### Install and Serve Node.js Dependencies
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema
These npm commands are used to install the necessary Node.js dependencies and start a local server to view the generated HTML report.
```bash
npm install
npm serve
```
--------------------------------
### Install Cloudsplaining with Homebrew
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/installation
Use this command to tap the Cloudsplaining repository and install the tool using Homebrew.
```bash
brew tap salesforce/cloudsplaining https://github.com/salesforce/cloudsplaining
brew install cloudsplaining
```
--------------------------------
### Generate Example Report
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/report
Run this command from the root directory to generate an example report. This is useful for testing the report functionality without a full scan.
```bash
make generate-report
```
--------------------------------
### Set Up Virtual Environment and Sync Dependencies
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Use this command to create a virtual environment and install project dependencies.
```bash
python3 -m venv ./venv && source venv/bin/activate
uv sync --frozen
```
--------------------------------
### Install Project Dependencies
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Install all necessary project dependencies using npm. This command should be run from the root directory of the project.
```bash
npm install
```
--------------------------------
### Install Cloudsplaining with Pip3
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/installation
Use this command to install Cloudsplaining using the Pip3 package manager.
```bash
pip3 install --user cloudsplaining
```
--------------------------------
### Setup Local Development Environment
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Run this command to set up your local Python development environment.
```bash
make setup-env
```
--------------------------------
### Serve Local Development Report
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Start a local development server to view the report application, using sample data. This command leverages preconfigured npm scripts.
```bash
# Option 1: npm, as defined in package.json
npm run serve
# Option 2: Makefile
make serve-js
```
--------------------------------
### Generate Example Report Script
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema
This command runs a Python script to generate an example report. This is useful for quickly viewing the latest updates without performing a full scan.
```bash
./utils/generate_example_report.py
```
--------------------------------
### Serve Javascript Report Locally
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Serve the example Javascript report locally for development purposes.
```bash
make serve-js
```
--------------------------------
### Example IAM Authorization Details JSON
Source: https://cloudsplaining.readthedocs.io/en/latest
This is an example entry from the raw JSON output file ('default-iam-results.json'). It shows details about an IAM policy, including account ID, policy name, ARN, and the actions/services it covers. This data can be parsed for automated issue tracking.
```json
{
"example-authz-details": [
{
"AccountID": "012345678901",
"ManagedBy": "Customer",
"PolicyName": "InsecureUserPolicy",
"Arn": "arn:aws:iam::012345678901:user/userwithlotsofpermissions",
"ActionsCount": 2,
"ServicesCount": 1,
"Actions": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Services": [
"s3"
]
}
]
}
```
--------------------------------
### Example Multi-Account Configuration File
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-multiple-accounts
A sample `multi-account-config.yml` file showing the format for specifying AWS account IDs. Customize account names and IDs to match your environment.
```yaml
accounts:
default_account: 123456789012
prod: 123456789013
test: 123456789014
```
--------------------------------
### Generate Example IAM Data Script
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema
This command executes a Python script to update the example IAM data JSON files. It first updates a local JSON file and then the JavaScript sample data file used by the HTML report.
```bash
./utils/generate_example_iam_data.py
```
--------------------------------
### Example Scan Policy File Output
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-policy-file
This output demonstrates the format of findings when scanning a policy file, highlighting issues like Data Exfiltration and Resource Exposure, along with the associated IAM actions.
