the Python version if necessary. ```bash export PATH=$HOME/Library/Python/3.7/bin/:$PATH ``` -------------------------------- ### Build Documentation Locally Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Create the documentation files locally. ```bash make build-docs ``` -------------------------------- ### Clone Repository and Set Up Documentation Environment Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/documentation Clone the Cloudsplaining repository and set up the virtual environment for building documentation. This includes syncing dependencies and building the HTML files. ```bash # If you have a fork, you'll want to clone it instead git clone git@github.com:salesforce/cloudsplaining.git # Set up the virtual environment python3 -m venv ./venv && source venv/bin/activate uv sync --frozen # Create the HTML files make build-docs make serve-docs # The above will open the built documentation in your browser ``` -------------------------------- ### Serve Documentation Locally Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Serve the documentation files locally as you edit them. ```bash make serve-docs ``` -------------------------------- ### Generate Sample Report Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Use this Python script to generate a new sample report. The report will be created at /index.html. ```bash python3 ./utils/generate_example_report.py ``` -------------------------------- ### Run Unit Tests Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Execute the project's unit tests. This can be done using either the npm script or the Makefile target. ```bash # Option 1: npm, as defined in package.json npm run test # Option 2: Makefile make test-js ``` -------------------------------- ### Serve JavaScript Locally Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Use this command to serve the application locally for development. Access the application at http://localhost:8080. ```bash npm serve # You can then access the application over http://localhost:8080 ``` -------------------------------- ### Build JavaScript Bundle Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript Generate the production-ready JavaScript bundle for the application. This command is available via npm scripts or the Makefile. ```bash # Option 1: npm, as defined in package.json npm build # Option 2: Makefile make build-js ``` -------------------------------- ### Download Account Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/download Run this command to download account authorization details. Ensure you are authenticated to AWS and have the necessary IAM permissions. ```bash cloudsplaining download ``` -------------------------------- ### Download Account Authorization Details with Profile Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/download Use this command to download account authorization details when using a specific AWS profile from your `~/.aws/credentials` file. ```bash cloudsplaining download --profile myprofile ``` -------------------------------- ### Create Multi-Account Configuration File Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-multiple-accounts Generates a template YAML file for defining AWS accounts to be scanned. Edit this file to include your desired account names and IDs. ```bash cloudsplaining create-multi-account-config-file \ -o multi-account-config.yml ``` -------------------------------- ### Run Cloudsplaining Scan with Exclusions File Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/create-exclusions-file After creating an exclusions file, use this command to include it in your Cloudsplaining scan. This ensures that context-dependent findings are correctly filtered. ```bash cloudsplaining scan --exclusions-file exclusions.yml --input-file examples/files/example.json --output examples/files/ ``` -------------------------------- ### Generate Javascript Bundle Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Generate the updated Javascript bundle. ```bash make build-js ``` -------------------------------- ### Update Project Version Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/versioning Edit the `version.py` file to update the version variable. This change is automatically picked up by `setup.py` and the Click version option. ```python __version__ = '0.0.1' # EDIT THIS ``` -------------------------------- ### Generate Exclusions File Template Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/create-exclusions-file Use this command to