A consolidated series of structured data for cloud identity and access management systems, including datasets for AWS, Azure, and Google Cloud.
It is currently being used to support:
- iamlive
- iamfast
- aws.permissions.cloud
- azure.permissions.cloud
- gcp.permissions.cloud
- claws
- LocalStack
- Access Undenied
Tooling which assists in the generation of some datasources is located in the util/
directory.
For Amazon Web Services IAM, the primary datasources are map.json and iam_definition.json.
In order to assist with the creation of the map.json file, a custom mapping tool may be used to accelerate the process. The mapping tool is currently hosted at: https://iann0036.github.io/iam-dataset/util/index.html#
A comprehensive mapping from SDK calls to IAM actions, typically created with the assistance of the mapping tool.
${PropertyName}
- Variable substitution for the PropertyName
property
.
- A property within an object/map
[]
- For each value within the array
%%urlencode%${PropertyName}%%
- Performs a URL-encoding on the PropertyName
property
%%many%${PropertyName}%${PropertyName2}%${PropertyName3}%%
- For each of the PropertyName
, PropertyName2
& PropertyName3
properties (any length)
%%iftemplatematch%${ArnProperty}%%
- Only valid if the template matches the resource type's template
%%iftruthy%${PropertyName}%ValueIfTrue%ValueIfFalse%%
- Truthy test
%%regex%${PropertyName}%/(.+)/g%%
- Returns first capture group of Regex
A scraping of the AWS Service Authorization Reference, the AWS-provided reference of known IAM actions. It is generated using work from Parliament.
The file does have some post-crawl patching actions.
The details of all AWS Managed Policies, including flags for whether the managed policy contains high sensitivity actions.
For Azure, the primary datasource is built-in-roles.json.
The direct output of the command az provider operation list
which retrieves all operations from all providers.
The output of the command az role definition list
with a query for all built-in roles.
The aggregation of thr built-in roles and provider operations permitted by those built-in roles.
For Google Cloud, the primary datasources are methods.json, permissions.json and role_permissions.json.
The result of the command gcloud iam roles list
, including deleted roles, showing all predefined roles.
A map of IAM permissions required for each method. [WORK IN PROGRESS]
The combination of the methods extracted from the Google Cloud Go SDK.
Same as methods.json, but with parameter information.
IAM Permissions as defined by the online IAM permissions reference.
A mapping of each permission and the roles which the permission has, including whether the containment is undocumented per the IAM permission reference.
The result of the command gcloud iam roles describe "$name"
for all built-in roles.