```text
Issue found: Data Exfiltration
Actions: s3:GetObject
Issue found: Resource Exposure
Actions: ecr:DeleteRepositoryPolicy, ecr:SetRepositoryPolicy, s3:BypassGovernanceRetention, s3:DeleteAccessPointPolicy, s3:DeleteBucketPolicy, s3:ObjectOwnerOverrideToBucketOwner, s3:PutAccessPointPolicy, s3:PutAccountPublicAccessBlock, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutObjectAcl, s3:PutObjectVersionAcl
Issue found: Unrestricted Infrastructure Modification
Actions: ecr:BatchDeleteImage, ecr:CompleteLayerUpload, ecr:CreateRepository, ecr:DeleteLifecyclePolicy, ecr:DeleteRepository, ecr:DeleteRepositoryPolicy, ecr:InitiateLayerUpload, ecr:PutImage, ecr:PutImageScanningConfiguration, ecr:PutImageTagMutability, ecr:PutLifecyclePolicy, ecr:SetRepositoryPolicy, ecr:StartImageScan, ecr:StartLifecyclePolicyPreview, ecr:TagResource, ecr:UntagResource, ecr:UploadLayerPart, s3:AbortMultipartUpload, s3:BypassGovernanceRetention, s3:CreateAccessPoint, s3:CreateBucket, s3:DeleteAccessPoint, s3:DeleteAccessPointPolicy, s3:DeleteBucket, s3:DeleteBucketPolicy, s3:DeleteBucketWebsite, s3:DeleteObject, s3:DeleteObjectTagging, s3:DeleteObjectVersion, s3:DeleteObjectVersionTagging, s3:GetObject, s3:ObjectOwnerOverrideToBucketOwner, s3:PutAccelerateConfiguration, s3:PutAccessPointPolicy, s3:PutAnalyticsConfiguration, s3:PutBucketAcl, s3:PutBucketCORS, s3:PutBucketLogging, s3:PutBucketNotification, s3:PutBucketObjectLockConfiguration, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutBucketRequestPayment, s3:PutBucketTagging, s3:PutBucketVersioning, s3:PutBucketWebsite, s3:PutEncryptionConfiguration, s3:PutInventoryConfiguration, s3:PutLifecycleConfiguration, s3:PutMetricsConfiguration, s3:PutObject, s3:PutObjectAcl, s3:PutObjectLegalHold, s3:PutObjectRetention, s3:PutObjectTagging, s3:PutObjectVersionAcl, s3:PutObjectVersionTagging, s3:PutReplicationConfiguration, s3:ReplicateDelete, s3:ReplicateObject, s3:ReplicateTags, s3:RestoreObject, s3:UpdateJobPriority, s3:UpdateJobStatus
```
--------------------------------
### Check Node.js Version
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Verify that the installed Node.js version matches the project's requirement of v14.5.0.
```bash
node --version
# should return:
# v14.5.0
```
--------------------------------
### Example JSON Output for Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-account
This JSON structure represents the raw data from a cloudsplaining scan, detailing IAM policies, associated actions, and services. It can be used for programmatic analysis and integration with other tools.
```json
{
"example-authz-details": [
{
"AccountID": "012345678901",
"ManagedBy": "Customer",
"PolicyName": "InsecureUserPolicy",
"Arn": "arn:aws:iam::012345678901:user/userwithlotsofpermissions",
"ActionsCount": 2,
"ServicesCount": 1,
"Actions": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Services": [
"s3"
]
}
]
}
```
--------------------------------
### Create Policy Sentry CRUD Template
Source: https://cloudsplaining.readthedocs.io/en/latest/report/remediation
Generates a YAML template for Policy Sentry to define CRUD (Create, Read, Update, Delete) access. Use this to start defining your policy's scope.
```bash
policy_sentry create-template --output-file crud.yml --template-type crud
```
--------------------------------
### Add Python Binaries to PATH on macOS
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/troubleshooting
If you encounter issues executing Cloudsplaining commands, your system's PATH environment variable might not include the installed binary packages. This command adds the Python 3.7 binary directory to your PATH on macOS. Adjust the Python version if necessary.
```bash
export PATH=$HOME/Library/Python/3.7/bin/:$PATH
```
--------------------------------
### Build Documentation Locally
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Create the documentation files locally.
```bash
make build-docs
```
--------------------------------
### Clone Repository and Set Up Documentation Environment
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/documentation
Clone the Cloudsplaining repository and set up the virtual environment for building documentation. This includes syncing dependencies and building the HTML files.