create a template for your exclusions file. This file helps eliminate context-dependent false positives. ```bash cloudsplaining create-exclusions-file ``` -------------------------------- ### Run Javascript Unit Tests Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Execute unit tests for the Javascript code. ```bash make test-js ``` -------------------------------- ### Scan IAM Policy File with Cloudsplaining Source: https://cloudsplaining.readthedocs.io/en/latest/report/validation Use this command to scan a single JSON policy file with Cloudsplaining. Ensure you have the policy file and an optional exclusions file ready. ```bash cloudsplaining scan-policy-file --input-file policy.json --exclusions-file exclusions.yml ``` -------------------------------- ### Run Jira Ticket Automation Script Source: https://cloudsplaining.readthedocs.io/en/latest/appendices/jira-ticket-automation Execute the `open_jira_ticket.py` script with specified project, authentication, report, triage, data files, and Jira server URL. ```bash python open_jira_ticket.py \ --project PROJ \ --auth-file authz.json \ --report-file report.html \ --triage-file triage.csv \ --data-file data.json \ --server http://myserver.atlassian.net ``` -------------------------------- ### Build JavaScript Bundles Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript This command builds new JavaScript bundle files using webpack. It generates bundled application code and dependency bundles. ```bash npm build ``` -------------------------------- ### Run Python Security Tests Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/testing Execute all Python security tests locally. This command should be run from the root of the repository. ```bash make security-test ``` -------------------------------- ### Format and Lint Python Code Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Automatically format and lint the Python code using ruff. ```bash prek run -a ``` -------------------------------- ### Generate Report Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Generate the updated report. ```bash make generate-report ``` -------------------------------- ### Download Account Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/overview Downloads the Account Authorization details JSON file for a specified AWS profile. ```bash cloudsplaining download --profile default --output default-account-details.json ``` -------------------------------- ### Download AWS Account Authorization Details with Specific Profile Source: https://cloudsplaining.readthedocs.io/en/latest Use this command to download AWS account authorization details when using a specific profile from your `~/.aws/credentials` file. This allows for targeted credential usage. ```bash cloudsplaining download --profile myprofile ``` -------------------------------- ### Scan a Single Policy File Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-policy-file Use this command to scan a specific IAM policy file for security risks. The output will detail findings and list IAM actions that do not leverage resource constraints. ```bash cloudsplaining scan-policy-file --input-file examples/policies/explicit-actions.json ``` -------------------------------- ### Create Custom Exclusions File Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/overview Generates a custom exclusions file in YAML format to filter out false positives. ```bash cloudsplaining create-exclusions-file --output-file exclusions.yml ``` -------------------------------- ### Run Python Unit Tests Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python Execute unit tests for the Python code using pytest. ```bash make test ``` -------------------------------- ### Scan Account Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/overview Scans the Account Authorization details using a specified input file and exclusions file. Generates an HTML report and a raw JSON data file. ```bash cloudsplaining scan --input-file default-account-details.json --exclusions-file exclusions.yml ``` -------------------------------- ### Scan AWS Account Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-account Use this command to scan all AWS IAM policies from a downloaded account authorization file. Specify exclusion and input files, and an output directory for the report. ```bash cloudsplaining scan --exclusions-file exclusions.yml --input-file examples/files/example.json --output examples/files/ ``` -------------------------------- ### Download