Multi-cloud IAM permissions enumeration tool. Currently covers:
- AWS
- GCP
- [TODO] Azure
- [TODO] Oracle
Description
Cliam is a simple cloud permissions identifier. There are two main components to the CLI:
- `enumerate`, which can be used to enumerate specific permissions (recommended).
- Service groups: some service providers have groups that check permissions for a specific subset of services/resources.

Most of the enumerated permissions are list, describe or get permissions. Only permissions that do not require a specific resource are tested, so an access-denied response can be attributed to the permission itself rather than to a missing or inaccessible resource.
Installation
Download the latest release. DEV tags are current, but not stable.
To build the binary locally, cd into the `cli` directory and run `make dev`.
Usage
Cliam works with credentials obtained from each provider's well-known environment variables or from the commonly required flags passed on the CLI.
It is highly recommended that command completions are set up, as most of the `enumerate`
options have to be specific. To generate completions, run `cliam completion [shell]`
and install the output in your shell's completion directory.
```
❯❯ cliam --help
Cloud Enumerate is a tool to enumerate cloud credentials for their permissions.

Usage:
  cliam [command]

Available Commands:
  aws         Enumerate AWS credentials for their permissions.
  completion  Generate the autocompletion script for the specified shell
  gcp         Enumerate GCP service accounts for their permissions.
  help        Help about any command

Flags:
  -h, --help   help for cliam

Additional help topics:
  cliam azure  Enumerate Azure credentials for their permissions.

Use "cliam [command] --help" for more information about a command.
```
AWS
Uses the AWS REST API directly, making a SigV4-signed request with the passed-in credentials rather than going through the SDK. This greatly adds speed, but makes it a bit more challenging to keep up with adding new permissions: AWS uses three or four different request formats at the service level (query-string, JSON and REST-style protocols), so each service's requests have to be modelled individually.
Supports obtaining credentials from an AWS profile, flags, or the default AWS environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and optionally `AWS_SESSION_TOKEN`.
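As an added illustration (this is example code written for this page, not code from the cliam project), the following Python builds the kind of signed, resource-free probe described above and classifies the response the way a permission enumerator would. The function names (`sigv4_sign`, `probe_request`, `classify`) and the sample credentials are assumptions; the credentials are the placeholder values used in the AWS SigV4 documentation, and the request is only constructed, never sent.

```python
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials and timestamp (the documented AWS SigV4
# example values); they are not real keys and nothing here touches the network.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
AMZ_DATE = "20150830T123600Z"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_sign(method, host, path, query, headers, payload, region, service,
               access_key, secret_key, amz_date, session_token=None):
    """Sign one request with AWS Signature Version 4.

    Returns (canonical_request, string_to_sign, signature, authorization_header).
    """
    date_stamp = amz_date[:8]
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    hdrs = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:  # temporary credentials must also sign the token header
        hdrs["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, _sha256_hex(payload)])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Signing key: HMAC chain over date, region, service and the terminator.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        date_stamp), region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return canonical_request, string_to_sign, signature, authorization


def probe_request(service, host, action, version, region, access_key, secret_key,
                  amz_date, session_token=None):
    """Build (but do not send) a signed, resource-free Query-protocol GET.

    Only List*/Describe*/Get* style actions that need no resource identifier
    are probed, so a 403 can only mean the policy denied the action itself.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    query = {"Action": action, "Version": version}
    canon, sts, sig, auth = sigv4_sign("GET", host, "/", query, headers, b"", region,
                                        service, access_key, secret_key, amz_date,
                                        session_token)
    canonical_query = canon.split("\n")[2]
    req_headers = dict(headers, Host=host, Authorization=auth)
    req_headers["X-Amz-Date"] = amz_date
    if session_token:
        req_headers["X-Amz-Security-Token"] = session_token
    return {"url": f"https://{host}/?{canonical_query}", "headers": req_headers,
            "canonical_request": canon, "string_to_sign": sts, "signature": sig}


def classify(status: int, body: str) -> str:
    """Turn a probe response into a verdict the way a permission enumerator does."""
    if 200 <= status < 300:
        return "allowed"
    denial_markers = ("AccessDenied", "UnauthorizedOperation", "is not authorized")
    if status == 403 and any(m in body for m in denial_markers):
        return "denied"
    # Other errors (throttling, validation, expired token) say nothing about
    # the permission itself and should be retried or reported separately.
    return "inconclusive"
```

To actually probe an account, hand `r["url"]` and `r["headers"]` from `probe_request(...)` to any HTTP client and pass the status code and body to `classify`. When the credentials are temporary (an `AWS_SESSION_TOKEN` is present), the token has to be supplied to the signer so that `x-amz-security-token` is part of the signed headers; sending it unsigned yields a signature mismatch, not a permission verdict.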
```
cliam aws --help
Enumerate AWS credentials for their permissions.

Usage:
  cliam aws [command]

Available Commands:
  common      Enumerate permissions for common AWS resources.
  compute     Enumerate permissions for common compute AWS resources.
  databases   Enumerate permissions for common AWS database resources.
  enumerate   Enumerate permissions for specified AWS resources.
  serverless  Enumerate permissions for common serverless AWS resources.
  storage     Enumerate permissions for common storage AWS resources.

Flags:
      --access-key-id string       AWS Access Key ID
  -h, --help                       help for aws
      --profile string             AWS Profile. When profile is set, access-key-id, secret-access-key, and session-token are ignored.
      --region string              AWS Region (default "us-east-1")
      --secret-access-key string   AWS Secret Access Key
      --session-token string       AWS Session Token

Global Flags:
      --max-threads int       Maximum number of threads to use. (default 5)
      --request-timeout int   Timeout for each request in seconds. (default 10)
```