```bash
# If you have a fork, you'll want to clone it instead
git clone git@github.com:salesforce/cloudsplaining.git
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
uv sync --frozen
# Create the HTML files
make build-docs
make serve-docs
# The above will open the built documentation in your browser
```
--------------------------------
### Serve Documentation Locally
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Serve the documentation files locally as you edit them.
```bash
make serve-docs
```
--------------------------------
### Generate Sample Report
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Use this Python script to generate a new sample report. The report will be created at /index.html.
```bash
python3 ./utils/generate_example_report.py
```
--------------------------------
### Run Unit Tests
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Execute the project's unit tests. This can be done using either the npm script or the Makefile target.
```bash
# Option 1: npm, as defined in package.json
npm run test
# Option 2: Makefile
make test-js
```
--------------------------------
### Serve JavaScript Locally
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Use this command to serve the application locally for development. Access the application at http://localhost:8080.
```bash
npm serve
# You can then access the application over http://localhost:8080
```
--------------------------------
### Build JavaScript Bundle
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
Generate the production-ready JavaScript bundle for the application. This command is available via npm scripts or the Makefile.
```bash
# Option 1: npm, as defined in package.json
npm build
# Option 2: Makefile
make build-js
```
--------------------------------
### Download Account Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/download
Run this command to download account authorization details. Ensure you are authenticated to AWS and have the necessary IAM permissions.
```bash
cloudsplaining download
```
--------------------------------
### Download Account Authorization Details with Profile
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/download
Use this command to download account authorization details when using a specific AWS profile from your `~/.aws/credentials` file.
```bash
cloudsplaining download --profile myprofile
```
--------------------------------
### Create Multi-Account Configuration File
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-multiple-accounts
Generates a template YAML file for defining AWS accounts to be scanned. Edit this file to include your desired account names and IDs.
```bash
cloudsplaining create-multi-account-config-file \
-o multi-account-config.yml
```
--------------------------------
### Run Cloudsplaining Scan with Exclusions File
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/create-exclusions-file
After creating an exclusions file, use this command to include it in your Cloudsplaining scan. This ensures that context-dependent findings are correctly filtered.
```bash
cloudsplaining scan --exclusions-file exclusions.yml --input-file examples/files/example.json --output examples/files/
```
--------------------------------
### Generate Javascript Bundle
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Generate the updated Javascript bundle.
```bash
make build-js
```
--------------------------------
### Update Project Version
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/versioning
Edit the `version.py` file to update the version variable. This change is automatically picked up by `setup.py` and the Click version option.
```python
__version__ = '0.0.1' # EDIT THIS
```
--------------------------------
### Generate Exclusions File Template
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/create-exclusions-file
Use this command to create a template for your exclusions file. This file helps eliminate context-dependent false positives.
```bash
cloudsplaining create-exclusions-file
```
--------------------------------
### Run Javascript Unit Tests
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Execute unit tests for the Javascript code.
```bash
make test-js
```
--------------------------------
### Scan IAM Policy File with Cloudsplaining
Source: https://cloudsplaining.readthedocs.io/en/latest/report/validation
Use this command to scan a single JSON policy file with Cloudsplaining. Ensure you have the policy file and an optional exclusions file ready.
```bash
cloudsplaining scan-policy-file --input-file policy.json --exclusions-file exclusions.yml
```
--------------------------------
### Run Jira Ticket Automation Script
Source: https://cloudsplaining.readthedocs.io/en/latest/appendices/jira-ticket-automation
Execute the `open_jira_ticket.py` script with specified project, authentication, report, triage, data files, and Jira server URL.
```bash
python open_jira_ticket.py \
--project PROJ \
--auth-file authz.json \
--report-file report.html \
--triage-file triage.csv \
--data-file data.json \
--server http://myserver.atlassian.net
```
--------------------------------
### Build JavaScript Bundles
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
This command builds new JavaScript bundle files using webpack. It generates bundled application code and dependency bundles.
```bash
npm build
```
--------------------------------
### Run Python Security Tests
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/testing
Execute all Python security tests locally. This command should be run from the root of the repository.