AWS Account Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest This command downloads IAM authorization details for an entire AWS account, which is necessary for comprehensive account scanning. Ensure your AWS credentials and IAM permissions (e.g., iam:GetAccountAuthorizationDetails) are configured. ```bash cloudsplaining download ``` -------------------------------- ### Write Policy Sentry Policy Source: https://cloudsplaining.readthedocs.io/en/latest/report/remediation Generates a secure IAM policy based on a provided YAML input file. This command automates the creation of policies with resource ARN constraints. ```bash policy_sentry write-policy --input-file crud.yml ``` -------------------------------- ### Python Class for Authorization Details Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema This Python code defines the `AuthorizationDetails` class, which is responsible for generating the JSON data file. It includes a `results` property that structures the IAM data into a dictionary. ```python class AuthorizationDetails: """ Represents the entire JSON file generated by the aws iam get-account-authorization-details command. """ #... #... @property def results(self): """Get the new JSON format of the Principals data""" results = { "groups": self.group_detail_list.json, "users": self.user_detail_list.json, "roles": self.role_detail_list.json, "aws_managed_policies": self.policies.json_large_aws_managed, "customer_managed_policies": self.policies.json_large_customer_managed, "inline_policies": self.inline_policies, "exclusions": self.exclusions.config } return results ``` -------------------------------- ### Scan Multiple Accounts Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-multiple-accounts Executes a Cloudsplaining scan across multiple AWS accounts defined in a configuration file. Specify the AWS credentials profile, the role name to assume in target accounts, and an S3 bucket for storing results. ```bash cloudsplaining scan-multi-account \ -c multi-account-config.yml \ --profile scanning-user \ --role-name CommonSecurityRole \ --output-bucket my-results-bucket ``` -------------------------------- ### Lint IAM Policies with Parliament Source: https://cloudsplaining.readthedocs.io/en/latest/report/validation Use Parliament to lint your IAM policy file for common issues like malformed JSON, incorrect elements, and bad policy patterns. This command reviews the specified policy file. ```bash parliament --file policy.json ``` -------------------------------- ### Cloudsplaining Template HTML Structure Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript This HTML structure is used by Cloudsplaining to inject scan results and JavaScript bundles. It utilizes Jinja2 templating for dynamic content. ```html <-- NOTE: The **contents** of the `chunk-vendors.js` file, which contains the javascript code for third party dependencies (compiled with webpack) is injected here--> <-- NOTE: The **contents** of the `index.bundle.js` file, which contains the application code (compiled with webpack) is injected here--> ``` -------------------------------- ### List of Resource Exposure Actions Source: https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure This is a comprehensive list of AWS actions considered to be 'Resource Exposure' actions. These actions can modify resource policies or otherwise expose AWS resources. ```text acm-pca:CreatePermission acm-pca:DeletePermission acm-pca:DeletePolicy acm-pca:PutPolicy apigateway:UpdateRestApiPolicy backup:DeleteBackupVaultAccessPolicy backup:PutBackupVaultAccessPolicy chime:DeleteVoiceConnectorTerminationCredentials chime:PutVoiceConnectorTerminationCredentials cloudformation:SetStackPolicy cloudsearch:UpdateServiceAccessPolicies codeartifact:DeleteDomainPermissionsPolicy codeartifact:DeleteRepositoryPermissionsPolicy codebuild:DeleteResourcePolicy codebuild:DeleteSourceCredentials codebuild:ImportSourceCredentials codebuild:PutResourcePolicy codeguru-profiler:PutPermission codeguru-profiler:RemovePermission codestar:AssociateTeamMember codestar:CreateProject codestar:DeleteProject codestar:DisassociateTeamMember codestar:UpdateTeamMember cognito-identity:CreateIdentityPool cognito-identity:DeleteIdentities cognito-identity:DeleteIdentityPool cognito-identity:GetId cognito-identity:MergeDeveloperIdentities cognito-identity:SetIdentityPoolRoles cognito-identity:UnlinkDeveloperIdentity cognito-identity:UnlinkIdentity cognito-identity:UpdateIdentityPool