```bash
make security-test
```
--------------------------------
### Format and Lint Python Code
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Automatically format and lint the Python code using ruff.
```bash
prek run -a
```
--------------------------------
### Generate Report
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Generate the updated report.
```bash
make generate-report
```
--------------------------------
### Download Account Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/overview
Downloads the Account Authorization details JSON file for a specified AWS profile.
```bash
cloudsplaining download --profile default --output default-account-details.json
```
--------------------------------
### Download AWS Account Authorization Details with Specific Profile
Source: https://cloudsplaining.readthedocs.io/en/latest
Use this command to download AWS account authorization details when using a specific profile from your `~/.aws/credentials` file. This allows for targeted credential usage.
```bash
cloudsplaining download --profile myprofile
```
--------------------------------
### Scan a Single Policy File
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-policy-file
Use this command to scan a specific IAM policy file for security risks. The output will detail findings and list IAM actions that do not leverage resource constraints.
```bash
cloudsplaining scan-policy-file --input-file examples/policies/explicit-actions.json
```
--------------------------------
### Create Custom Exclusions File
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/overview
Generates a custom exclusions file in YAML format to filter out false positives.
```bash
cloudsplaining create-exclusions-file --output-file exclusions.yml
```
--------------------------------
### Run Python Unit Tests
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/python
Execute unit tests for the Python code using pytest.
```bash
make test
```
--------------------------------
### Scan Account Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/overview
Scans the Account Authorization details using a specified input file and exclusions file. Generates an HTML report and a raw JSON data file.
```bash
cloudsplaining scan --input-file default-account-details.json --exclusions-file exclusions.yml
```
--------------------------------
### Scan AWS Account Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-account
Use this command to scan all AWS IAM policies from a downloaded account authorization file. Specify exclusion and input files, and an output directory for the report.
```bash
cloudsplaining scan --exclusions-file exclusions.yml --input-file examples/files/example.json --output examples/files/
```
--------------------------------
### Download AWS Account Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest
This command downloads IAM authorization details for an entire AWS account, which is necessary for comprehensive account scanning. Ensure your AWS credentials and IAM permissions (e.g., iam:GetAccountAuthorizationDetails) are configured.
```bash
cloudsplaining download
```
--------------------------------
### Write Policy Sentry Policy
Source: https://cloudsplaining.readthedocs.io/en/latest/report/remediation
Generates a secure IAM policy based on a provided YAML input file. This command automates the creation of policies with resource ARN constraints.
```bash
policy_sentry write-policy --input-file crud.yml
```
--------------------------------
### Python Class for Authorization Details
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/results-json-schema
This Python code defines the `AuthorizationDetails` class, which is responsible for generating the JSON data file. It includes a `results` property that structures the IAM data into a dictionary.
```python
class AuthorizationDetails:
"""
Represents the entire JSON file generated by the aws iam get-account-authorization-details command.
"""
#...
#...
@property
def results(self):
"""Get the new JSON format of the Principals data"""
results = {
"groups": self.group_detail_list.json,
"users": self.user_detail_list.json,
"roles": self.role_detail_list.json,
"aws_managed_policies": self.policies.json_large_aws_managed,
"customer_managed_policies": self.policies.json_large_customer_managed,
"inline_policies": self.inline_policies,
"exclusions": self.exclusions.config
}
return results
```
--------------------------------
### Scan Multiple Accounts
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/scan-multiple-accounts
Executes a Cloudsplaining scan across multiple AWS accounts defined in a configuration file. Specify the AWS credentials profile, the role name to assume in target accounts, and an S3 bucket for storing results.
```bash
cloudsplaining scan-multi-account \
-c multi-account-config.yml \
--profile scanning-user \
--role-name CommonSecurityRole \
--output-bucket my-results-bucket
```
--------------------------------
### Lint IAM Policies with Parliament
Source: https://cloudsplaining.readthedocs.io/en/latest/report/validation
Use Parliament to lint your IAM policy file for common issues like malformed JSON, incorrect elements, and bad policy patterns. This command reviews the specified policy file.
```bash
parliament --file policy.json
```
--------------------------------
### Cloudsplaining Template HTML Structure
Source: https://cloudsplaining.readthedocs.io/en/latest/contributing/javascript
This HTML structure is used by Cloudsplaining to inject scan results and JavaScript bundles. It utilizes Jinja2 templating for dynamic content.
```html
<-- NOTE: The **contents** of the `chunk-vendors.js` file, which contains the javascript code for third party dependencies (compiled with webpack) is injected here-->
<-- NOTE: The **contents** of the `index.bundle.js` file, which contains the application code (compiled with webpack) is injected here-->
```
--------------------------------
### List of Resource Exposure Actions
Source: https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure
This is a comprehensive list of AWS actions considered to be 'Resource Exposure' actions. These actions can modify resource policies or otherwise expose AWS resources.
```text
acm-pca:CreatePermission
acm-pca:DeletePermission
acm-pca:DeletePolicy
acm-pca:PutPolicy
apigateway:UpdateRestApiPolicy
backup:DeleteBackupVaultAccessPolicy
backup:PutBackupVaultAccessPolicy
chime:DeleteVoiceConnectorTerminationCredentials
chime:PutVoiceConnectorTerminationCredentials
cloudformation:SetStackPolicy
cloudsearch:UpdateServiceAccessPolicies
codeartifact:DeleteDomainPermissionsPolicy
codeartifact:DeleteRepositoryPermissionsPolicy
codebuild:DeleteResourcePolicy
codebuild:DeleteSourceCredentials
codebuild:ImportSourceCredentials
codebuild:PutResourcePolicy
codeguru-profiler:PutPermission
codeguru-profiler:RemovePermission
codestar:AssociateTeamMember
codestar:CreateProject
codestar:DeleteProject
codestar:DisassociateTeamMember
codestar:UpdateTeamMember
cognito-identity:CreateIdentityPool
cognito-identity:DeleteIdentities
cognito-identity:DeleteIdentityPool
cognito-identity:GetId
cognito-identity:MergeDeveloperIdentities
cognito-identity:SetIdentityPoolRoles
cognito-identity:UnlinkDeveloperIdentity
cognito-identity:UnlinkIdentity
cognito-identity:UpdateIdentityPool
deeplens:AssociateServiceRoleToAccount
ds:CreateConditionalForwarder
ds:CreateDirectory
ds:CreateMicrosoftAD
ds:CreateTrust
ds:ShareDirectory
ec2:CreateNetworkInterfacePermission
ec2:DeleteNetworkInterfacePermission
ec2:ModifySnapshotAttribute
ec2:ModifyVpcEndpointServicePermissions
ec2:ResetSnapshotAttribute
ecr:DeleteRepositoryPolicy
ecr:SetRepositoryPolicy
elasticfilesystem:DeleteFileSystemPolicy
elasticfilesystem:PutFileSystemPolicy
elasticmapreduce:PutBlockPublicAccessConfiguration
es:CreateElasticsearchDomain
es:UpdateElasticsearchDomainConfig
glacier:AbortVaultLock
glacier:CompleteVaultLock
glacier:DeleteVaultAccessPolicy
glacier:InitiateVaultLock
glacier:SetDataRetrievalPolicy
glacier:SetVaultAccessPolicy
glue:DeleteResourcePolicy
glue:PutResourcePolicy
greengrass:AssociateServiceRoleToAccount
health:DisableHealthServiceAccessForOrganization
health:EnableHealthServiceAccessForOrganization
iam:AddClientIDToOpenIDConnectProvider
iam:AddRoleToInstanceProfile
iam:AddUserToGroup
iam:AttachGroupPolicy
iam:AttachRolePolicy
iam:AttachUserPolicy
iam:ChangePassword
iam:CreateAccessKey
iam:CreateAccountAlias
iam:CreateGroup
iam:CreateInstanceProfile
iam:CreateLoginProfile
iam:CreateOpenIDConnectProvider