deeplens:AssociateServiceRoleToAccount ds:CreateConditionalForwarder ds:CreateDirectory ds:CreateMicrosoftAD ds:CreateTrust ds:ShareDirectory ec2:CreateNetworkInterfacePermission ec2:DeleteNetworkInterfacePermission ec2:ModifySnapshotAttribute ec2:ModifyVpcEndpointServicePermissions ec2:ResetSnapshotAttribute ecr:DeleteRepositoryPolicy ecr:SetRepositoryPolicy elasticfilesystem:DeleteFileSystemPolicy elasticfilesystem:PutFileSystemPolicy elasticmapreduce:PutBlockPublicAccessConfiguration es:CreateElasticsearchDomain es:UpdateElasticsearchDomainConfig glacier:AbortVaultLock glacier:CompleteVaultLock glacier:DeleteVaultAccessPolicy glacier:InitiateVaultLock glacier:SetDataRetrievalPolicy glacier:SetVaultAccessPolicy glue:DeleteResourcePolicy glue:PutResourcePolicy greengrass:AssociateServiceRoleToAccount health:DisableHealthServiceAccessForOrganization health:EnableHealthServiceAccessForOrganization iam:AddClientIDToOpenIDConnectProvider iam:AddRoleToInstanceProfile iam:AddUserToGroup iam:AttachGroupPolicy iam:AttachRolePolicy iam:AttachUserPolicy iam:ChangePassword iam:CreateAccessKey iam:CreateAccountAlias iam:CreateGroup iam:CreateInstanceProfile iam:CreateLoginProfile iam:CreateOpenIDConnectProvider iam:CreatePolicy iam:CreatePolicyVersion iam:CreateRole iam:CreateSAMLProvider iam:CreateServiceLinkedRole iam:CreateServiceSpecificCredential iam:CreateUser iam:CreateVirtualMFADevice iam:DeactivateMFADevice iam:DeleteAccessKey iam:DeleteAccountAlias iam:DeleteAccountPasswordPolicy iam:DeleteGroup iam:DeleteGroupPolicy iam:DeleteInstanceProfile iam:DeleteLoginProfile iam:DeleteOpenIDConnectProvider iam:DeletePolicy iam:DeletePolicyVersion iam:DeleteRole iam:DeleteRolePermissionsBoundary iam:DeleteRolePolicy iam:DeleteSAMLProvider iam:DeleteSSHPublicKey iam:DeleteServerCertificate iam:DeleteServiceLinkedRole iam:DeleteServiceSpecificCredential iam:DeleteSigningCertificate iam:DeleteUser iam:DeleteUserPermissionsBoundary iam:DeleteUserPolicy iam:DeleteVirtualMFADevice iam:DetachGroupPolicy iam:DetachRolePolicy iam:DetachUserPolicy iam:EnableMFADevice iam:PassRole iam:PutGroupPolicy iam:PutRolePermissionsBoundary iam:PutRolePolicy iam:PutUserPermissionsBoundary iam:PutUserPolicy iam:RemoveClientIDFromOpenIDConnectProvider iam:RemoveRoleFromInstanceProfile iam:RemoveUserFromGroup iam:ResetServiceSpecificCredential iam:ResyncMFADevice iam:SetDefaultPolicyVersion iam:SetSecurityTokenServicePreferences iam:UpdateAccessKey iam:UpdateAccountPasswordPolicy iam:UpdateAssumeRolePolicy iam:UpdateGroup iam:UpdateLoginProfile iam:UpdateOpenIDConnectProviderThumbprint iam:UpdateRole iam:UpdateRoleDescription iam:UpdateSAMLProvider iam:UpdateSSHPublicKey iam:UpdateServerCertificate iam:UpdateServiceSpecificCredential iam:UpdateSigningCertificate iam:UpdateUser iam:UploadSSHPublicKey ``` -------------------------------- ### Required AWS IAM Policy for Download Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/download This JSON policy grants the minimum required permissions for the `cloudsplaining download` command to run successfully, specifically allowing the `iam:GetAccountAuthorizationDetails` action. ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:GetAccountAuthorizationDetails" ], "Resource": "*" } ] } ``` -------------------------------- ### Default Exclusions File Structure Source: https://cloudsplaining.readthedocs.io/en/latest This is the default structure of the 'exclusions.yml' file. It allows you to specify policies, roles, users, and groups to exclude from evaluation, as well as actions to include or exclude. ```yaml # Policy names to exclude from evaluation # Suggestion: Add policies here that are known to be overly permissive by design, after you run the initial report. policies: - "AWSServiceRoleFor*" - "*ServiceRolePolicy" - "*ServiceLinkedRolePolicy" - "AdministratorAccess" # Otherwise, this will take a long time - "service-role*" - "aws-service-role*" # Don't evaluate these roles, users, or groups as part of the evaluation roles: - "service-role*" - "aws-service-role*" users: - "" groups: - "" # Read-only actions to include in the results, such as s3:GetObject # By default, it includes Actions that could lead to Data Exfiltration include-actions: - "s3:GetObject" - "ssm:GetParameter" - "ssm:GetParameters" - "ssm:GetParametersByPath" - "secretsmanager:GetSecretValue" # Write actions to include from the results, such as kms:Decrypt exclude-actions: - "" ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.