iam:CreatePolicy
iam:CreatePolicyVersion
iam:CreateRole
iam:CreateSAMLProvider
iam:CreateServiceLinkedRole
iam:CreateServiceSpecificCredential
iam:CreateUser
iam:CreateVirtualMFADevice
iam:DeactivateMFADevice
iam:DeleteAccessKey
iam:DeleteAccountAlias
iam:DeleteAccountPasswordPolicy
iam:DeleteGroup
iam:DeleteGroupPolicy
iam:DeleteInstanceProfile
iam:DeleteLoginProfile
iam:DeleteOpenIDConnectProvider
iam:DeletePolicy
iam:DeletePolicyVersion
iam:DeleteRole
iam:DeleteRolePermissionsBoundary
iam:DeleteRolePolicy
iam:DeleteSAMLProvider
iam:DeleteSSHPublicKey
iam:DeleteServerCertificate
iam:DeleteServiceLinkedRole
iam:DeleteServiceSpecificCredential
iam:DeleteSigningCertificate
iam:DeleteUser
iam:DeleteUserPermissionsBoundary
iam:DeleteUserPolicy
iam:DeleteVirtualMFADevice
iam:DetachGroupPolicy
iam:DetachRolePolicy
iam:DetachUserPolicy
iam:EnableMFADevice
iam:PassRole
iam:PutGroupPolicy
iam:PutRolePermissionsBoundary
iam:PutRolePolicy
iam:PutUserPermissionsBoundary
iam:PutUserPolicy
iam:RemoveClientIDFromOpenIDConnectProvider
iam:RemoveRoleFromInstanceProfile
iam:RemoveUserFromGroup
iam:ResetServiceSpecificCredential
iam:ResyncMFADevice
iam:SetDefaultPolicyVersion
iam:SetSecurityTokenServicePreferences
iam:UpdateAccessKey
iam:UpdateAccountPasswordPolicy
iam:UpdateAssumeRolePolicy
iam:UpdateGroup
iam:UpdateLoginProfile
iam:UpdateOpenIDConnectProviderThumbprint
iam:UpdateRole
iam:UpdateRoleDescription
iam:UpdateSAMLProvider
iam:UpdateSSHPublicKey
iam:UpdateServerCertificate
iam:UpdateServiceSpecificCredential
iam:UpdateSigningCertificate
iam:UpdateUser
iam:UploadSSHPublicKey
```
--------------------------------
### Required AWS IAM Policy for Download
Source: https://cloudsplaining.readthedocs.io/en/latest/user-guide/download
This JSON policy grants the minimum required permissions for the `cloudsplaining download` command to run successfully, specifically allowing the `iam:GetAccountAuthorizationDetails` action.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetAccountAuthorizationDetails"
],
"Resource": "*"
}
]
}
```
--------------------------------
### Default Exclusions File Structure
Source: https://cloudsplaining.readthedocs.io/en/latest
This is the default structure of the 'exclusions.yml' file. It allows you to specify policies, roles, users, and groups to exclude from evaluation, as well as actions to include or exclude.
```yaml
# Policy names to exclude from evaluation
# Suggestion: Add policies here that are known to be overly permissive by design, after you run the initial report.
policies:
- "AWSServiceRoleFor*"
- "*ServiceRolePolicy"
- "*ServiceLinkedRolePolicy"
- "AdministratorAccess" # Otherwise, this will take a long time
- "service-role*"
- "aws-service-role*"
# Don't evaluate these roles, users, or groups as part of the evaluation
roles:
- "service-role*"
- "aws-service-role*"
users:
- ""
groups:
- ""
# Read-only actions to include in the results, such as s3:GetObject
# By default, it includes Actions that could lead to Data Exfiltration
include-actions:
- "s3:GetObject"
- "ssm:GetParameter"
- "ssm:GetParameters"
- "ssm:GetParametersByPath"
- "secretsmanager:GetSecretValue"
# Write actions to include from the results, such as kms:Decrypt
exclude-actions:
- ""
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.