├── requirements.txt ├── config_dir ├── creds.json ├── config.json ├── rolelist.txt └── userlist.txt ├── Dockerfile ├── LICENSE ├── AWS_Policy.json ├── aws_svc ├── aws_service_base.py ├── iam_handler.py ├── sqs_handler.py ├── s3_handler.py └── kms_handler.py ├── account_handler.py ├── multi_accounts_handler.py ├── iamfinder.py └── README.md /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | boto3 -------------------------------------------------------------------------------- /config_dir/creds.json: -------------------------------------------------------------------------------- 1 | { 2 | "account1": { 3 | "Region": "us-west-1", 4 | "Active": true, 5 | "AccessKeyId": "", 6 | "SecretAccessKey": "" 7 | }, 8 | "account2": { 9 | "Region": "us-east-1", 10 | "Active": false, 11 | "AccessKeyId": "", 12 | "SecretAccessKey": "" 13 | }, 14 | "account3": { 15 | "Region": "us-east-2", 16 | "Active": false, 17 | "AccessKeyId": "", 18 | "SecretAccessKey": "", 19 | "SessionToken": "" 20 | } 21 | } -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:slim 2 | 3 | LABEL maintainer="Jay Chen " 4 | 5 | RUN useradd --create-home --shell /bin/bash iamuser 6 | 7 | ENV PATH="/home/iamuser/.local/bin:${PATH}" 8 | 9 | USER iamuser 10 | 11 | WORKDIR /home/iamuser 12 | 13 | COPY *.py *.txt *. 
*.md LICENSE ./ 14 | 15 | COPY ./aws_svc/*.py ./aws_svc/ 16 | 17 | COPY ./config_dir/*.txt ./config_dir/config.json ./config_dir/ 18 | 19 | VOLUME [ "/home/iamuser/config_dir/" ] 20 | 21 | RUN pip3 install -r requirements.txt 22 | 23 | ENTRYPOINT [ "python3", "iamfinder.py" ] 24 | 25 | CMD ["-h"] -------------------------------------------------------------------------------- /config_dir/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "CREDS_PATH": "./config_dir/creds.json", 3 | "ROLENAMES_FILE_PATH": "./config_dir/rolelist.txt", 4 | "USERNAMES_FILE_PATH": "./config_dir/userlist.txt", 5 | "SERVICES_CONFIG":{ 6 | "s3":{ 7 | "enabled": true, 8 | "resource_type":"s3", 9 | "resource_prefix":"iamcheckers3", 10 | "resource_count":3 11 | }, 12 | "kms":{ 13 | "enabled": true, 14 | "resource_type":"kms", 15 | "resource_prefix":"iamcheckerkms", 16 | "resource_count":3 17 | }, 18 | "sqs":{ 19 | "enabled": true, 20 | "resource_type":"sqs", 21 | "resource_prefix":"iamcheckersqs", 22 | "resource_count":2 23 | }, 24 | "iam":{ 25 | "enabled": true, 26 | "resource_type":"iam", 27 | "resource_prefix":"iamcheckeriam", 28 | "resource_count":2 29 | } 30 | } 31 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Palo Alto Networks 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 
all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /AWS_Policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "VisualEditor0", 6 | "Effect": "Allow", 7 | "Action": [ 8 | "iam:UpdateAssumeRolePolicy", 9 | "sqs:ListQueues", 10 | "s3:PutBucketPublicAccessBlock", 11 | "kms:PutKeyPolicy", 12 | "kms:GetKeyPolicy", 13 | "iam:ListRoles", 14 | "iam:CreateRole", 15 | "iam:DeleteRole", 16 | "s3:CreateBucket", 17 | "kms:DisableKey", 18 | "kms:ListKeys", 19 | "sts:AssumeRole", 20 | "s3:ListAllMyBuckets", 21 | "kms:ScheduleKeyDeletion", 22 | "kms:ListAliases", 23 | "kms:CreateAlias", 24 | "sqs:DeleteQueue", 25 | "s3:PutBucketPolicy", 26 | "kms:CreateKey", 27 | "sts:GetCallerIdentity", 28 | "sqs:CreateQueue", 29 | "s3:GetBucketLocation", 30 | "s3:DeleteBucket", 31 | "sqs:SetQueueAttributes" 32 | ], 33 | "Resource": "*" 34 | } 35 | ] 36 | } -------------------------------------------------------------------------------- /aws_svc/aws_service_base.py: -------------------------------------------------------------------------------- 1 | from abc import ABC, abstractmethod 2 | import threading 3 | import boto3 4 | import botocore 5 | import sys 6 | import logging 7 | import logging.config 8 | from enum import Enum 9 | from itertools import cycle 10 | from botocore.config import Config 11 | from 
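botocore.endpoint import MAX_POOL_CONNECTIONS
from collections.abc import Iterable

class AWS_SVC_BASE(ABC):
    ''' Base class for one AWS service that owns several resources (workers).

    A concrete handler discovers or creates resources whose names carry
    svc_config['resource_prefix'] and rotates through them via worker_cycle.
    The handlers in this project build their client from the boto3 session
    passed to __init__, so every call is made against that session's account.
    '''
    # Client settings shared by all handlers: adaptive retry mode with up to
    # 25 attempts per call.
    aws_config = Config(
        retries=dict(
            total_max_attempts=25,
            mode='adaptive'
        ),
        max_pool_connections=MAX_POOL_CONNECTIONS,
    )

    def __init__(self, svc_type, session, svc_config):
        ''' Validate the arguments and start with an empty worker cycle.

        svc_type   -- AWS_SVC_TYPE member naming the service
        session    -- boto3.Session used by the subclass to build its client
        svc_config -- dict that must contain 'resource_prefix'

        Raises ValueError when an argument has the wrong type and KeyError
        when 'resource_prefix' is missing from svc_config.
        '''
        if not isinstance(session, boto3.Session):
            logging.error('session must be of type boto3.Session')
            raise ValueError('session must be of type boto3.Session')
        if not isinstance(svc_type, AWS_SVC_TYPE):
            logging.error('svc_type must be of type AWS_SVC_TYPE')
            raise ValueError('svc_type must be of type AWS_SVC_TYPE')
        if not isinstance(svc_config, dict):
            # svc_config is checked against dict, so the message says dict.
            logging.error('svc_config must be of type dict')
            raise ValueError('svc_config must be of type dict')
        self.session = session
        self.account_id = 0
        self.service_type = svc_type
        self.svc_config = svc_config
        self.rsc_prefix = svc_config['resource_prefix']
        # Guards worker_cycle in _get_next_worker().
        self._key_lock = threading.Lock()
        self.worker_cycle = cycle(list())
        super().__init__()

    @abstractmethod
    def get_existing_workers(self):
        ''' Query the existing workers based on the rsc_prefix '''

    @abstractmethod
    def create_workers(self):
        ''' Create workers/resources of this service '''

    @abstractmethod
    def delete_workers(self):
        ''' Delete the workers created by create_workers() function '''

    @abstractmethod
    def _check_existing_identity(self, identiy_arn):
        ''' Check if identiy_arn exists in AWS.

        The handlers in this project return True when the ARN was accepted,
        False when AWS reported an invalid principal, and None when no worker
        was available or no answer was obtained (IAMHandler also returns False
        for other client errors).
        '''

    def check_existing_user(self, aws_id, target_user, aws_partition = 'aws'):
        ''' Check if the target_user exists in AWS account aws_id.

        Builds the IAM user ARN and returns the result of
        _check_existing_identity() for it.
        '''
        user_arn = 'arn:{}:iam::{}:user/{}'.format(aws_partition, aws_id, target_user)
        return self._check_existing_identity(user_arn)

    def check_existing_role(self, aws_id, target_role, aws_partition = 'aws'):
        ''' Check if the target_role exists in AWS account aws_id.

        Builds the IAM role ARN and returns the result of
        _check_existing_identity() for it.
        '''
        role_arn = 'arn:{}:iam::{}:role/{}'.format(aws_partition, aws_id, target_role)
        return self._check_existing_identity(role_arn)


    def precheck(self):
        ''' Check if there is at least one resource to perform the test.

        Pulls one item from worker_cycle (advancing it by one position); an
        empty cycle yields the default None.
        '''
        return next(self.worker_cycle, None) is not None

    def _get_next_worker(self):
        ''' Return the next worker under the lock, or None when the cycle is empty. '''
        with self._key_lock:
            try:
                return next(self.worker_cycle)
            except StopIteration:
                logging.error('Empty worker cycle')
                return None

    def _set_worker_cycle(self, iterable_obj):
        ''' Replace worker_cycle with a cycle over iterable_obj.

        A non-iterable argument is logged and ignored, leaving the previous
        cycle in place.
        '''
        if not isinstance(iterable_obj, Iterable):
            logging.error('set_worker_cycle function expects an Iterable input')
            return
        self.worker_cycle = cycle(iterable_obj)

    def _check_boto3_response(self, resp):
        ''' Return True when resp carries a 2xx HTTPStatusCode in ResponseMetadata. '''
        if 'ResponseMetadata' not in resp:
            return False
        return 200 <= resp['ResponseMetadata']['HTTPStatusCode'] < 300

    def _enable_logging(self):
        ''' Disable the existing loggers and log at DEBUG as "<module>: <message>". '''
        logging.config.dictConfig({
            'version': 1,
            'disable_existing_loggers': True,
        })
        logging.basicConfig(level=logging.DEBUG, format='%(module)s: %(message)s')

class AWS_SVC_TYPE(Enum):
    ''' Supported services; the values match the keys of SERVICES_CONFIG. '''
    IAM = 'iam'
    S3 = 's3'
    KMS = 'kms'
    SQS = 'sqs'

--------------------------------------------------------------------------------
/aws_svc/iam_handler.py:
--------------------------------------------------------------------------------
import boto3
import botocore
import sys, os
import random, string
import logging
from aws_svc.aws_service_base import AWS_SVC_BASE, AWS_SVC_TYPE

class IAMHandler(AWS_SVC_BASE):
    ''' Worker pool made of IAM roles kept under the path '/<resource_prefix>/'. '''
    def __init__(self, boto3_session, iam_config):
        super().__init__(AWS_SVC_TYPE.IAM, boto3_session, iam_config)
        self.iam_client = boto3_session.client('iam',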
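config=AWS_SVC_BASE.aws_config)
        self.created_roles = list()
        self.role_path = '{}{}{}'.format('/', self.rsc_prefix, '/')
        self.get_existing_workers()
        self._set_worker_cycle(self.created_roles)

    def get_existing_workers(self):
        ''' Collect roles already present under role_path, up to resource_count.

        Returns created_roles, or None when the listing fails.

        NOTE: every role found under role_path is treated as a worker, so
        _check_existing_identity() rewrites its trust policy and
        delete_workers() removes it. Keep the prefix dedicated to this tool.
        '''
        try:
            key_count = self.svc_config['resource_count']
            resp = self.iam_client.list_roles(PathPrefix=self.role_path, MaxItems=1000) # result may be truncated
            if not self._check_boto3_response(resp):
                return None
            for role in resp['Roles']:
                self.created_roles.append(role['RoleName'])
                key_count -= 1
                if key_count <= 0:
                    break
            return self.created_roles
        except botocore.exceptions.ClientError as error:
            logging.error('Fail to list rolefinder roles. {}'.format(error))
            return None


    def create_workers(self):
        ''' Create IAM roles until resource_count roles are available.

        Each role gets a 12-character random alphanumeric name under
        role_path. Returns created_roles.
        '''
        # The trust policy holds a single Deny statement and no Allow, so the
        # new role cannot be assumed.
        trust_policy = '''{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}'''
        role_count = self.svc_config['resource_count']
        needed = role_count - len(self.created_roles)
        if needed <= 0:
            # Don't need to create more roles
            logging.info('No need to create more resources for IAM')
            return self.created_roles

        alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits
        for _ in range(needed):
            rnd_str = ''.join(random.choices(alphabet, k=12))
            try:
                resp = self.iam_client.create_role(RoleName=rnd_str, Path=self.role_path, AssumeRolePolicyDocument = trust_policy)
                if not self._check_boto3_response(resp):
                    continue

                role_name = resp['Role']['RoleName']
                self.created_roles.append(role_name)
                logging.info('Role {} has been successfully created'.format(role_name))
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to create IAM role. {}'.format(error))

        self._set_worker_cycle(self.created_roles)
        return self.created_roles

    def delete_workers(self):
        ''' Delete every role in created_roles and reset the worker cycle.

        A failed deletion is logged; the role is dropped from created_roles
        either way.
        '''
        for role_name in self.created_roles:
            try:
                self.iam_client.delete_role(
                    RoleName=role_name
                )
                logging.info('Role {} has been successfully deleted'.format(role_name))
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to delete role {}. {}'.format(role_name, error))
        self.created_roles = list()
        self._set_worker_cycle(self.created_roles)

    def _check_existing_identity(self, identiy_arn):
        ''' Check if identiy_arn exists by naming it in a worker role's trust policy.

        Returns True when the policy update succeeds, False when IAM rejects
        the principal as invalid or another client error occurs, and None
        when no worker role is available or the answer is inconclusive.
        '''
        # Local import: this file's import block does not bring in json.
        import json

        test_role = self._get_next_worker()
        if test_role is None:
            logging.error('No available worker/resource in IAM handler')
            return None

        # Serialise the policy instead of formatting the ARN into a JSON
        # template, so quotes or backslashes in a candidate name cannot
        # change the structure of the document. For ordinary names the
        # output is identical to the template.
        trust_policy = json.dumps({
            'Version': '2012-10-17',
            'Statement': [{
                'Effect': 'Deny',
                'Principal': {'AWS': identiy_arn},
                'Action': 'sts:AssumeRole',
            }],
        }, separators=(',', ':'))
        try:
            resp = self.iam_client.update_assume_role_policy(
                RoleName=test_role,
                PolicyDocument=trust_policy
            )
            if self._check_boto3_response(resp):
                return True
        except self.iam_client.exceptions.MalformedPolicyDocumentException as e:
            # Role does not exist
            if e.response['Error']['Code'] == 'MalformedPolicyDocument' and 'Invalid principal' in e.response['Error']['Message']:
                logging.debug('Invalid principal identified using role {}!'.format(test_role))
                return False
        except botocore.exceptions.ClientError as e:
            # NOTE(review): throttling or access errors are reported as False
            # here, while the other handlers return None for them; confirm
            # which one callers expect.
            logging.debug(e)
            return False
        return None

--------------------------------------------------------------------------------
/aws_svc/sqs_handler.py:
--------------------------------------------------------------------------------
import sys, os
# sys.path.insert(1, os.path.join(sys.path[0], '..'))
from aws_svc.aws_service_base import AWS_SVC_BASE, AWS_SVC_TYPE
import boto3
import botocore
import random
import json
import string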
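import logging
from itertools import cycle


class SQSHandler(AWS_SVC_BASE):
    ''' Worker pool made of SQS queues whose names start with resource_prefix. '''
    def __init__(self, boto3_session, sqs_config):
        super().__init__(AWS_SVC_TYPE.SQS, boto3_session, sqs_config)
        self.sqs_client = boto3_session.client('sqs', config=AWS_SVC_BASE.aws_config)
        self.created_queue = list()
        self.get_existing_workers()
        self._set_worker_cycle(self.created_queue)

    def get_existing_workers(self):
        ''' Collect the URLs of existing queues with the prefix, up to resource_count.

        Returns created_queue, or None when the listing fails.

        NOTE: every queue whose name starts with resource_prefix is treated
        as a worker, so its policy is overwritten by
        _check_existing_identity() and it is removed by delete_workers().
        '''
        q_count = self.svc_config['resource_count']
        try:
            resp = self.sqs_client.list_queues(
                QueueNamePrefix = self.rsc_prefix,
                MaxResults=1000
            )
            if not (self._check_boto3_response(resp) and 'QueueUrls' in resp):
                return None

            for q_url in resp['QueueUrls']:
                self.created_queue.append(q_url)
                q_count -= 1
                if q_count <= 0:
                    break
        except botocore.exceptions.ClientError as error:
            logging.error('Fail to list queues. {}'.format(error))
            return None

        return self.created_queue

    def create_workers(self):
        ''' Create SQS queues until resource_count queues are available.

        Returns created_queue (a list of queue URLs), as the other handlers
        return their worker lists.
        '''
        q_count = self.svc_config['resource_count']
        needed = q_count - len(self.created_queue)
        if needed <= 0:
            # Don't need to create more queues
            logging.info('No need to create more resources for SQS')
            return self.created_queue

        alphabet = string.ascii_lowercase + string.digits
        for _ in range(needed):
            qName = '{}-{}'.format(self.rsc_prefix, ''.join(random.choices(alphabet, k=20)))
            try:
                resp = self.sqs_client.create_queue(
                    QueueName=qName
                )
                if not self._check_boto3_response(resp):
                    continue
                self.created_queue.append(resp['QueueUrl'])
                logging.info('Queue {} has been successfully created'.format(qName))
            except (self.sqs_client.exceptions.QueueDeletedRecently, self.sqs_client.exceptions.QueueNameExists) as e:
                logging.error('Fail to create queue. {}'.format(e))
            except botocore.exceptions.ClientError as e:
                # Any other API error is logged too, so one failed call does
                # not abort the remaining creations.
                logging.error('Fail to create queue. {}'.format(e))

        # Rebuild the cycle so queues created above are handed out even when
        # the previous cycle was already exhausted by precheck().
        self._set_worker_cycle(self.created_queue)
        return self.created_queue


    def delete_workers(self):
        ''' Delete every queue in created_queue and reset the worker cycle. '''
        for q_url in self.created_queue:
            try:
                resp = self.sqs_client.delete_queue(
                    QueueUrl=q_url
                )
                if not self._check_boto3_response(resp):
                    logging.error('Fail to delete queue {}'.format(q_url))
                    continue
                logging.info('Queue {} has been successfully deleted'.format(q_url))
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to delete queue {}. {}'.format(q_url, error))
        self.created_queue = list()
        self._set_worker_cycle(self.created_queue)

    def _check_existing_identity(self, identiy_arn):
        ''' Check if identiy_arn exists by naming it in a worker queue's policy.

        Returns True when the policy is accepted, False when SQS answers
        InvalidAttributeValue, and None when no queue is available or another
        error occurs.
        '''
        # Serialise the policy instead of formatting the ARN into a JSON
        # template, so quotes or backslashes in a candidate name cannot
        # change the structure of the document.
        test_policy_obj = json.dumps({
            'Version': '2012-10-17',
            'Statement': [{
                'Effect': 'Deny',
                'Principal': {'AWS': identiy_arn},
                'Action': 'SQS:*',
                'Resource': '*',
            }],
        }, separators=(',', ':'))

        q_url = self._get_next_worker()
        if q_url is None:
            logging.error('No available worker/resource in sqs_handler')
            return None

        q_name = q_url.split('/')[-1]
        try:
            resp = self.sqs_client.set_queue_attributes(
                QueueUrl=q_url,
                Attributes={
                    'Policy': test_policy_obj
                }
            )
            if self._check_boto3_response(resp):
                return True
        except botocore.exceptions.ClientError as e:
            if e.response['Error']['Code'] == 'InvalidAttributeValue':
                logging.debug('Invalid principal identified using queue {}!'.format(q_name))
                return False
            # Other error codes are inconclusive; log them instead of
            # dropping them silently.
            logging.error(e)
        return None

--------------------------------------------------------------------------------
/account_handler.py:
--------------------------------------------------------------------------------
import sys
import boto3
import botocore
import random, string
import logging
from itertools import cycle
from aws_svc.iam_handler import IAMHandler
from aws_svc.s3_handler import S3Handler
from aws_svc.kms_handler import KMSHandler
from aws_svc.sqs_handler import SQSHandler
from aws_svc.aws_service_base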
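import AWS_SVC_TYPE

class ACCOUNTHandler:
    ''' An AWS account that manages multiple services '''
    def __init__(self, boto3_session, account_name, services_config_dict):
        ''' Build one handler per enabled service and cycle through them.

        boto3_session        -- session whose credentials are used for every call
        account_name         -- label used in log messages
        services_config_dict -- mapping of service name to its config dict
        '''
        self.boto3_session = boto3_session
        self.account_name = account_name
        self.services_config = services_config_dict
        self.svc_list = list()
        self.add_svc_handlers()
        self.svc_cycle = cycle(self.svc_list)

    def _get_next_service(self):
        ''' Return the next service handler, or None when none is left. '''
        # NOTE(review): unlike AWS_SVC_BASE._get_next_worker() this takes no
        # lock; confirm whether it is called from several threads.
        try:
            return next(self.svc_cycle)
        except StopIteration:
            logging.error('Empty resource cycle')
            return None

    def add_svc_handlers(self):
        ''' Create multiple service_handlers and add to the account '''
        # Need some delay before the created resources can be used
        handler_types = {
            AWS_SVC_TYPE.IAM.value: IAMHandler,
            AWS_SVC_TYPE.S3.value: S3Handler,
            AWS_SVC_TYPE.KMS.value: KMSHandler,
            AWS_SVC_TYPE.SQS.value: SQSHandler,
        }
        for svc_name, svc_config in self.services_config.items():
            # A service without an 'enabled' key counts as enabled.
            if not svc_config.get('enabled', True):
                continue
            handler_cls = handler_types.get(svc_name)
            if handler_cls is None:
                # Unknown names are skipped; say so rather than staying silent.
                logging.warning('Unsupported service {} in the configuration of account {}'.format(svc_name, self.account_name))
                continue
            self.svc_list.append(handler_cls(self.boto3_session, svc_config))


    def create_resources(self):
        ''' Create rsc_count number of workers for each service '''
        for svc_obj in self.svc_list:
            svc_obj.create_workers()

    def delete_resources(self):
        ''' Delete the resources created by create_resources() function '''
        for svc_obj in self.svc_list:
            svc_obj.delete_workers()
        self.svc_list = list()
        self.svc_cycle = cycle(self.svc_list)

    def check_existing_role(self, aws_id, target_role, aws_partition = 'aws'):
        ''' Check if the target_role exists in AWS account aws_id.

        Returns the handler's answer, or None when no service handler is
        available.
        '''
        svc_obj = self._get_next_service()
        if svc_obj is None:
            # Happens after delete_resources() or when no service is enabled.
            return None
        return svc_obj.check_existing_role(aws_id, target_role, aws_partition=aws_partition)

    def check_existing_user(self, aws_id, target_user, aws_partition = 'aws'):
        ''' Check if the target_user exists in AWS account aws_id.

        Returns the handler's answer, or None when no service handler is
        available.
        '''
        svc_obj = self._get_next_service()
        if svc_obj is None:
            return None
        return svc_obj.check_existing_user(aws_id, target_user, aws_partition=aws_partition)

    def check_assumable_role(self, aws_id, role, aws_partition = 'aws'):
        ''' Try sts:AssumeRole on the role and return the response on success.

        Returns the assume_role response when it contains 'Credentials',
        otherwise None. The response holds temporary credentials for the
        assumed role: callers should not log or persist it.
        '''
        sts_client = self.boto3_session.client('sts')
        role_arn = 'arn:{}:iam::{}:role/{}'.format(aws_partition, aws_id, role)
        session_name = ''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase + string.digits, k=18))
        try:
            resp = sts_client.assume_role(
                RoleArn=role_arn,
                RoleSessionName=session_name,
                DurationSeconds=3600 # 60 mins
            )
            if 'Credentials' in resp:
                return resp
        except botocore.exceptions.ClientError as e:
            logging.debug('Error when attempting to assume role. {}'.format(e))
        return None

    def precheck(self):
        ''' Check if there is at least one available resource to perform the test on the target account.

        Service handlers without any worker are removed from svc_list.
        '''
        if len(self.svc_list) < 1:
            logging.error('There is no available service in account {}'.format(self.account_name))
            return False

        is_available = False
        empty_svc = list() # Store the service_handler to be removed
        for svc_obj in self.svc_list:
            if svc_obj.precheck():
                is_available = True
            else:
                logging.warning('Service {} in account {} has no available resource to perform test'.format(svc_obj.service_type.value, self.account_name))
                # Remove it from the list
                empty_svc.append(svc_obj)
        if empty_svc:
            for svc_obj in empty_svc:
                self.svc_list.remove(svc_obj)
            self.svc_cycle = cycle(self.svc_list)
        return is_available

--------------------------------------------------------------------------------
/aws_svc/s3_handler.py:
--------------------------------------------------------------------------------
from aws_svc.aws_service_base import AWS_SVC_BASE, AWS_SVC_TYPE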
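import boto3
import botocore
import random
import json
import string
import sys, os
import logging
from itertools import cycle

class S3Handler(AWS_SVC_BASE):
    ''' Worker pool made of S3 buckets whose names start with resource_prefix. '''

    def __init__(self, boto3_session, s3_config):
        super().__init__(AWS_SVC_TYPE.S3, boto3_session, s3_config)
        self.s3_client = boto3_session.client('s3', config=AWS_SVC_BASE.aws_config)
        self.created_bkt = list()
        self.get_existing_workers()
        self._set_worker_cycle(self.created_bkt)

    def get_existing_workers(self):
        ''' Collect existing buckets with the prefix, up to resource_count.

        Returns created_bkt (dicts with 'BucketName' and 'Region'), or None
        when the bucket listing fails.

        NOTE: every bucket whose name starts with resource_prefix is treated
        as a worker, so its bucket policy is overwritten by
        _check_existing_identity() and delete_workers() tries to delete it.
        Keep the prefix dedicated to this tool.
        '''
        try:
            resp = self.s3_client.list_buckets()
            if not self._check_boto3_response(resp):
                logging.error('Fail to list existing S3 buckets.')
                return None
        except botocore.exceptions.ClientError as error:
            logging.error('Fail to list buckets. {}'.format(error))
            return None

        key_count = self.svc_config['resource_count']
        for bkt in resp['Buckets']:
            bkt_name = bkt['Name']
            if not bkt_name.startswith(self.rsc_prefix):
                continue
            # Find bucket region
            try:
                resp2 = self.s3_client.get_bucket_location(
                    Bucket = bkt_name
                )
                if not self._check_boto3_response(resp2):
                    continue
                region = resp2['LocationConstraint']
                self.created_bkt.append({'BucketName': bkt_name, 'Region':region})
                key_count -= 1
                if key_count <= 0:
                    break
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to get bucket location.')
                continue
        return self.created_bkt

    def create_workers(self):
        ''' Create S3 buckets until resource_count buckets are available.

        Returns created_bkt, a list of dicts with 'BucketName' and 'Region'.
        '''
        bkt_count = self.svc_config['resource_count']
        needed = bkt_count - len(self.created_bkt)
        if needed <= 0:
            # Don't need to create more buckets
            logging.info('No need to create more resources for S3')
            return self.created_bkt

        alphabet = string.ascii_lowercase + string.digits
        for _ in range(needed):
            reg = self.session.region_name
            bucketName = '{}-{}'.format(self.rsc_prefix, ''.join(random.choices(alphabet, k=20)))
            try:
                # AWS-CN needs additional permissions for this function call to work ....
                if reg != 'us-east-1':
                    resp = self.s3_client.create_bucket(Bucket=bucketName, ACL='private',
                        CreateBucketConfiguration={'LocationConstraint': reg},
                        ObjectLockEnabledForBucket=True)
                else:
                    resp = self.s3_client.create_bucket(Bucket=bucketName, ACL='private',
                        ObjectLockEnabledForBucket=True)

                if not self._check_boto3_response(resp):
                    continue

                # Block all public access to the bucket
                self.s3_client.put_public_access_block(
                    Bucket=bucketName,
                    PublicAccessBlockConfiguration={
                        'BlockPublicAcls': True,
                        'IgnorePublicAcls': True,
                        'BlockPublicPolicy': True,
                        'RestrictPublicBuckets': True
                    }
                )
            except botocore.exceptions.ClientError as error:
                # Log and move on like the other handlers do. A bucket that
                # was created before the failure is not used in this run, but
                # get_existing_workers() can still find it by prefix later.
                logging.error('Fail to create S3 bucket {}. {}'.format(bucketName, error))
                continue
            self.created_bkt.append({'BucketName': bucketName, 'Region':reg})

            logging.info('S3 bucket {} has been successfully created in region {}'.format(bucketName, reg))
        self._set_worker_cycle(self.created_bkt)
        return self.created_bkt

    def delete_workers(self):
        ''' Delete every bucket in created_bkt and reset the worker cycle.

        A failed deletion is logged and the remaining buckets are still
        processed.
        '''
        for bkt in self.created_bkt:
            bucketName = bkt['BucketName']
            reg = bkt['Region']
            try:
                resp = self.s3_client.delete_bucket(
                    Bucket=bucketName,
                )
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to delete S3 bucket {} in region {}. {}'.format(bucketName, reg, error))
                continue
            if self._check_boto3_response(resp):
                logging.info('S3 bucket {} has been successfully deleted in region {}'.format(bucketName, reg))
            else:
                logging.error('Fail to delete S3 bucket {} in region {}'.format(bucketName, reg))
        self.created_bkt = list()
        self._set_worker_cycle(self.created_bkt)

    def _check_existing_identity(self, identiy_arn):
        ''' Check if identiy_arn exists by naming it in a worker bucket's policy.

        Returns True when the policy is accepted, False when S3 rejects the
        principal as invalid, and None when no bucket is available or another
        error occurs.
        '''
        # Test for None before subscripting: _get_next_worker() returns None
        # when the cycle is empty.
        bkt = self._get_next_worker()
        if bkt is None:
            logging.error('No available worker/resource in s3_handler')
            return None
        bucketName = bkt['BucketName']

        # role_arn = 'arn:{}:iam::{}:role/{}'.format(aws_partition, aws_id, target_role)
        aws_partition = identiy_arn.split(':')[1]
        root_path = 'arn:{}:s3:::{}/*'.format(aws_partition, bucketName)

        # Serialise the policy instead of formatting the ARN into a JSON
        # template, so quotes or backslashes in a candidate name cannot
        # change the structure of the document.
        s3_policy = json.dumps({
            'Version': '2012-10-17',
            'Statement': [{
                'Sid': 'iamcheck',
                'Effect': 'Deny',
                'Principal': {'AWS': identiy_arn},
                'Action': ['s3:*'],
                'Resource': [root_path],
            }],
        }, separators=(',', ':'))

        try:
            resp = self.s3_client.put_bucket_policy(
                Bucket=bucketName,
                ConfirmRemoveSelfBucketAccess=True,
                Policy=s3_policy
            )
            if self._check_boto3_response(resp):
                return True
        except botocore.exceptions.ClientError as e:
            err = e.response['Error']
            if err.get('Code') == 'MalformedPolicy' and 'Invalid principal' in err.get('Message', ''):
                logging.debug('Invalid principal identified using bucket {}!'.format(bucketName))
                return False
            # One handler covers every ClientError; anything that is not an
            # invalid-principal rejection is logged and treated as inconclusive.
            logging.error(e)
        return None

--------------------------------------------------------------------------------
/aws_svc/kms_handler.py:
--------------------------------------------------------------------------------
from aws_svc.aws_service_base import AWS_SVC_BASE, AWS_SVC_TYPE
import boto3
import botocore
import sys, os
import random, string
import json
import logging

class KMSHandler(AWS_SVC_BASE):
    ''' Worker pool made of KMS keys whose alias starts with 'alias/<resource_prefix>-'. '''

    def __init__(self, boto3_session, kms_config):
        super().__init__(AWS_SVC_TYPE.KMS, boto3_session, kms_config)
        self.kms_client = boto3_session.client('kms',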
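config=AWS_SVC_BASE.aws_config)
        self.created_keys = list()
        self.get_existing_workers()
        self._set_worker_cycle(self.created_keys)


    def _load_key_policy(self, key_obj):
        ''' Fetch the key's 'default' policy into key_obj['Policy'].

        Returns True on success and False when the call fails.
        '''
        try:
            resp = self.kms_client.get_key_policy(
                KeyId=key_obj['KeyId'],
                # The name of the key policy to retrieve.
                PolicyName='default',
            )
        except botocore.exceptions.ClientError as error:
            logging.error('Fail to get KMS key policy. {}'.format(error))
            return False
        if not self._check_boto3_response(resp):
            return False
        key_obj['Policy'] = resp['Policy']
        return True

    def get_existing_workers(self):
        ''' Collect existing keys with a matching alias, up to resource_count.

        A key qualifies when it has exactly one alias and that alias starts
        with 'alias/<resource_prefix>-'. Returns created_keys, or None when
        the key listing fails.

        NOTE: the policy of every qualifying key is rewritten by
        _check_existing_identity() and the key is scheduled for deletion by
        delete_workers(). Keep the prefix dedicated to this tool.
        '''
        try:
            resp = self.kms_client.list_keys(Limit=1000) # result may be truncated
            if not self._check_boto3_response(resp):
                return None
        except botocore.exceptions.ClientError as error:
            logging.error('Fail to list KMS keys. {}'.format(error))
            return None

        key_count = self.svc_config['resource_count']
        for key_obj in resp['Keys']:
            key_id = key_obj['KeyId'] # {KeyId:"", KeyArn:""}

            # Check key alias
            try:
                resp2 = self.kms_client.list_aliases(KeyId=key_id)
                if not self._check_boto3_response(resp2):
                    continue
                if len(resp2['Aliases']) != 1:
                    continue
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to list key alias. {}'.format(error))
                continue

            for alias_obj in resp2['Aliases']:
                alias_name = alias_obj['AliasName']
                if alias_name.startswith('alias/{}-'.format(self.rsc_prefix)):
                    self.created_keys.append(key_obj)
                    key_count -= 1
                    break
            # Don't use more keys than the resource count specified in the config file
            if key_count <= 0:
                break

        # Get key policies. A failure is logged by the helper; the policy is
        # then fetched again on first use.
        for key_obj in self.created_keys:
            self._load_key_policy(key_obj)

        return self.created_keys


    def create_workers(self):
        ''' Create KMS keys until resource_count keys are available.

        Each key gets an alias 'alias/<resource_prefix>-<random>' and is
        disabled right after creation. Returns created_keys.
        '''
        key_count = self.svc_config['resource_count']
        needed = key_count - len(self.created_keys)
        if needed <= 0:
            # Don't need to create more keys
            logging.info('No need to create more resources for KMS')
            return self.created_keys

        alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits
        for _ in range(needed):
            rnd_str = ''.join(random.choices(alphabet, k=10))
            try:
                resp = self.kms_client.create_key(
                    Description='{}_test_key'.format(self.rsc_prefix),
                    KeyUsage='ENCRYPT_DECRYPT'
                )
                if not self._check_boto3_response(resp):
                    logging.error('Fail to create a test KMS key')
                    continue
                key_id = resp['KeyMetadata']['KeyId']
                key_arn = resp['KeyMetadata']['Arn']

                # Create a key alias
                alias_name = 'alias/{}-{}'.format(self.rsc_prefix, rnd_str)
                resp2 = self.kms_client.create_alias(
                    AliasName = alias_name,
                    TargetKeyId = key_id
                )
                if not self._check_boto3_response(resp2):
                    logging.error('Fail to create a test KMS key alias')
                    continue

                # Disable the key: it is only used as a policy holder
                self.kms_client.disable_key(
                    KeyId=key_id,
                )

                # No 'Policy' entry yet; _check_existing_identity() loads it
                # on first use.
                self.created_keys.append({"KeyId":key_id, "KeyArn":key_arn})
                logging.info('Key alias {} has been successfully created'.format(alias_name))
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to create KMS key. {}'.format(error))

        self._set_worker_cycle(self.created_keys)
        return self.created_keys

    def delete_workers(self):
        ''' Schedule every key in created_keys for deletion (7-day window) and reset the cycle. '''
        for key_obj in self.created_keys:
            key_id = key_obj['KeyId']
            try:
                resp = self.kms_client.schedule_key_deletion(
                    KeyId=key_id,
                    PendingWindowInDays=7
                )
                if not self._check_boto3_response(resp):
                    continue
                logging.info('Key {} is scheduled to be deleted on {}'.format(key_id, resp['DeletionDate']))
            except botocore.exceptions.ClientError as error:
                logging.error('Fail to delete kms key {}. {}'.format(key_id, error))
        self.created_keys = list()
        self._set_worker_cycle(self.created_keys)


    def _check_existing_identity(self, identiy_arn):
        ''' Check if identiy_arn exists by naming it in a worker key's policy.

        Returns True when the policy is accepted, False when KMS rejects the
        principal as invalid, and None when no key or key policy is available
        or another error occurs.
        '''
        key_obj = self._get_next_worker()
        if key_obj is None:
            logging.error('No available worker/resource in kms_handler')
            return None
        # Keys added by create_workers() carry no cached policy, so fetch it
        # here instead of failing with KeyError.
        if 'Policy' not in key_obj and not self._load_key_policy(key_obj):
            logging.error('No key policy available for kms key {}'.format(key_obj['KeyId']))
            return None

        # role_arn = 'arn:{}:iam::{}:role/{}'.format(aws_partition, aws_id, target_role)
        test_policy_obj = {
            'Sid': 'roleFinder',
            'Effect': 'Deny',
            'Principal': {'AWS': identiy_arn},
            'Action': 'kms:*',
            'Resource': '*',
        }
        policy_obj = json.loads(key_obj['Policy'])
        statements = policy_obj['Statement']
        # The test statement lives in slot 1, after the key's own first
        # statement; append while that slot does not exist yet.
        if len(statements) < 2:
            statements.append(test_policy_obj)
        else:
            statements[1] = test_policy_obj

        try:
            resp = self.kms_client.put_key_policy(
                KeyId=key_obj['KeyId'],
                Policy=json.dumps(policy_obj),
                PolicyName='default'
            )
            if self._check_boto3_response(resp):
                return True
        except self.kms_client.exceptions.MalformedPolicyDocumentException as e:
            if e.response['Error']['Code'] == 'MalformedPolicyDocumentException' and 'invalid principals' in e.response['Error']['Message']:
                logging.debug('Invalid principal identified using kms key {}!'.format(key_obj['KeyId']))
                return False
        except botocore.exceptions.ClientError as e:
            logging.error(e)
        return None

--------------------------------------------------------------------------------
/multi_accounts_handler.py:
--------------------------------------------------------------------------------
import os
import sys
import json
import boto3
import botocore
import multiprocessing
import logging
import logging.config
from itertools import cycle

from multiprocessing.pool import ThreadPool
from account_handler import ACCOUNTHandler

class MultiAccountsHandler:
    ''' Manage multiple AWS accounts (account_handler) '''
    def __init__(self, acc_config):
        ''' Load the credentials named by acc_config['CREDS_PATH'] and cycle over the accounts.

        The credential file holds access keys in clear text; keep it out of
        version control and supply it at run time rather than copying it
        into an image.
        '''
        self.acc_list = list()
        self.acc_config = acc_config
        self._load_creds(acc_config['CREDS_PATH'])
        self.acc_cycle = cycle(self.acc_list)

    def _load_creds(self, creds_path):
        ''' Read AWS credentials from a json file and create an AWS account '''
        if not (os.path.exists(creds_path) and os.path.isfile(creds_path)):
            sys.exit('Credential file does not exist.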
Please add a credential file to {}'.format(creds_path)) 26 | with open(creds_path, newline='', encoding='utf-8') as fhand: 27 | try: 28 | accounts_dict = json.load(fhand) 29 | acc_nums = dict() # used to track keys in the same AWS account 30 | for key_name, cred_data in accounts_dict.items(): 31 | if 'Active' in cred_data and not cred_data['Active']: 32 | continue 33 | if 'SessionToken' in cred_data: 34 | sessionTkn = cred_data['SessionToken'] 35 | else: 36 | sessionTkn = None 37 | 38 | session = boto3.Session( 39 | aws_access_key_id=cred_data['AccessKeyId'], 40 | aws_secret_access_key=cred_data['SecretAccessKey'], 41 | aws_session_token=sessionTkn, 42 | region_name=cred_data['Region']) 43 | 44 | # Validate the keys 45 | resp = self._verify_access_token(session) 46 | if resp is None: 47 | logging.error('The access key of {} is invalid. Skiped ...'.format(key_name)) 48 | continue 49 | if resp['Account'] in acc_nums: 50 | logging.error('Key {} and key {} belong to the same account (awsID: {}). Only the first key will be used.'.format( 51 | acc_nums[resp['Account']], key_name, resp['Account'])) 52 | continue 53 | 54 | acc_nums[resp['Account']] = key_name 55 | aws_acc = ACCOUNTHandler(session, key_name, self.acc_config['SERVICES_CONFIG']) 56 | self.acc_list.append(aws_acc) 57 | except json.decoder.JSONDecodeError as e: 58 | sys.exit('Fail to load credential file. Please check the credential file at {}.\n{} '.format(creds_path, e)) 59 | except ValueError: 60 | sys.exit('There is no active aws credential. 
Please check the credential file at {}'.format(creds_path)) 61 | 62 | def _verify_access_token(self, session): 63 | ''' Verfy if the AWS key is valid ''' 64 | try: 65 | client = session.client('sts') 66 | resp = client.get_caller_identity() 67 | if 'Account' in resp and 'Arn' in resp: 68 | return {'Account':resp['Account'], 'Arn':resp['Arn']} 69 | except (botocore.exceptions.ClientError, botocore.exceptions.NoCredentialsError): 70 | pass 71 | return None 72 | 73 | def _get_next_account(self): 74 | try: 75 | return next(self.acc_cycle) 76 | except StopIteration: 77 | logging.error('Empty account cycle') 78 | return None 79 | 80 | def create_resources(self): 81 | ''' Create AWS resrouces used for checking identities ''' 82 | for acc in self.acc_list: 83 | acc.create_resources() 84 | 85 | def delete_resources(self): 86 | ''' Delete AWS resrouces created by create_resources() ''' 87 | for acc in self.acc_list: 88 | acc.delete_resources() # Number of resources in each service 89 | self.acc_list = list() 90 | self.acc_cycle = cycle(self.acc_list) 91 | 92 | def check_existing_user(self, aws_id, target_user, aws_partition = 'aws'): 93 | ''' Check if the target_role exists in AWS account aws_id ''' 94 | return self._get_next_account().check_existing_user(aws_id, target_user, aws_partition=aws_partition) 95 | 96 | def check_existing_role(self, aws_id, target_role, aws_partition = 'aws'): 97 | ''' Check if the target_role exists in AWS account aws_id ''' 98 | return self._get_next_account().check_existing_role(aws_id, target_role, aws_partition=aws_partition) 99 | 100 | def check_existing_roles(self, aws_id, role_list, aws_partition = 'aws'): 101 | ''' Concurently check a list of roles. ''' 102 | return self._check_existing_identities('role', aws_id, role_list, aws_partition) 103 | 104 | def check_existing_users(self, aws_id, user_list, aws_partition = 'aws'): 105 | ''' Concurently check a list of users. 
''' 106 | return self._check_existing_identities('user', aws_id, user_list, aws_partition) 107 | 108 | def _check_existing_identities(self, id_type, aws_id, id_list, aws_partition = 'aws'): 109 | ''' Concurently check a list of identities. id_type is either user or role ''' 110 | def _check_id(id_name): 111 | ''' Handler function for imap(). ''' 112 | if id_type == 'user': 113 | result = self.check_existing_user(aws_id, id_name, aws_partition=aws_partition) 114 | else : # default to role 115 | result = self.check_existing_role(aws_id, id_name, aws_partition=aws_partition) 116 | return (result, id_name) 117 | 118 | # Total number of resources 119 | thread_count = 0 120 | for _, svc_config in self.acc_config['SERVICES_CONFIG'].items(): 121 | if 'enabled' in svc_config and svc_config['enabled']: 122 | thread_count += svc_config['resource_count'] 123 | thread_count *= len(self.acc_list) 124 | 125 | # print("{} threads are created".format(thread_count)) 126 | pool = ThreadPool(thread_count) 127 | imap_it = pool.imap_unordered(_check_id, id_list) 128 | exist_role_list = list() 129 | for _ in range(len(id_list)): 130 | try: 131 | result_tuple = imap_it.next(3) # wait timeout 132 | if not result_tuple: 133 | continue 134 | if result_tuple[0]: 135 | exist_role_list.append(result_tuple[1]) 136 | except StopIteration: 137 | break 138 | except multiprocessing.TimeoutError: 139 | continue 140 | pool.close() 141 | pool.join() 142 | return exist_role_list 143 | 144 | def check_assumable_role(self, aws_id, role, aws_partition = 'aws'): 145 | return self._get_next_account().check_assumable_role(aws_id, role, aws_partition = aws_partition) 146 | 147 | def check_assumable_roles(self, aws_id, role_list, aws_partition = 'aws'): 148 | ''' Concurently assume a list of roles ''' 149 | def _check_assumable(role): 150 | result = self.check_assumable_role(aws_id, role, aws_partition=aws_partition) 151 | return (result, role) 152 | 153 | thread_count = len(self.acc_list) * 2 # Account# * 2 
154 | pool = ThreadPool(thread_count) 155 | imap_it = pool.imap_unordered(_check_assumable, role_list) 156 | assumable_list = list() 157 | for _ in range(len(role_list)): 158 | try: 159 | result_tuple = imap_it.next(3) 160 | if not result_tuple: 161 | continue 162 | if result_tuple[0]: 163 | assumable_list.append(result_tuple) 164 | 165 | except StopIteration: 166 | break 167 | except multiprocessing.TimeoutError: 168 | continue 169 | pool.close() 170 | pool.join() 171 | return assumable_list 172 | 173 | def precheck(self, target_partition): 174 | ''' Check if there is at least one available resrouce to perform the test ''' 175 | if len(self.acc_list) < 1: 176 | logging.error('There is no available account to perform test') 177 | return False 178 | 179 | is_available = False 180 | empty_acc = list() # Store the account_handler to be removed 181 | for acc_obj in self.acc_list: 182 | # Check if this account is in the same partition as the target account 183 | acc_region = acc_obj.boto3_session.region_name 184 | if acc_region.startswith('us-gov-'): 185 | acc_part = 'aws-us-gov' 186 | elif acc_region.startswith('cn-'): 187 | acc_part = 'aws-cn' 188 | else: 189 | acc_part = 'aws' 190 | 191 | if acc_part.lower().strip() != target_partition.lower().strip(): 192 | logging.warning('Account {} is in different parition as the target account. 
It will not be used to perform test'.format(acc_obj.account_name)) 193 | # remove the account 194 | empty_acc.append(acc_obj) 195 | continue 196 | 197 | # Check if there are available AWS resources in this account to perform the test 198 | if acc_obj.precheck(): 199 | is_available = True 200 | else: 201 | logging.warning('Account {} has no available resource to perform test'.format(acc_obj.account_name)) 202 | # remove the account 203 | empty_acc.append(acc_obj) 204 | 205 | if empty_acc: 206 | for acc_obj in empty_acc: 207 | self.acc_list.remove(acc_obj) 208 | self.acc_cycle = cycle(self.acc_list) 209 | return is_available 210 | 211 | -------------------------------------------------------------------------------- /iamfinder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import sys 4 | import re 5 | import argparse 6 | import json 7 | import signal 8 | import logging 9 | import requests 10 | from multi_accounts_handler import MultiAccountsHandler 11 | 12 | 13 | BANNER = ''' 14 | _____ __ __ ______ _ _ 15 | |_ _| /\ | \/ | ____(_) | | 16 | | | / \ | \ / | |__ _ _ __ __| | ___ _ __ 17 | | | / /\ \ | |\/| | __| | | '_ \ / _` |/ _ \ '__| 18 | _| |_ / ____ \| | | | | | | | | | (_| | __/ | 19 | |_____/_/ \_\_| |_|_| |_|_| |_|\__,_|\___|_| 20 | ''' 21 | config_path = './config_dir/config.json' 22 | 23 | def enum_ids(target_account, id_type, id_file_path, aws_partition = 'aws'): 24 | ''' Enumerate users in the target_account ''' 25 | if not aws_scan.precheck(aws_partition): 26 | sys.exit('Please run --init command first to create necessary resources for testing') 27 | 28 | id_list = _get_id_list(id_file_path) 29 | logging.info('Starting to enumerate {} {} against AWS account {} ...'.format(len(id_list), id_type, target_account)) 30 | if id_type == 'user': 31 | return aws_scan.check_existing_users(target_account, id_list) 32 | elif id_type == 'role': 33 | return 
aws_scan.check_existing_roles(target_account, id_list) 34 | else: 35 | logging.error('unsupported identity type') 36 | 37 | def assume_roles(target_account, role_file_path, aws_partition = 'aws'): 38 | ''' Assume roles in the target_account ''' 39 | role_list = _get_id_list(role_file_path) 40 | logging.info('Attempting to assume {} roles in AWS account {} ...'.format(len(role_list), target_account)) 41 | return aws_scan.check_assumable_roles(target_account, role_list) 42 | 43 | def enum_assume_roles(target_account, aws_partition = 'aws'): 44 | ''' Enumerate a list of roles and attempt to assume the existing roles ''' 45 | existing_roles = enum_ids(target_account, 'role', scanner_config['ROLENAMES_FILE_PATH'], aws_partition=aws_partition) 46 | return aws_scan.check_assumable_roles(target_account, existing_roles, aws_partition=aws_partition) 47 | 48 | def _get_id_list(file_path): 49 | ''' Read ids stored in the text file and return as as list ''' 50 | if not (os.path.exists(file_path) and os.path.isfile(file_path)): 51 | sys.exit('Identity file does not exist. Please check the file path') 52 | 53 | ids = list() 54 | with open(file_path) as fp: 55 | for _, line in enumerate(fp): 56 | ids.append(line.strip()) 57 | return ids 58 | 59 | def validAWSPartition(aws_partition): 60 | ''' Check if the AWS partition name is valid ''' 61 | if not aws_partition in {'aws', 'aws-cn', 'aws-us-gov'}: 62 | logging.error('{} is not a valid aws partition'.format(aws_partition)) 63 | return False 64 | return True 65 | 66 | def validAWSId(aws_id, aws_partition = 'aws'): 67 | ''' Check if aws_id is a valid aws ID in aws_partition. Expected input is a string of 12 digits ''' 68 | awsid_re = re.compile(r'\d{12}') 69 | if not awsid_re.match(aws_id.strip()): 70 | logging.error('AWS ID must be 12 digits. 
{} is not valid format.'.format(aws_id)) 71 | return False 72 | 73 | if not validAWSPartition(aws_partition): 74 | return False 75 | 76 | if aws_partition == 'aws': 77 | testURL = 'https://{}.signin.aws.amazon.com/console/'.format(aws_id) 78 | elif aws_partition == 'aws-us-gov': 79 | testURL = 'https://{}.signin.amazonaws-us-gov.com/console/'.format(aws_id) 80 | elif aws_partition == 'aws-cn': 81 | testURL = 'https://{}.signin.amazonaws.cn/console/'.format(aws_id) 82 | 83 | try: 84 | resp = requests.request(url=testURL, method='GET') 85 | if resp.status_code == 200: 86 | return True 87 | else: 88 | logging.error('AWS ID {} does not exist in partiion {}.'.format(aws_id, aws_partition)) 89 | return False 90 | except requests.RequestException as err: 91 | logging.error(err) 92 | return False 93 | 94 | def load_config(): 95 | ''' Read the json config file ''' 96 | global scanner_config 97 | if not (os.path.exists(config_path) and os.path.isfile(config_path)): 98 | sys.exit('Config file does not exist. Please add a config file to {}'.format(config_path)) 99 | with open(config_path, newline='', encoding='utf-8') as fhand: 100 | try: 101 | scanner_config = json.load(fhand) 102 | except json.decoder.JSONDecodeError as e: 103 | sys.exit('Fail to load config file. Please check the config file at {}.\n{} '.format(config_path, e)) 104 | 105 | def parseArgs(): 106 | load_config() 107 | 108 | def _add_common_args(parser, file_path=None): 109 | if file_path: 110 | parser.add_argument('--file_path', default=file_path, help='Specify the file containing a list identities.') 111 | parser.add_argument('--aws_id', help='Specify the 12 digits aws account ID of the target.') 112 | parser.add_argument('--aws_part', default='aws', help='Specify partition of the AWS account. 
Must be either aws, aws-cn, or aws-us-gov') 113 | 114 | def _check_common_args(args): 115 | if not args.aws_id: 116 | sys.exit('Pleaase provide --aws_id') 117 | if not validAWSId(args.aws_id, aws_partition=args.aws_part): 118 | sys.exit('Please address the issues and restart') 119 | 120 | def _display_enum_id_result(id_type, result): 121 | if result: 122 | logging.info('Found {} {} in account {}'.format(len(result), id_type, args.aws_id)) 123 | for r in result: 124 | logging.info(r) 125 | else: 126 | logging.info('IAMFinder did not find any {} 😔'.format(id_type)) 127 | 128 | def _display_assu_role_result(result): 129 | if result: 130 | logging.info('Successfully assume {} roles in account {}\n'.format(len(result), args.aws_id)) 131 | for r in result: 132 | r = r[0] 133 | logging.info('Role ARN:{}'.format(r['AssumedRoleUser']['Arn'])) 134 | logging.info('AccessKeyId: {}\nSecretAccessKey: {}\nSessionToken: {}\n\n'.format( 135 | r['Credentials']['AccessKeyId'],r['Credentials']['SecretAccessKey'],r['Credentials']['SessionToken'] 136 | )) 137 | else: 138 | logging.info('IAMFinder could not successfully assume any role 😔') 139 | 140 | # Add commands and arguments 141 | parser = argparse.ArgumentParser(description='IAMFinder checks for existing users and IAM roles in an AWS account') 142 | subparser = parser.add_subparsers( 143 | title='Command', 144 | description='The action to perform', 145 | dest='sub_cmd', 146 | help='Enter a command to execute' 147 | ) 148 | subparser.add_parser('init', help='Create aws resoruces necessary for IAMFinder') 149 | 150 | subparser.add_parser('cleanup', help='Remove aws resoruces created by the init command') 151 | 152 | er_parser = subparser.add_parser('enum_role', help='Check if any role in the role file (default: ./config_dir/rolelist.txt) exists in the target account. Required argument: --aws_id. Optional arguments: --file_path, --aws_part, --assume. 
If --assume is specified, the scanner will attempt to assume the identified roles' ) 153 | _add_common_args(er_parser, file_path=scanner_config['ROLENAMES_FILE_PATH']) 154 | er_parser.add_argument('--assume', action='store_true', help='If specified, IAMFinder will attempt to assume the identified roles.') 155 | 156 | # https://github.com/danielmiessler/SecLists/tree/master/Usernames 157 | eu_parser = subparser.add_parser('enum_user', help='Check if any user in the user file (default: ./config_dir/userlist.txt) exists in the target account. Required argument: --aws_id. Optional arguments: --file_path, --aws_part' ) 158 | _add_common_args(eu_parser, file_path=scanner_config['USERNAMES_FILE_PATH']) 159 | 160 | ar_parser = subparser.add_parser('assu_role', help='Check if any role in the role file (default: ./config_dir/rolelist.txt) can be assumed. Required argument: --aws_id. Optional arguments: --file_path, --aws_part.') 161 | _add_common_args(ar_parser, file_path=scanner_config['ROLENAMES_FILE_PATH']) 162 | 163 | ca_parser = subparser.add_parser('check_awsid', help='Check if an AWS ID is valid and exist. Required argument: --aws_id. Optional arguments: --aws_part') 164 | _add_common_args(ca_parser) 165 | 166 | # subparser.add_parser('test', help='For testing purpose') 167 | args = parser.parse_args() 168 | 169 | # Handle commands and arguments 170 | if args.sub_cmd == 'check_awsid': 171 | # This is a special command that doesn't need aws_scan object. 
172 | _check_common_args(args) 173 | logging.info('{} is a valid and confirmed AWS ID in partition {}'.format(args.aws_id, args.aws_part)) 174 | return 175 | 176 | global aws_scan 177 | aws_scan = MultiAccountsHandler(scanner_config) 178 | 179 | if args.sub_cmd == 'init': 180 | logging.info(BANNER) 181 | aws_scan.create_resources() 182 | elif args.sub_cmd == 'cleanup': 183 | logging.info(BANNER) 184 | aws_scan.delete_resources() 185 | elif args.sub_cmd == 'enum_user': 186 | _check_common_args(args) 187 | result = enum_ids(args.aws_id, 'user', args.file_path, aws_partition=args.aws_part) 188 | _display_enum_id_result('user', result) 189 | elif args.sub_cmd == 'enum_role': 190 | _check_common_args(args) 191 | result = enum_ids(args.aws_id, 'role', args.file_path, aws_partition=args.aws_part) 192 | _display_enum_id_result('role', result) 193 | if args.assume: 194 | logging.info('\nAttempting to assume the identified roles ...') 195 | result = assume_roles(args.aws_id, args.file_path) 196 | _display_assu_role_result(result) 197 | elif args.sub_cmd == 'assu_role': 198 | _check_common_args(args) 199 | result = assume_roles(args.aws_id, args.file_path) 200 | _display_assu_role_result(result) 201 | elif args.sub_cmd == 'test': 202 | pass 203 | 204 | def _signal_handler(sig, frame): 205 | ''' Interrupt signal handler ''' 206 | sys.exit('\nInterrupt signal received. 
Exit IAMFinder ...') 207 | 208 | signal.signal(signal.SIGINT, _signal_handler) 209 | 210 | def main(): 211 | logging.config.dictConfig({ 212 | 'version': 1, 213 | 'disable_existing_loggers': True, 214 | }) 215 | logging.basicConfig(level=logging.INFO, format='%(module)s: %(message)s') 216 | 217 | parseArgs() 218 | 219 | if __name__ == '__main__': 220 | ''' 221 | Executed only when the script is directly called from python, i.e., not imported as a module 222 | ''' 223 | main() -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | _____ __ __ ______ _ _ 3 | |_ _| /\ | \/ | ____(_) | | 4 | | | / \ | \ / | |__ _ _ __ __| | ___ _ __ 5 | | | / /\ \ | |\/| | __| | | '_ \ / _` |/ _ \ '__| 6 | _| |_ / ____ \| | | | | | | | | | (_| | __/ | 7 | |_____/_/ \_\_| |_|_| |_|_| |_|\__,_|\___|_| 8 | ``` 9 | # IAMFinder 10 | IAMFinder enumerates and finds users and IAM roles in a target AWS account. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment. Upon successfully identifying an IAM role, IAMFinder can also check if this role can be [assumed anonymously](https://aws.amazon.com/premiumsupport/knowledge-center/s3-object-change-anonymous-ownership/). The tool was developed during a [red team exercise](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research) and it implemented the technique described in this [blog](https://unit42.paloaltonetworks.com/aws-resource-based-policy-apis/). Some features of IAMFinder include: 11 | 12 | + **Silent**. IAMFinder doesn't trigger any alert or leave any log at the target account. Because the enumeration is performed in your accounts, the logs only show up in your accounts. However, the target account will notice if IAMFinder attempts to assume roles. 13 | + **High enumeration rate**. 
IAMFinder can achieve a higher enumeration rate by: 14 | + Concurrently invoking APIs of multiple AWS services (e.g., S3, KMS and IAM) in the account used to perform the test. 15 | + Concurrently using multiple AWS accounts to perform the test. 16 | + **Modularized and extensible**. One can implement and integrate additional AWS APIs described in our previous [blog](https://unit42.paloaltonetworks.com/aws-resource-based-policy-apis/) on information leakage. 17 | + **Cross-partitions**. IAMFinder has been tested in all three [AWS partitions](https://docs.amazonaws.cn/en_us/general/latest/gr/aws-arns-and-namespaces.html), AWS Standard (aws), AWS GovCloud U.S. (aws-us-gov), and AWS China (aws-cn). 18 | + **Zero cost**. The resources that IAMFinder creates in each service don’t have actual workloads and should not incur any costs. 19 | 20 | IAMFinder's performance evaluation can be found in this [blog](https://unit42.paloaltonetworks.com/iamfinder/). 21 | # Prerequisites 22 | IAMFinder is built with Python 3 and [AWS Boto3 SDK](https://aws.amazon.com/sdk-for-python/). An active AWS account and a Python 3.5+ interpreter are needed to run the tool. 23 | 24 | + [Create an AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/) 25 | + [Python3](https://www.python.org/downloads/) 26 | + [Python package manager](https://pip.pypa.io/en/stable/installing/) 27 | 28 | ## AWS credentials 29 | IAMFinder needs an [access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) or a [security token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) to invoke AWS APIs programmatically. The users or roles that IAMFinder uses need to have the necessary [permissions](#permissions) to call a set of AWS APIs. 
30 | 31 | + [Create an IAM user access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) 32 | + [Obtain a security token through AssumeRole](https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/) 33 | 34 | ## Permissions 35 | The required permissions depend on the AWS services that IAMFinder uses. IAMFinder can work with one or multiple AWS services. Using multiple services concurrently can achieve a higher enumeration rate because AWS API gateway enforces a rate-limit on each API. IAMFinder currently implements the APIs for four AWS services, IAM, S3, SQS, and KMS. These services can be enabled or disabled in the [config.json](https://github.com/prisma-cloud/IAMFinder/blob/main/config_dir/config.json) file. [AWS_Policy.json](https://github.com/prisma-cloud/IAMFinder/blob/main/AWS_Policy.json) contains the minimal set of permissions needed to use all four services. The exact permissions required for each service are as follows: 36 | 37 | #### `S3` 38 | ```bash 39 | "s3:PutBucketPublicAccessBlock" 40 | "s3:CreateBucket" 41 | "s3:ListAllMyBuckets" 42 | "s3:PutBucketPolicy" 43 | "s3:GetBucketLocation" 44 | "s3:DeleteBucket" 45 | ``` 46 | 47 | #### `KMS` 48 | ```bash 49 | "kms:PutKeyPolicy" 50 | "kms:GetKeyPolicy" 51 | "kms:DisableKey" 52 | "kms:ListKeys" 53 | "kms:ScheduleKeyDeletion" 54 | "kms:ListAliases" 55 | "kms:CreateAlias" 56 | "kms:CreateKey" 57 | ``` 58 | 59 | #### `SQS` 60 | ```bash 61 | "sqs:ListQueues" 62 | "sqs:DeleteQueue" 63 | "sqs:CreateQueue" 64 | "sqs:SetQueueAttributes" 65 | ``` 66 | 67 | #### `IAM` 68 | ```json 69 | "iam:UpdateAssumeRolePolicy" 70 | "iam:ListRoles" 71 | "iam:CreateRole" 72 | "iam:DeleteRole" 73 | ``` 74 | 75 | Note that when more AWS services described in the [blog](https://unit42.paloaltonetworks.com/aws-resource-based-policy-apis/) are integrated, the permissions policy will be updated. 
76 | 77 | + [Create an IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) 78 | + [Create an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) 79 | + [Create an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) 80 | 81 | 82 | # Installation 83 | IAMFinder has only two dependent libraries, [boto3](https://pypi.org/project/boto3/) and [requests](https://pypi.org/project/requests/). It is straightforward to run in any platform and environment. We also provide a Dockerfile for users who prefer to run it inside a container. 84 | 85 | ### Install on a host: 86 | ```bash 87 | git clone https://github.com/prisma-cloud/IAMFinder.git 88 | cd IAMFinder 89 | pip3 install -r requirements.txt 90 | ``` 91 | 92 | ### Build a Docker image 93 | ```bash 94 | git clone https://github.com/prisma-cloud/IAMFinder.git 95 | cd IAMFinder 96 | docker build -t iamfinder . 97 | ``` 98 | 99 | # Configuration 100 | IAMFinder needs a configuration file ([config_dir/config.json](https://github.com/prisma-cloud/IAMFinder/blob/main/config_dir/config.json)) and a credential file ([config_dir/creds.json](https://github.com/prisma-cloud/IAMFinder/blob/main/config_dir/creds.json)) to start. 
101 | 102 | `config.json` 103 | ```json 104 | { 105 | "CREDS_PATH": "./config_dir/creds.json", 106 | "ROLENAMES_FILE_PATH": "./config_dir/rolelist.txt", 107 | "USERNAMES_FILE_PATH": "./config_dir/userlist.txt", 108 | "SERVICES_CONFIG":{ 109 | "s3":{ 110 | "enabled": true, 111 | "resource_type":"s3", 112 | "resource_prefix":"iamcheckers3", 113 | "resource_count":3 114 | }, 115 | "kms":{ 116 | "enabled": true, 117 | "resource_type":"kms", 118 | "resource_prefix":"iamcheckerkms", 119 | "resource_count":3 120 | }, 121 | "sqs":{ 122 | "enabled": true, 123 | "resource_type":"sqs", 124 | "resource_prefix":"iamcheckersqs", 125 | "resource_count":2 126 | }, 127 | "iam":{ 128 | "enabled": true, 129 | "resource_type":"iam", 130 | "resource_prefix":"iamcheckeriam", 131 | "resource_count":2 132 | } 133 | } 134 | } 135 | ``` 136 | Each AWS service can be individually configured in `config.json`. One can enable or disable a service by toggling the "enabled" field. The "resource_prefix" is an identifier used for naming and locating the resources created in AWS accounts. It should not be changed after the resources have been created with the `init` command. 137 | 138 | `creds.json` 139 | ```json 140 | { 141 | "account1": { 142 | "Region": "us-west-1", 143 | "Active": true, 144 | "AccessKeyId": "", 145 | "SecretAccessKey": "" 146 | }, 147 | "account2": { 148 | "Region": "us-east-1", 149 | "Active": false, 150 | "AccessKeyId": "", 151 | "SecretAccessKey": "" 152 | }, 153 | "account3": { 154 | "Region": "us-east-2", 155 | "Active": true, 156 | "AccessKeyId": "", 157 | "SecretAccessKey": "", 158 | "SessionToken": "" 159 | } 160 | } 161 | ``` 162 | IAMFinder can use multiple AWS accounts to enumerate identities concurrently. Due to the rate-limit on AWS API gateway, using multiple AWS accounts is the most effective way to boost enumeration rate. Each account can be enabled or disabled by toggling the "Active" field in `creds.json`. 
Either a user's [access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) or [security token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) can be provided for each account. 163 | 164 | # Usage 165 | ``` 166 | usage: iamfinder.py [-h] 167 | {init,cleanup,enum_role,enum_user,assu_role,check_awsid} 168 | ... 169 | 170 | IAMFinder checks for existing users and IAM roles in an AWS account 171 | 172 | optional arguments: 173 | -h, --help show this help message and exit 174 | 175 | subcommand: 176 | The subcommand to execute 177 | 178 | {init,cleanup,enum_role,enum_user,assu_role,check_awsid} 179 | Enter a command to execute 180 | init Create aws resoruces necessary for IAMFinder 181 | cleanup Remove aws resoruces created by the init command 182 | enum_role Check if any role in the role file (default: 183 | ./config_dir/rolelist.txt) exists in the target 184 | account. Required argument: --aws_id. Optional 185 | arguments: --file_path, --aws_part, --assume. If 186 | --assume is specified, the scanner will attempt to 187 | assume the identified roles 188 | enum_user Check if any user in the user file (default: 189 | ./config_dir/userlist.txt) exists in the target 190 | account. Required argument: --aws_id. Optional 191 | arguments: --file_path, --aws_part 192 | assu_role Check if any role in the role file (default: 193 | ./config_dir/rolelist.txt) can be assumed. Required 194 | argument: --aws_id. Optional arguments: --file_path, 195 | --aws_part. 196 | check_awsid Check if an AWS ID is valid and exist. Required 197 | argument: --aws_id. Optional arguments: --aws_part 198 | ``` 199 | 200 | ## Initialization 201 | `init` command creates necessary AWS resources for IAMFinder to perform the test. `init` only needs to be run once. 
202 | ```bash 203 | python3 iamfinder.py init 204 | ``` 205 | 206 | ## Enumerate Identities 207 | Enumerate users in AWS account 123456789012 using the default wordlist `./config_dir/userlist.txt`. 208 | ```bash 209 | python3 iamfinder.py enum_user --aws_id 123456789012 210 | ``` 211 | 212 | Enumerate IAM roles in AWS account 123456789012 using the wordlist `myrolelist.txt`. 213 | ```bash 214 | python3 iamfinder.py enum_role --aws_id 987654321098 --file_path ./config_dir/myrolelist.txt 215 | ``` 216 | 217 | Enumerate IAM roles in aws-us-gov account 987654321098. Note that you need an aws-us-gov account in order to enumerate an aws-us-gov target. The same applies to aws-cn. 218 | ```bash 219 | python3 iamfinder.py enum_role --aws_id 987654321098 --aws_part aws-us-gov 220 | ``` 221 | 222 | Check if 135792468100 is a valid account in the aws-cn partition. `check_awsid` can be performed without an active AWS account and without the `init` process. 223 | ```bash 224 | python3 iamfinder.py check_awsid --aws_id 135792468100 --aws_part aws-cn 225 | ``` 226 | 227 | Delete all the AWS resources created by the `init` command. 228 | ```bash 229 | python3 iamfinder.py cleanup 230 | ``` 231 | 232 | ## Run in Docker 233 | 234 | Place the config and credential files in config_dir and mount this directory to the container. 
235 | ``` 236 | docker run --rm -it -v [absolute path to config_dir]:/home/iamuser/config_dir/ iamfinder [command] 237 | ``` 238 | Examples: 239 | ```bash 240 | docker run --rm -it -v /home/user0/projects/IAMFinder/:/home/iamuser/config_dir/ iamfinder init 241 | 242 | docker run --rm -it -v /home/user0/projects/IAMFinder/:/home/iamuser/config_dir/ iamfinder enum_user --aws_id 123456789012 243 | ``` 244 | -------------------------------------------------------------------------------- /config_dir/rolelist.txt: -------------------------------------------------------------------------------- 1 | AWSLambdaBasicExecutionRole 2 | amplify 3 | service 4 | aws 5 | AmazonEC2ContainerServiceforEC2Role 6 | AmazonECSTaskExecutionRolePolicy 7 | lambda 8 | lambdaexecutionrole 9 | AmazonEC2RoleforSSM 10 | ecsTaskExecutionRole 11 | lambda_basic_execution 12 | AWSLambdaVPCAccessExecutionRole 13 | role 14 | AmazonEC2ContainerServiceRole 15 | iamrolelambdaexecution 16 | AWSCodeDeployRole 17 | unauthrole 18 | authrole 19 | AWSBatchServiceRole 20 | my 21 | AWSLambdaENIManagementAccess 22 | AmazonAPIGatewayPushToCloudWatchLogs 23 | dwhRole 24 | elb 25 | test 26 | ecs 27 | OrganizationAccountAccessRole 28 | terraform 29 | node 30 | autoscaling 31 | AmazonSageMaker 32 | AWSConfigRole 33 | AmazonRDSEnhancedMonitoringRole 34 | iam_for_lambda 35 | admin 36 | master 37 | ecsInstanceRole 38 | eks 39 | AWSGlueServiceRole 40 | S3Access 41 | AWSLambdaRole 42 | eksctl 43 | internal 44 | config 45 | codebuild 46 | AWS 47 | JenkinsPrimerAccess 48 | AmazonEC2ContainerServiceAutoscaleRole 49 | lambda_role 50 | iamrolelambda 51 | AmazonElasticMapReduceforEC2Role 52 | AWSElasticBeanstalkEnhancedHealth 53 | myRedshiftRole 54 | AmazonElasticMapReduceRole 55 | instancerole 56 | Admin 57 | AmazonEC2SpotFleetRole 58 | AmazonEC2RoleforAWSCodeDeploy 59 | AWSElasticBeanstalkService 60 | AmazonEC2SpotFleetTaggingRole 61 | rds 62 | cross 63 | CodeDeployServiceRole 64 | default 65 | dev 66 | lambdarole 67 | 
lambda_exec_role 68 | example 69 | codepipeline_role 70 | ecs_instance_role 71 | ec2role 72 | ecs_service_role 73 | AWSLambdaDynamoDBExecutionRole 74 | pre 75 | instance_role 76 | AmazonSSMAutomationRole 77 | ec2 78 | ecs-service-role 79 | s3_access_role 80 | ecs_role 81 | ecsServiceRole 82 | s3 83 | MyRole 84 | ecs-instance-role 85 | AWSLambdaKinesisExecutionRole 86 | demo 87 | bastion 88 | ecsservicerole 89 | demo-node 90 | cyril 91 | test_role 92 | codebuild_role 93 | app 94 | ROLE_NAME 95 | demo 96 | main 97 | codedeployservicerole 98 | ecsAutoscaleRole 99 | ecs_service 100 | iamrole 101 | myrole 102 | AuroraAccessRole 103 | updateroleswithidpfunctionrole 104 | iam_role 105 | nodes 106 | this 107 | Lambda 108 | AWSCloudFormationStackSetExecutionRole 109 | platform 110 | AWSConfigRulesExecutionRole 111 | user 112 | UdacityFlaskDeployCBKubectlRole 113 | redshift 114 | role1 115 | apigAwsProxyRole 116 | serverless 117 | cluster 118 | 99c68cd1 119 | AWSCodeDeployRoleForLambda 120 | rootrole 121 | AWSCodePipelineServiceRole 122 | terraform-eks-demo-node 123 | AWSLambdaSQSQueueExecutionRole 124 | spot 125 | AutoScalingNotificationAccessRole 126 | demo-cluster 127 | ecs_task_execution_role 128 | lambda_exec 129 | k8s 130 | AWSServiceRoleForConfig 131 | WfmProducerRole 132 | api 133 | codepipeline 134 | AWSBackupServiceRolePolicyForBackup 135 | EMR_EC2_DefaultRole 136 | someRole 137 | AmazonEC2ContainerServiceEventsRole 138 | lambda_dynamo 139 | Administrator 140 | UploadPulumiReleases 141 | codedeployec2servicerole 142 | i 143 | CodeDeployEC2ServiceRole 144 | ci 145 | ecs_execution_role 146 | ecs_instance 147 | ec2_role 148 | cloudformation 149 | gcdt 150 | servicerole 151 | ssm 152 | LambdaRole 153 | AmazonSSMMaintenanceWindowRole 154 | AWS_Events_Invoke_Targets 155 | RoleName 156 | cloudwatch 157 | AmazonElasticMapReduceforAutoScalingRole 158 | custodian 159 | tf 160 | some 161 | AmazonDMSVPCManagementRole 162 | jenkins 163 | ecsEventsRole 164 | DeploymentRole 165 | 
myapp 166 | CloudTrail_CloudWatchLogs_Role 167 | kubernetes 168 | foo 169 | events 170 | RedshiftCopyUnload 171 | dynamodb 172 | StatesExecutionRole 173 | terraform-eks-demo-cluster 174 | ROLE 175 | roleName 176 | for 177 | firehose_delivery_role 178 | AWSControlTowerExecution 179 | AWSConfigRoleForOrganizations 180 | app_instance 181 | codedeploytrustrole 182 | EKS 183 | rolename 184 | developer 185 | AWSGreengrassResourceAccessRolePolicy 186 | MyRedshiftRole 187 | policy 188 | instance 189 | CodeCommitReview 190 | sra 191 | LambdaExecutionRole 192 | ecsTaskRole 193 | role_name 194 | Test 195 | codebuildrole 196 | io 197 | XA 198 | codepipelinerole 199 | AmazonDMSCloudWatchLogsRole 200 | allow 201 | hello 202 | autoscalingrole 203 | lambda_s3_exec_role 204 | codebuild-role 205 | ZappaLambdaExecution 206 | prod 207 | emaccess 208 | worker 209 | sagemaker 210 | serverless_example_lambda 211 | MyFunction 212 | Role 213 | ec2instancerole 214 | CloudCustodian 215 | iam 216 | ECSTASKS 217 | apigatewaycloudwatchlogsrole 218 | AmazonPersonalizeFullAccess 219 | ecs_autoscale_role 220 | testRole 221 | eksServiceRole 222 | AutomationServiceRole 223 | Redshift 224 | appsync 225 | Cognito_edisonDemoKinesisUnauth_Role 226 | CloudFormationRole 227 | KubernetesAdmin 228 | S3Access 229 | noteswithamplify 230 | myRole 231 | Elastic_Transcoder_Default_Role 232 | PulumiUploadRelease 233 | AWSAppSyncPushToCloudWatchLogs 234 | storage 235 | guardduty 236 | codepipeline-role 237 | kinesis 238 | aviatrix 239 | code 240 | DummyRole 241 | concourse 242 | WDPRPCM 243 | MyLambdaRole 244 | SageMakerRole 245 | eks-cluster 246 | ecs_task_role 247 | elasticloadbalancing 248 | ops 249 | ReadOnly 250 | eks-node 251 | opsworksservicerole 252 | lambdafunctionrole 253 | operator 254 | lambda_function 255 | CloudCustodianRole 256 | cc116_lambda 257 | basic 258 | task_role 259 | administrator 260 | Lemur 261 | ecs_host_role 262 | APIGatewayLambdaExecRole 263 | ls1lyg7 264 | EMR_DefaultRole 265 | 
componentrole 266 | codedeploy 267 | workers 268 | experience 269 | readonly 270 | SomeRole 271 | iot 272 | AmazonDMSRedshiftS3Role 273 | lambda_role_ 274 | webserverrole 275 | 7f 276 | LaunchRole 277 | ServiceCatalogEndusers 278 | elasticbeanstalk 279 | spotfleet 280 | spinnakerManaged 281 | foobar 282 | lambda_dataflow 283 | your 284 | task 285 | AWSIoTLogging 286 | mynewrole 287 | blockcert 288 | xaccounts3access 289 | es 290 | apex 291 | master_role 292 | AdminRole 293 | firehose_role 294 | NeptuneAccessRole 295 | roleToAssume 296 | infra 297 | name 298 | execution_role 299 | CodeStarWorker 300 | AWSDataPipelineRole 301 | web 302 | AWSIoTThingsRegistration 303 | opsworksinstancerole 304 | Developer 305 | alexa 306 | CodeBuildServiceRole 307 | us 308 | testLEBRole 309 | data 310 | aws_eks_cluster_role 311 | devel 312 | lambda-role 313 | AWSCloudFormationStackSetAdministrationRole 314 | worker_role 315 | sample 316 | CostManagement 317 | pipeline 318 | FederatedWebIdentityRole 319 | AWSBackupDefaultServiceRole 320 | AmazonEC2RoleforDataPipelineRole 321 | ec2_iam_role 322 | workflow 323 | Terraform 324 | read 325 | MaintenanceWindowsRole 326 | ADFS 327 | codepipelinelambdarole 328 | AmazonEC2SpotFleetAutoscaleRole 329 | apigateway 330 | acct 331 | EC2 332 | AWSDeepRacerRoboMakerAccessRole 333 | pywren_exec_role_1 334 | apex_lambda_function 335 | support 336 | build 337 | bastion_role 338 | src 339 | Accounting 340 | ec2-role 341 | ca 342 | iam_role_for_lambda 343 | executionrole 344 | API2LambdaExecRole 345 | iamroleapigateway 346 | IAM_ROLE_NAME 347 | external 348 | Custodian 349 | AccessRole 350 | s3_role 351 | ecs-ec2-role 352 | lex 353 | CodePipelineServiceRole 354 | s3_access 355 | opg 356 | blog 357 | soprasteria/remote 358 | ask 359 | my_role 360 | TeamRole 361 | elasticsearch 362 | iam_emr_profile_role 363 | ingestion 364 | AzureCostManagementRole 365 | catalogue 366 | instance-role 367 | bedrock 368 | aws_batch_service_role 369 | lambda_VPC 370 | 
execution 371 | micros 372 | cloud 373 | mylambdarole 374 | cloud9 375 | tester 376 | todo 377 | jenkinsrole 378 | slackGoogleRole 379 | CodeDeploy 380 | KubernetesNode 381 | WDPR 382 | DL 383 | photoalbums 384 | iam_emr_service_role 385 | ansible_lambda_role 386 | fn 387 | AWS_Lambda_ 388 | helloworld 389 | SB 390 | client 391 | AWSDataLifecycleManagerDefaultRole 392 | assume 393 | lambda_execution_role 394 | codebuild_assume_role 395 | eksworkshop 396 | s3-mybucket-role 397 | FederatedWebIdentityRole 398 | lambda_xyz 399 | TestRole 400 | firehose 401 | MythicalMysfitsServiceCodeBuildServiceRole 402 | sts 403 | react 404 | ansible 405 | elasticache 406 | AWSShieldDRTAccessPolicy 407 | AWSGlueServiceNotebookRole 408 | DataPipelineDefaultResourceRole 409 | photo 410 | devops 411 | asd 412 | ecsinstancerole 413 | ecs_task 414 | TeamRole/MasterKey 415 | admingrouprole 416 | cfnrole 417 | AmazonComprehendServiceRole 418 | ServiceRole 419 | something 420 | lambdaRole 421 | inspector 422 | IAM 423 | CodeCommitReview 424 | ROLENAME 425 | CodeDeployDemo 426 | masters 427 | DataPipelineDefaultRole 428 | S3 429 | api_gateway_cloudwatch_global 430 | JenkinsLambdaRole 431 | invmaestrosimporterrole 432 | parallelcluster 433 | enhanced_monitoring 434 | SampleRole 435 | LambdaFullAccess 436 | cfn 437 | FullAccess 438 | AWSControlTowerStackSetRole 439 | resource 440 | CrossAccountRole 441 | digitisation 442 | ComprehendMedicalBatchProcessingRole 443 | ecr 444 | jenkins_role 445 | xxxx 446 | AWSElasticBeanstalk 447 | adminrole 448 | testing 449 | invwritersuggestrole 450 | testrole 451 | IoTEventsRole 452 | codebuildservicerole 453 | ecs_task_iam_role 454 | JobFlowRole 455 | MyRoleName 456 | XXX 457 | the 458 | alexaskillfuncrole 459 | EcsService 460 | deployment 461 | ecs_task_execution 462 | MediaConvertRole 463 | LandingZoneDeploymentLambdaRole 464 | bar 465 | c7n 466 | automation 467 | deploy 468 | kube 469 | lambda_iam 470 | pipelinerole 471 | packer 472 | AwsConfigRecorder 
473 | YourIamRole 474 | basic_lambda_role 475 | irrelevant 476 | invdaysummarysales 477 | monitoring 478 | enterpriselogaccessiamrole 479 | vault 480 | invsaleswriterrole 481 | invsalesdecompose 482 | invsalesretrynotifier 483 | flow 484 | project 485 | Auditors 486 | frontend 487 | role 488 | ecsinstancepolicy 489 | QA 490 | alb 491 | tx_lambda_function 492 | auth 493 | adf 494 | ecsrole 495 | servicecatalog 496 | DV 497 | ebs 498 | ecs_iam_role 499 | replication 500 | LambdaServiceRole 501 | somerole 502 | MythicalMysfitsServiceCodePipelineServiceRole 503 | tectonic 504 | TSI_Base_FullAccess 505 | fh 506 | amplifyreactapp 507 | k8sDev 508 | k8sInteg 509 | tf-ecs-example-instance-role 510 | s3access 511 | vmimport 512 | iam_for_exec_lambda 513 | ExampleRole 514 | TerraformRole 515 | testWeek4 516 | google 517 | AnsibleTestRole 518 | dest 519 | AWSIoTRuleActions 520 | lambda_iam_role 521 | role2 522 | ECS 523 | CWLtoKinesisRole 524 | flowlogsRole 525 | YOUR_ROLE_NAME 526 | OrganizationAccountAccess 527 | redshift_s3_role 528 | soprasteria/iac 529 | s3deletebucketsrole 530 | k8sAdmin 531 | nodeinstancerole 532 | lambdaFunction 533 | BATCH 534 | www 535 | csr 536 | account 537 | ecsExecutionRole 538 | Role1 539 | Cognito_DynamoPoolUnauth 540 | udacity 541 | tailor 542 | swf 543 | clusterinstancerole 544 | AUTH_AWS_IAM 545 | implicitapifunctionrole 546 | organizations 547 | Jenkins 548 | deployer 549 | access 550 | a 551 | xxx 552 | service_role 553 | dynamocognito 554 | CliLambdaDeploy 555 | kappa/kappa 556 | cluster-role 557 | consul 558 | LambdaExecute 559 | sam 560 | poweruser 561 | accountname 562 | alexa_lambda_role 563 | get 564 | ecs-task-role 565 | abc 566 | DeveloperRole 567 | DevOps 568 | lambdaiamrole 569 | WebIdentity 570 | TestCognito 571 | MediaLiveAccessRole 572 | asg 573 | a0007 574 | ApplicationAutoScalingForAmazonAppStreamAccess 575 | Cognito_EdisonAppUnauth_Role 576 | greengrass_cfn_ 577 | FullAdmin 578 | Deployer 579 | PD 580 | PowerUser 581 | emr 
582 | cloudtrail 583 | AWSBackupServiceRolePolicyForRestores 584 | KinesisFirehose 585 | media 586 | node-role 587 | MythicalMysfitsCoreStack 588 | Shibboleth 589 | github 590 | human 591 | mySpectrumRole 592 | functionrole 593 | defaultrole 594 | ssmaccessrole 595 | auth0 596 | EMR_EC2_DefaultRolealldev 597 | CodePipelineDeploymentRole 598 | pipeline_role 599 | SaaaS_Cloud 600 | circleci 601 | lambda_invoke_lambda 602 | profile 603 | tf_example_ecs_role 604 | sso 605 | codedeployrole 606 | first 607 | invocation_role 608 | 0 609 | sandbox 610 | amplifyapp 611 | sns 612 | wellcomecollection 613 | lists3bucketsrole 614 | lambda_kinesis_role 615 | iamrolecustomresourceslambdaexecution 616 | C7N 617 | lambda_basic_vpc_execution 618 | TemporaryCredentials 619 | autoscaling_role 620 | cloudformationdeployer 621 | consul-join 622 | slack 623 | CloudCustodianAdminRole 624 | gitlab 625 | BaseIAMRole 626 | event 627 | lambda/cc 628 | lambda/ops 629 | CodeDeployRole 630 | EC2Role 631 | DevSpinnakerManagedRole 632 | AmazonSNSRole 633 | admin_role 634 | lambda_admin_role 635 | cognito 636 | Dynamo 637 | root 638 | controller 639 | authenticated 640 | NodeInstanceRole 641 | SecurityMonkey 642 | dino 643 | EC2AMICreate 644 | SecurityMonkeyInstanceProfile 645 | ec2InstanceRole 646 | codepipelinetrustrole 647 | public 648 | CrossAccountSignin 649 | lambda/sre 650 | ActionRole 651 | kube-master 652 | spinnaker 653 | csoc_adminvm 654 | PayerAccountAccessRole 655 | User 656 | mainfunctionexecutionrole 657 | developers 658 | AccountReviewLambdaAutomationRole 659 | sms 660 | ecs-instance 661 | production 662 | kube-worker 663 | staging 664 | app_role 665 | LambdaFunctionsRole 666 | ecs-task-execution-role 667 | ECSTaskRole 668 | kiam 669 | GFILambda 670 | ebapprole 671 | kafka 672 | Ab2dInstanceRole 673 | mySnsRole 674 | natrole 675 | channels 676 | SNSSuccessFeedback 677 | role_arn 678 | marketingadmin 679 | MYAPP 680 | ecs_task_assume 681 | dms 682 | CodeBuildRole 683 | s3-role 684 | 
glue 685 | chalice 686 | ApiGwLogger 687 | codedeploy_role 688 | CodeStar 689 | AmazonAppStreamServiceAccess 690 | cognitoauthrole 691 | mymplifyroject 692 | eksrole 693 | web_iam_role 694 | MyRoleForThisRule 695 | alexa_skill_role 696 | ECS_PROD_Allow_SSM_Access 697 | default_ecs_role 698 | rds_enhanced_monitoring 699 | ToolsAcctCodePipelineCloudFormationRole 700 | login 701 | ec2_instance_role 702 | EcsTaskExecutionRole 703 | ECS_DEV_Allow_SSM_Access 704 | lemur_role 705 | buildrole 706 | test-role 707 | RedshiftLoadRole 708 | cd 709 | SKAX_lambda_function 710 | LexChannelPolicy 711 | emr_service_role 712 | shareami 713 | cfndeployrole 714 | hwwt6dm 715 | website 716 | AWSBatchJobRole 717 | common 718 | lambda_invoke_function_assume_apigw_role 719 | qa 720 | offcourse 721 | adminRole 722 | webinstancerole 723 | ec2iamrole 724 | handleRequestMethodLambdaRole 725 | ApiGatewayInvokeLambdaRole 726 | beta1 727 | serverrole 728 | ApplicationAutoscalingECSRole 729 | arn 730 | Dev 731 | ecs_events 732 | panther 733 | ECSTaskDefinitionRole 734 | bootstrap 735 | shib 736 | amplifynotetaker 737 | lambda_exec_lambda 738 | ecs_tasks_execution_role 739 | terraform-eks-node 740 | vue 741 | CloudFormationServiceRole 742 | stack 743 | lambda_advanced_execution 744 | a204309 745 | AmazonRDSDirectoryServiceAccess 746 | iam_code_build_role 747 | group 748 | development 749 | amplifynotes 750 | iam_for_app 751 | flow_log_role 752 | DynamoDBAutoscaleRole 753 | VATAdmin 754 | eucalyptus/AccountAdministrator 755 | front 756 | SSM 757 | meeter_dynamo_auto_scaling 758 | reporting 759 | WildRydesLambda 760 | AmazonLexBotPolicy 761 | up93vyv 762 | s3accessrole 763 | AmazonRekognitionServiceRole 764 | snowball 765 | aviatrix-role-app 766 | LambdaExecRole 767 | iaws 768 | amplifytestapp 769 | Processor 770 | infrastructure 771 | cloudcustodian 772 | aviatrix-role-ec2 773 | cljs 774 | redshift_role 775 | elasticbeanstalk-service-role 776 | s3_readonly 777 | firehose_test_role 778 | 
worker-node-role 779 | releases 780 | functionbeat 781 | logrole 782 | approle 783 | StepFunctionsWorkflowExecutionRole 784 | dlm_lifecycle_role 785 | wooo 786 | etcd 787 | learnjs_lambda_exec 788 | AWSOpsWorksRole 789 | serverlessrepo 790 | server 791 | fleet 792 | TextractRole 793 | eks_cluster_role 794 | codeguru 795 | SSMAutomationRole 796 | amplifywebapp 797 | app1 798 | cis 799 | expn 800 | crawsExecution 801 | update_role 802 | task_execution_role 803 | ga 804 | iam_for_terraform_lambda 805 | ptfe 806 | federate 807 | AdministratorRole 808 | dwhadmin 809 | SEOUL 810 | eucalyptus/ResourceAdministrator 811 | UpdateApp 812 | DCEPrincipal 813 | dae_from_support 814 | hkbbk_Lambda_Execution_Role 815 | MaintenanceWindows 816 | unauthenticated 817 | SpekeAccess 818 | spring2017Dynamodb 819 | instancepatchingrole 820 | maintenancewindowrole 821 | madori_lambda_role 822 | unittest_qftuxk_lambda 823 | fms 824 | lambdaMyCouncil 825 | EksWorkshopCodeBuildKubectlRole 826 | AWSCodePipelineRole 827 | batchservicerole 828 | assume_role 829 | RoleNameToAssume 830 | cms 831 | Spinnaker 832 | environment/cookbook 833 | AWSDataLifecycleManagerServiceRole 834 | hc/readrole 835 | lambda-sns-execution-role 836 | datadog 837 | myLambdaRole 838 | node_role 839 | MLOps 840 | sls 841 | CrossRegionReplicationRoleForS3 842 | container_instance_ec2 843 | Rekognition 844 | app-ec2-role 845 | ecstaskrole 846 | lambda_execution 847 | terraform-eks-cluster 848 | mgmt 849 | Alexa 850 | LambdaBasicExecution 851 | eks-cluster-role 852 | OpeAdminRole 853 | ExpandedRole 854 | Prod 855 | web_role 856 | expoamplify 857 | LambdaAutomationRolealldev 858 | path 859 | backend 860 | SCEC2LaunchRole 861 | AWSTransferLoggingAccess 862 | AdministratorAccess 863 | ecs-consul-server-role 864 | roger 865 | airflow 866 | lambdafull 867 | mdg 868 | index 869 | learnjs_cognito_authenticated 870 | cy 871 | image 872 | myRoleName 873 | SuperRole 874 | rol 875 | webserver 876 | releases/latest 877 | user/STS 878 | 
eucalyptus/InfrastructureAdministrator 879 | WebServerIAMRole 880 | apigw01 881 | api_role 882 | api_gateway_auth_invocation 883 | 3 884 | trustedadvisor 885 | ecs-service-role-test 886 | target 887 | checkhosting 888 | RekognitionRole 889 | role3 890 | describehealthrole 891 | invokeLambdaStepFunctionsRole 892 | anotherStepFunctionsRole 893 | csu311role 894 | cli 895 | foobie 896 | capstone 897 | CrossAccountReader 898 | EC2-IAM-Role 899 | ecs_lb_role 900 | amplifyjsapp 901 | emrclusterservicerole 902 | emrclusterinstanceprofilerole 903 | SNPFinderDeploy 904 | Foo 905 | xxxxx 906 | LambdaBasicExecutionRole 907 | PantherCloudFormationStackSetExecutionRole 908 | dms-vpc-role 909 | rds-enhanced-monitoring 910 | NeptuneLoadFromS3 911 | ToolsAcctCodePipelineCodeCommitRole 912 | send 913 | lambda-iam-role 914 | LambdaPhpExample 915 | itsre 916 | k8s-master 917 | lambda_elasticsearch_execution 918 | Cloud_Custodian_Role 919 | PantherAuditRole 920 | lambdaservicerole 921 | configrole 922 | eks_cluster 923 | therole 924 | lambdaexecrole 925 | eks-node-role 926 | lambda_s3 927 | system/jenkins 928 | openvpn 929 | admins 930 | scalingrole 931 | GiantSwarmAdmin 932 | assumed 933 | ecs-service 934 | security 935 | dynamoDB 936 | TDRJenkinsNodeLambdaRole 937 | S3extrenalAcess 938 | TeamRole/MasterRole 939 | DatadogAWSIntegrationRole 940 | openshift-instance-role 941 | AWSIoTDeviceDefenderAudit 942 | notes 943 | deploy_role 944 | LambdaTest 945 | hackathon 946 | CrossAccountManager 947 | StepFunctions 948 | CN 949 | ReadOnlyRole 950 | DevSecOpsAdminRolePolicy 951 | LambdaEKSAdminRole 952 | prometheus 953 | cloud_custodian 954 | AmazonECSServiceRolePolicy 955 | SudokuMultiplayerLambda 956 | MyExistingRole 957 | replicator 958 | lambda_dynamodb_role 959 | sam_role 960 | vpc 961 | NucleatorAgent 962 | ecsAutoscaleRoles 963 | codebuild-role- 964 | MoveThingsToQuarantineGroupRole 965 | MyOtherRole 966 | 1S 967 | spin_role 968 | root_joshua 969 | CodePipelineRole 970 | 
tiler_lambda_function 971 | vueserverlessproject 972 | testregion 973 | scraper_lambda 974 | reactauth 975 | temp 976 | AmazonApiGatewayPushToCloudWatchLogs 977 | redshiftcopy 978 | ITAdmin 979 | xaccounts3access/s3 980 | application 981 | Cloudcustodian 982 | f3e92392 983 | LambdaFullAccessRole 984 | rdbms 985 | gitlab_runner 986 | consul-instance-role 987 | MySpectrumRole 988 | instance_profile 989 | iam-role 990 | dlm-lifecycle-role 991 | offline 992 | CISPublisherRole 993 | myfunctionforbatchingexamplerole 994 | LBH_Lambda_Execution 995 | issues 996 | EKSRole 997 | bax 998 | unittest_paqzni_lambda 999 | unittest_lcmtzj_lambda 1000 | unittest_ttmtxe_lambda 1001 | dockercloud 1002 | ecs_service_autoscale 1003 | unittest_aznzkg_lambda 1004 | 1s_tear_down_role 1005 | amplifytest 1006 | usersgrouprole 1007 | adminsgrouprole 1008 | cerberus 1009 | fake 1010 | fsx 1011 | CWLtoKinesisFirehoseRole 1012 | ecs/ecs_lb_role 1013 | pcf_admin_role 1014 | unittest_rseouo_lambda 1015 | AWSSupportServiceRolePolicy 1016 | poc 1017 | bootstrap_role 1018 | appbuildrole 1019 | unittest_imccys_lambda 1020 | owner 1021 | unittest_zjyenf_lambda 1022 | CognitoCloudWatchLogsRole 1023 | qls 1024 | SAMLPrincipal 1025 | SAMLRole 1026 | icki 1027 | AWSQuicksightAthenaAccess 1028 | CodePipeline 1029 | DevSpinnakerManaged 1030 | ecsCodeDeployRole 1031 | s3role 1032 | authenticateduserrole 1033 | CodeDeployDemoRole 1034 | codepipelineservicerole 1035 | EMR_AutoScaling_DefaultRole 1036 | apigatewayrole 1037 | explicithello1role 1038 | helm_secrets 1039 | explicithello2role 1040 | implicithello1role 1041 | OtherApiGatewayLogger 1042 | ap 1043 | My 1044 | GPSEC 1045 | service-role/lambdaiamrole 1046 | destinationrole 1047 | implicitapifunction2role 1048 | core 1049 | passfunctionrole 1050 | emr_ec2_instance_profile 1051 | ECS_Service_SSLCerts_RO 1052 | ec2s3role 1053 | dynamo 1054 | OrganizationAccountAccessRole 1055 | beanstalk-ec2-role 1056 | switch 1057 | PIPELINEDEV_eu 1058 | worker-node 1059 
| cluster-iam-role 1060 | nomad 1061 | r 1062 | iam_ecs_service_role 1063 | unauthenticateduserrole 1064 | publish 1065 | implicithello2role 1066 | ec2scheduled 1067 | SNS_Role 1068 | iam_codepipeline_role 1069 | CloudFormation 1070 | ilab 1071 | onica 1072 | custom 1073 | CloudFormationDeployRole 1074 | MySiteWiseMonitorServiceRole 1075 | build_role 1076 | AWSSupport 1077 | DynamoDBFullAccess 1078 | ecs_elb 1079 | car_app 1080 | dtss_audit_role 1081 | LambdaS3 1082 | prd 1083 | kubectl 1084 | ami 1085 | lambda_s3_access 1086 | SampleLambdaRole 1087 | ecs-ec2-role-test 1088 | Cognito_DynamoPoolUnauthorized 1089 | crossaccountrole 1090 | azul 1091 | proxy 1092 | pets 1093 | Lambda_Execution_Role 1094 | testapp 1095 | IepTest 1096 | sc 1097 | AWSOpsWorksCMServiceRole 1098 | basicLamdba 1099 | MediaConnect 1100 | SC 1101 | sirius 1102 | iam_role_lambda 1103 | TejaswiRole 1104 | AWSCodeBuild 1105 | elasticmapreduce 1106 | lambda_full_access 1107 | ARTBBuildToolModularWebAppRole 1108 | LambdaEC2Access 1109 | logstash 1110 | rcloudtrailrole 1111 | LambdaS3Role 1112 | placeholder 1113 | CCustodianLambda 1114 | eksClusterRole 1115 | cpco 1116 | lambda_test_role 1117 | MW 1118 | management 1119 | twitter 1120 | rolename1 1121 | lamdba 1122 | aviatrixroleec2 1123 | aviatrixroleapp 1124 | RedshiftRole 1125 | Hello 1126 | cosmos_role 1127 | external_dns_pod_role 1128 | idt 1129 | agent_role 1130 | lambda_api_dynamo 1131 | cartographerapilambdarole 1132 | masters-minimal-example-com 1133 | nodes-minimal-example-com 1134 | CustodianGuardDuty 1135 | update 1136 | nodes-minimal-141-example-com 1137 | ec2_s3_access_role 1138 | instance/ec2 1139 | replication_role 1140 | XXXX 1141 | TheSnapshotRole 1142 | myfakerole 1143 | masters-minimal-141-example-com 1144 | flow_log 1145 | AWSDeepLensLambdaRole 1146 | masters-sharedsubnet-example-com 1147 | cfnRole 1148 | nodes-sharedsubnet-example-com 1149 | DAXServiceRoleForDynamoDBAccess 1150 | masters-sharedvpc-example-com 1151 | 
nodes-sharedvpc-example-com 1152 | Admins 1153 | DevRole 1154 | svc-role 1155 | btpcsn_iam_role 1156 | Rackspace 1157 | iam_for_lambda_tf 1158 | DBA 1159 | ecs-elb 1160 | mplifypp 1161 | dns 1162 | MoonMail 1163 | cwn 1164 | UpdateAPP 1165 | elk 1166 | deliveryrole 1167 | secret 1168 | MyTestFunction 1169 | control 1170 | awsamplifyvue 1171 | super 1172 | ansible-role 1173 | OrganizationUnitManagerRole 1174 | zappa 1175 | CrossAccountCloudFormation 1176 | lambda_callsheet 1177 | awslambdarole 1178 | photoalbumsLambdaRole91d2faf3 1179 | WfmOutboundConsumerRole 1180 | CrossAccountCodePipeline 1181 | eu 1182 | CrossAccountPipelineViewers 1183 | Engineering_role 1184 | TSI_Base_EventBusHandlerRole 1185 | AmazonEC2RoleForSSM 1186 | consoleAccessAdministrator 1187 | core_app_monitor 1188 | AWSGlueServiceRoleDefault 1189 | gateway_invoke_lambda 1190 | settlers 1191 | EksCodeBuildkubectlRole 1192 | GiantSwarmAWSOperator 1193 | cognito_authenticated 1194 | flowlogrole 1195 | facebook 1196 | beanstalk-service-role 1197 | DynamoDBFullLambdaAccess 1198 | RoleToBeAssumed -------------------------------------------------------------------------------- /config_dir/userlist.txt: -------------------------------------------------------------------------------- 1 | james 2 | john 3 | robert 4 | michael 5 | william 6 | david 7 | richard 8 | charles 9 | joseph 10 | thomas 11 | christopher 12 | daniel 13 | paul 14 | mark 15 | donald 16 | george 17 | kenneth 18 | steven 19 | edward 20 | brian 21 | ronald 22 | anthony 23 | kevin 24 | jason 25 | matthew 26 | gary 27 | timothy 28 | jose 29 | larry 30 | jeffrey 31 | frank 32 | scott 33 | eric 34 | stephen 35 | andrew 36 | raymond 37 | gregory 38 | joshua 39 | jerry 40 | dennis 41 | walter 42 | patrick 43 | peter 44 | harold 45 | douglas 46 | henry 47 | carl 48 | arthur 49 | ryan 50 | roger 51 | joe 52 | juan 53 | jack 54 | albert 55 | jonathan 56 | justin 57 | terry 58 | gerald 59 | keith 60 | samuel 61 | willie 62 | ralph 63 | lawrence 64 | 
nicholas 65 | roy 66 | benjamin 67 | bruce 68 | brandon 69 | adam 70 | harry 71 | fred 72 | wayne 73 | billy 74 | steve 75 | louis 76 | jeremy 77 | aaron 78 | randy 79 | howard 80 | eugene 81 | carlos 82 | russell 83 | bobby 84 | victor 85 | martin 86 | ernest 87 | phillip 88 | todd 89 | jesse 90 | craig 91 | alan 92 | shawn 93 | clarence 94 | sean 95 | philip 96 | chris 97 | johnny 98 | earl 99 | jimmy 100 | antonio 101 | danny 102 | bryan 103 | tony 104 | luis 105 | mike 106 | stanley 107 | leonard 108 | nathan 109 | dale 110 | manuel 111 | rodney 112 | curtis 113 | norman 114 | allen 115 | marvin 116 | vincent 117 | glenn 118 | jeffery 119 | travis 120 | jeff 121 | chad 122 | jacob 123 | lee 124 | melvin 125 | alfred 126 | kyle 127 | francis 128 | bradley 129 | jesus 130 | herbert 131 | frederick 132 | ray 133 | joel 134 | edwin 135 | don 136 | eddie 137 | ricky 138 | troy 139 | randall 140 | barry 141 | alexander 142 | bernard 143 | mario 144 | leroy 145 | francisco 146 | marcus 147 | micheal 148 | theodore 149 | clifford 150 | miguel 151 | oscar 152 | jay 153 | jim 154 | tom 155 | calvin 156 | alex 157 | jon 158 | ronnie 159 | bill 160 | lloyd 161 | tommy 162 | leon 163 | derek 164 | warren 165 | darrell 166 | jerome 167 | floyd 168 | leo 169 | alvin 170 | tim 171 | wesley 172 | gordon 173 | dean 174 | greg 175 | jorge 176 | dustin 177 | pedro 178 | derrick 179 | dan 180 | lewis 181 | zachary 182 | corey 183 | herman 184 | maurice 185 | vernon 186 | roberto 187 | clyde 188 | glen 189 | hector 190 | shane 191 | ricardo 192 | sam 193 | rick 194 | lester 195 | brent 196 | ramon 197 | charlie 198 | tyler 199 | gilbert 200 | gene 201 | marc 202 | reginald 203 | ruben 204 | brett 205 | angel 206 | nathaniel 207 | rafael 208 | leslie 209 | edgar 210 | milton 211 | raul 212 | ben 213 | chester 214 | cecil 215 | duane 216 | franklin 217 | andre 218 | elmer 219 | brad 220 | gabriel 221 | ron 222 | mitchell 223 | roland 224 | arnold 225 | harvey 226 | jared 227 | adrian 
228 | karl 229 | cory 230 | claude 231 | erik 232 | darryl 233 | jamie 234 | neil 235 | jessie 236 | christian 237 | javier 238 | fernando 239 | clinton 240 | ted 241 | mathew 242 | tyrone 243 | darren 244 | lonnie 245 | lance 246 | cody 247 | julio 248 | kelly 249 | kurt 250 | allan 251 | nelson 252 | guy 253 | clayton 254 | hugh 255 | max 256 | dwayne 257 | dwight 258 | armando 259 | felix 260 | jimmie 261 | everett 262 | jordan 263 | ian 264 | wallace 265 | ken 266 | bob 267 | jaime 268 | casey 269 | alfredo 270 | alberto 271 | dave 272 | ivan 273 | johnnie 274 | sidney 275 | byron 276 | julian 277 | isaac 278 | morris 279 | clifton 280 | willard 281 | daryl 282 | ross 283 | virgil 284 | andy 285 | marshall 286 | salvador 287 | perry 288 | kirk 289 | sergio 290 | marion 291 | tracy 292 | seth 293 | kent 294 | terrance 295 | rene 296 | eduardo 297 | terrence 298 | enrique 299 | freddie 300 | wade 301 | austin 302 | stuart 303 | fredrick 304 | arturo 305 | alejandro 306 | jackie 307 | joey 308 | nick 309 | luther 310 | wendell 311 | jeremiah 312 | evan 313 | julius 314 | dana 315 | donnie 316 | otis 317 | shannon 318 | trevor 319 | oliver 320 | luke 321 | homer 322 | gerard 323 | doug 324 | kenny 325 | hubert 326 | angelo 327 | shaun 328 | lyle 329 | matt 330 | lynn 331 | alfonso 332 | orlando 333 | rex 334 | carlton 335 | ernesto 336 | cameron 337 | neal 338 | pablo 339 | lorenzo 340 | omar 341 | wilbur 342 | blake 343 | grant 344 | horace 345 | roderick 346 | kerry 347 | abraham 348 | willis 349 | rickey 350 | jean 351 | ira 352 | andres 353 | cesar 354 | johnathan 355 | malcolm 356 | rudolph 357 | damon 358 | kelvin 359 | rudy 360 | preston 361 | alton 362 | archie 363 | marco 364 | wm 365 | pete 366 | randolph 367 | garry 368 | geoffrey 369 | jonathon 370 | felipe 371 | bennie 372 | gerardo 373 | ed 374 | dominic 375 | robin 376 | loren 377 | delbert 378 | colin 379 | guillermo 380 | earnest 381 | lucas 382 | benny 383 | noel 384 | spencer 385 | rodolfo 386 | 
myron 387 | edmund 388 | garrett 389 | salvatore 390 | cedric 391 | lowell 392 | gregg 393 | sherman 394 | wilson 395 | devin 396 | sylvester 397 | kim 398 | roosevelt 399 | israel 400 | jermaine 401 | forrest 402 | wilbert 403 | leland 404 | simon 405 | guadalupe 406 | clark 407 | irving 408 | carroll 409 | bryant 410 | owen 411 | rufus 412 | woodrow 413 | sammy 414 | kristopher 415 | mack 416 | levi 417 | marcos 418 | gustavo 419 | jake 420 | lionel 421 | marty 422 | taylor 423 | ellis 424 | dallas 425 | gilberto 426 | clint 427 | nicolas 428 | laurence 429 | ismael 430 | orville 431 | drew 432 | jody 433 | ervin 434 | dewey 435 | al 436 | wilfred 437 | josh 438 | hugo 439 | ignacio 440 | caleb 441 | tomas 442 | sheldon 443 | erick 444 | frankie 445 | stewart 446 | doyle 447 | darrel 448 | rogelio 449 | terence 450 | santiago 451 | alonzo 452 | elias 453 | bert 454 | elbert 455 | ramiro 456 | conrad 457 | pat 458 | noah 459 | grady 460 | phil 461 | cornelius 462 | lamar 463 | rolando 464 | clay 465 | percy 466 | dexter 467 | bradford 468 | merle 469 | darin 470 | amos 471 | terrell 472 | moses 473 | irvin 474 | saul 475 | roman 476 | darnell 477 | randal 478 | tommie 479 | timmy 480 | darrin 481 | winston 482 | brendan 483 | toby 484 | van 485 | abel 486 | dominick 487 | boyd 488 | courtney 489 | jan 490 | emilio 491 | elijah 492 | cary 493 | domingo 494 | santos 495 | aubrey 496 | emmett 497 | marlon 498 | emanuel 499 | jerald 500 | edmond 501 | emil 502 | dewayne 503 | will 504 | otto 505 | teddy 506 | reynaldo 507 | bret 508 | morgan 509 | jess 510 | trent 511 | humberto 512 | emmanuel 513 | stephan 514 | louie 515 | vicente 516 | lamont 517 | stacy 518 | garland 519 | miles 520 | micah 521 | efrain 522 | billie 523 | logan 524 | heath 525 | rodger 526 | harley 527 | demetrius 528 | ethan 529 | eldon 530 | rocky 531 | pierre 532 | junior 533 | freddy 534 | eli 535 | bryce 536 | antoine 537 | robbie 538 | kendall 539 | royce 540 | sterling 541 | mickey 542 | 
chase 543 | grover 544 | elton 545 | cleveland 546 | dylan 547 | chuck 548 | damian 549 | reuben 550 | stan 551 | august 552 | leonardo 553 | jasper 554 | russel 555 | erwin 556 | benito 557 | hans 558 | monte 559 | blaine 560 | ernie 561 | curt 562 | quentin 563 | agustin 564 | murray 565 | jamal 566 | devon 567 | adolfo 568 | harrison 569 | tyson 570 | burton 571 | brady 572 | elliott 573 | wilfredo 574 | bart 575 | jarrod 576 | vance 577 | denis 578 | damien 579 | joaquin 580 | harlan 581 | desmond 582 | elliot 583 | darwin 584 | ashley 585 | gregorio 586 | buddy 587 | xavier 588 | kermit 589 | roscoe 590 | esteban 591 | anton 592 | solomon 593 | scotty 594 | norbert 595 | elvin 596 | williams 597 | nolan 598 | carey 599 | rod 600 | quinton 601 | hal 602 | brain 603 | rob 604 | elwood 605 | kendrick 606 | darius 607 | moises 608 | son 609 | marlin 610 | fidel 611 | thaddeus 612 | cliff 613 | marcel 614 | ali 615 | jackson 616 | raphael 617 | bryon 618 | armand 619 | alvaro 620 | jeffry 621 | dane 622 | joesph 623 | thurman 624 | ned 625 | sammie 626 | rusty 627 | michel 628 | monty 629 | rory 630 | fabian 631 | reggie 632 | mason 633 | graham 634 | kris 635 | isaiah 636 | vaughn 637 | gus 638 | avery 639 | loyd 640 | diego 641 | alexis 642 | adolph 643 | norris 644 | millard 645 | rocco 646 | gonzalo 647 | derick 648 | rodrigo 649 | gerry 650 | stacey 651 | carmen 652 | wiley 653 | rigoberto 654 | alphonso 655 | ty 656 | shelby 657 | rickie 658 | noe 659 | vern 660 | bobbie 661 | reed 662 | jefferson 663 | elvis 664 | bernardo 665 | mauricio 666 | hiram 667 | donovan 668 | basil 669 | riley 670 | ollie 671 | nickolas 672 | maynard 673 | scot 674 | vince 675 | quincy 676 | eddy 677 | sebastian 678 | federico 679 | ulysses 680 | heriberto 681 | donnell 682 | cole 683 | denny 684 | davis 685 | gavin 686 | emery 687 | ward 688 | romeo 689 | jayson 690 | dion 691 | dante 692 | clement 693 | coy 694 | odell 695 | maxwell 696 | jarvis 697 | bruno 698 | issac 699 | mary 
700 | dudley 701 | brock 702 | sanford 703 | colby 704 | carmelo 705 | barney 706 | nestor 707 | hollis 708 | stefan 709 | donny 710 | art 711 | linwood 712 | beau 713 | weldon 714 | galen 715 | isidro 716 | truman 717 | delmar 718 | johnathon 719 | silas 720 | frederic 721 | dick 722 | kirby 723 | irwin 724 | cruz 725 | merlin 726 | merrill 727 | charley 728 | marcelino 729 | lane 730 | harris 731 | cleo 732 | carlo 733 | trenton 734 | kurtis 735 | hunter 736 | aurelio 737 | winfred 738 | vito 739 | collin 740 | denver 741 | carter 742 | leonel 743 | emory 744 | pasquale 745 | mohammad 746 | mariano 747 | danial 748 | blair 749 | landon 750 | dirk 751 | branden 752 | adan 753 | numbers 754 | clair 755 | buford 756 | german 757 | bernie 758 | wilmer 759 | joan 760 | emerson 761 | zachery 762 | fletcher 763 | jacques 764 | errol 765 | dalton 766 | monroe 767 | josue 768 | dominique 769 | edwardo 770 | booker 771 | wilford 772 | sonny 773 | shelton 774 | carson 775 | theron 776 | raymundo 777 | daren 778 | tristan 779 | houston 780 | robby 781 | lincoln 782 | jame 783 | genaro 784 | gale 785 | bennett 786 | octavio 787 | cornell 788 | laverne 789 | hung 790 | arron 791 | antony 792 | herschel 793 | alva 794 | giovanni 795 | garth 796 | cyrus 797 | cyril 798 | ronny 799 | stevie 800 | lon 801 | freeman 802 | erin 803 | duncan 804 | kennith 805 | carmine 806 | augustine 807 | young 808 | erich 809 | chadwick 810 | wilburn 811 | russ 812 | reid 813 | myles 814 | anderson 815 | morton 816 | jonas 817 | forest 818 | mitchel 819 | mervin 820 | zane 821 | rich 822 | jamel 823 | lazaro 824 | alphonse 825 | randell 826 | major 827 | johnie 828 | jarrett 829 | brooks 830 | ariel 831 | abdul 832 | dusty 833 | luciano 834 | lindsey 835 | tracey 836 | seymour 837 | scottie 838 | eugenio 839 | mohammed 840 | sandy 841 | valentin 842 | chance 843 | arnulfo 844 | lucien 845 | ferdinand 846 | thad 847 | ezra 848 | sydney 849 | aldo 850 | rubin 851 | royal 852 | mitch 853 | earle 854 
| abe 855 | wyatt 856 | marquis 857 | lanny 858 | kareem 859 | jamar 860 | boris 861 | isiah 862 | emile 863 | elmo 864 | aron 865 | leopoldo 866 | everette 867 | josef 868 | gail 869 | eloy 870 | dorian 871 | rodrick 872 | reinaldo 873 | lucio 874 | jerrod 875 | weston 876 | hershel 877 | barton 878 | parker 879 | lemuel 880 | lavern 881 | burt 882 | jules 883 | gil 884 | eliseo 885 | ahmad 886 | nigel 887 | efren 888 | antwan 889 | alden 890 | margarito 891 | coleman 892 | refugio 893 | dino 894 | osvaldo 895 | les 896 | deandre 897 | normand 898 | kieth 899 | ivory 900 | andrea 901 | trey 902 | norberto 903 | napoleon 904 | jerold 905 | fritz 906 | rosendo 907 | milford 908 | sang 909 | deon 910 | christoper 911 | alfonzo 912 | lyman 913 | josiah 914 | brant 915 | wilton 916 | rico 917 | jamaal 918 | dewitt 919 | carol 920 | brenton 921 | yong 922 | olin 923 | foster 924 | faustino 925 | claudio 926 | judson 927 | gino 928 | edgardo 929 | berry 930 | alec 931 | tanner 932 | jarred 933 | donn 934 | trinidad 935 | tad 936 | shirley 937 | prince 938 | porfirio 939 | odis 940 | maria 941 | lenard 942 | chauncey 943 | chang 944 | tod 945 | mel 946 | marcelo 947 | kory 948 | augustus 949 | keven 950 | hilario 951 | bud 952 | sal 953 | rosario 954 | orval 955 | mauro 956 | dannie 957 | zachariah 958 | olen 959 | anibal 960 | milo 961 | jed 962 | frances 963 | thanh 964 | dillon 965 | amado 966 | newton 967 | connie 968 | lenny 969 | tory 970 | richie 971 | lupe 972 | horacio 973 | brice 974 | mohamed 975 | delmer 976 | dario 977 | reyes 978 | dee 979 | mac 980 | jonah 981 | jerrold 982 | robt 983 | hank 984 | sung 985 | rupert 986 | rolland 987 | kenton 988 | damion 989 | chi 990 | antone 991 | waldo 992 | fredric 993 | bradly 994 | quinn 995 | kip 996 | burl 997 | walker 998 | tyree 999 | jefferey 1000 | ahmed 1001 | mary 1002 | patricia 1003 | linda 1004 | barbara 1005 | elizabeth 1006 | jennifer 1007 | maria 1008 | susan 1009 | margaret 1010 | dorothy 1011 | lisa 
1012 | nancy 1013 | karen 1014 | betty 1015 | helen 1016 | sandra 1017 | donna 1018 | carol 1019 | ruth 1020 | sharon 1021 | michelle 1022 | laura 1023 | sarah 1024 | kimberly 1025 | deborah 1026 | jessica 1027 | shirley 1028 | cynthia 1029 | angela 1030 | melissa 1031 | brenda 1032 | amy 1033 | anna 1034 | rebecca 1035 | virginia 1036 | kathleen 1037 | pamela 1038 | martha 1039 | debra 1040 | amanda 1041 | stephanie 1042 | carolyn 1043 | christine 1044 | marie 1045 | janet 1046 | catherine 1047 | frances 1048 | ann 1049 | joyce 1050 | diane 1051 | alice 1052 | julie 1053 | heather 1054 | teresa 1055 | doris 1056 | gloria 1057 | evelyn 1058 | jean 1059 | cheryl 1060 | mildred 1061 | katherine 1062 | joan 1063 | ashley 1064 | judith 1065 | rose 1066 | janice 1067 | kelly 1068 | nicole 1069 | judy 1070 | christina 1071 | kathy 1072 | theresa 1073 | beverly 1074 | denise 1075 | tammy 1076 | irene 1077 | jane 1078 | lori 1079 | rachel 1080 | marilyn 1081 | andrea 1082 | kathryn 1083 | louise 1084 | sara 1085 | anne 1086 | jacqueline 1087 | wanda 1088 | bonnie 1089 | julia 1090 | ruby 1091 | lois 1092 | tina 1093 | phyllis 1094 | norma 1095 | paula 1096 | diana 1097 | annie 1098 | lillian 1099 | emily 1100 | robin 1101 | peggy 1102 | crystal 1103 | gladys 1104 | rita 1105 | dawn 1106 | connie 1107 | florence 1108 | tracy 1109 | edna 1110 | tiffany 1111 | carmen 1112 | rosa 1113 | cindy 1114 | grace 1115 | wendy 1116 | victoria 1117 | edith 1118 | kim 1119 | sherry 1120 | sylvia 1121 | josephine 1122 | thelma 1123 | shannon 1124 | sheila 1125 | ethel 1126 | ellen 1127 | elaine 1128 | marjorie 1129 | carrie 1130 | charlotte 1131 | monica 1132 | esther 1133 | pauline 1134 | emma 1135 | juanita 1136 | anita 1137 | rhonda 1138 | hazel 1139 | amber 1140 | eva 1141 | debbie 1142 | april 1143 | leslie 1144 | clara 1145 | lucille 1146 | jamie 1147 | joanne 1148 | eleanor 1149 | valerie 1150 | danielle 1151 | megan 1152 | alicia 1153 | suzanne 1154 | michele 1155 | gail 1156 | 
bertha 1157 | darlene 1158 | veronica 1159 | jill 1160 | erin 1161 | geraldine 1162 | lauren 1163 | cathy 1164 | joann 1165 | lorraine 1166 | lynn 1167 | sally 1168 | regina 1169 | erica 1170 | beatrice 1171 | dolores 1172 | bernice 1173 | audrey 1174 | yvonne 1175 | annette 1176 | june 1177 | samantha 1178 | marion 1179 | dana 1180 | stacy 1181 | ana 1182 | renee 1183 | ida 1184 | vivian 1185 | roberta 1186 | holly 1187 | brittany 1188 | melanie 1189 | loretta 1190 | yolanda 1191 | jeanette 1192 | laurie 1193 | katie 1194 | kristen 1195 | vanessa 1196 | alma 1197 | sue 1198 | elsie 1199 | beth 1200 | jeanne 1201 | vicki 1202 | carla 1203 | tara 1204 | rosemary 1205 | eileen 1206 | terri 1207 | gertrude 1208 | lucy 1209 | tonya 1210 | ella 1211 | stacey 1212 | wilma 1213 | gina 1214 | kristin 1215 | jessie 1216 | natalie 1217 | agnes 1218 | vera 1219 | willie 1220 | charlene 1221 | bessie 1222 | delores 1223 | melinda 1224 | pearl 1225 | arlene 1226 | maureen 1227 | colleen 1228 | allison 1229 | tamara 1230 | joy 1231 | georgia 1232 | constance 1233 | lillie 1234 | claudia 1235 | jackie 1236 | marcia 1237 | tanya 1238 | nellie 1239 | minnie 1240 | marlene 1241 | heidi 1242 | glenda 1243 | lydia 1244 | viola 1245 | courtney 1246 | marian 1247 | stella 1248 | caroline 1249 | dora 1250 | jo 1251 | vickie 1252 | mattie 1253 | terry 1254 | maxine 1255 | irma 1256 | mabel 1257 | marsha 1258 | myrtle 1259 | lena 1260 | christy 1261 | deanna 1262 | patsy 1263 | hilda 1264 | gwendolyn 1265 | jennie 1266 | nora 1267 | margie 1268 | nina 1269 | cassandra 1270 | leah 1271 | penny 1272 | kay 1273 | priscilla 1274 | naomi 1275 | carole 1276 | brandy 1277 | olga 1278 | billie 1279 | dianne 1280 | tracey 1281 | leona 1282 | jenny 1283 | felicia 1284 | sonia 1285 | miriam 1286 | velma 1287 | becky 1288 | bobbie 1289 | violet 1290 | kristina 1291 | toni 1292 | misty 1293 | mae 1294 | shelly 1295 | daisy 1296 | ramona 1297 | sherri 1298 | erika 1299 | katrina 1300 | claire 1301 | 
lindsey 1302 | lindsay 1303 | geneva 1304 | guadalupe 1305 | belinda 1306 | margarita 1307 | sheryl 1308 | cora 1309 | faye 1310 | ada 1311 | natasha 1312 | sabrina 1313 | isabel 1314 | marguerite 1315 | hattie 1316 | harriet 1317 | molly 1318 | cecilia 1319 | kristi 1320 | brandi 1321 | blanche 1322 | sandy 1323 | rosie 1324 | joanna 1325 | iris 1326 | eunice 1327 | angie 1328 | inez 1329 | lynda 1330 | madeline 1331 | amelia 1332 | alberta 1333 | genevieve 1334 | monique 1335 | jodi 1336 | janie 1337 | maggie 1338 | kayla 1339 | sonya 1340 | jan 1341 | lee 1342 | kristine 1343 | candace 1344 | fannie 1345 | maryann 1346 | opal 1347 | alison 1348 | yvette 1349 | melody 1350 | luz 1351 | susie 1352 | olivia 1353 | flora 1354 | shelley 1355 | kristy 1356 | mamie 1357 | lula 1358 | lola 1359 | verna 1360 | beulah 1361 | antoinette 1362 | candice 1363 | juana 1364 | jeannette 1365 | pam 1366 | kelli 1367 | hannah 1368 | whitney 1369 | bridget 1370 | karla 1371 | celia 1372 | latoya 1373 | patty 1374 | shelia 1375 | gayle 1376 | della 1377 | vicky 1378 | lynne 1379 | sheri 1380 | marianne 1381 | kara 1382 | jacquelyn 1383 | erma 1384 | blanca 1385 | myra 1386 | leticia 1387 | pat 1388 | krista 1389 | roxanne 1390 | angelica 1391 | johnnie 1392 | robyn 1393 | francis 1394 | adrienne 1395 | rosalie 1396 | alexandra 1397 | brooke 1398 | bethany 1399 | sadie 1400 | bernadette 1401 | traci 1402 | jody 1403 | kendra 1404 | jasmine 1405 | nichole 1406 | rachael 1407 | chelsea 1408 | mable 1409 | ernestine 1410 | muriel 1411 | marcella 1412 | elena 1413 | krystal 1414 | angelina 1415 | nadine 1416 | kari 1417 | estelle 1418 | dianna 1419 | paulette 1420 | lora 1421 | mona 1422 | doreen 1423 | rosemarie 1424 | angel 1425 | desiree 1426 | antonia 1427 | hope 1428 | ginger 1429 | janis 1430 | betsy 1431 | christie 1432 | freda 1433 | mercedes 1434 | meredith 1435 | lynette 1436 | teri 1437 | cristina 1438 | eula 1439 | leigh 1440 | meghan 1441 | sophia 1442 | eloise 1443 | 
rochelle 1444 | gretchen 1445 | cecelia 1446 | raquel 1447 | henrietta 1448 | alyssa 1449 | jana 1450 | kelley 1451 | gwen 1452 | kerry 1453 | jenna 1454 | tricia 1455 | laverne 1456 | olive 1457 | alexis 1458 | tasha 1459 | silvia 1460 | elvira 1461 | casey 1462 | delia 1463 | sophie 1464 | kate 1465 | patti 1466 | lorena 1467 | kellie 1468 | sonja 1469 | lila 1470 | lana 1471 | darla 1472 | may 1473 | mindy 1474 | essie 1475 | mandy 1476 | lorene 1477 | elsa 1478 | josefina 1479 | jeannie 1480 | miranda 1481 | dixie 1482 | lucia 1483 | marta 1484 | faith 1485 | lela 1486 | johanna 1487 | shari 1488 | camille 1489 | tami 1490 | shawna 1491 | elisa 1492 | ebony 1493 | melba 1494 | ora 1495 | nettie 1496 | tabitha 1497 | ollie 1498 | jaime 1499 | winifred 1500 | kristie 1501 | marina 1502 | alisha 1503 | aimee 1504 | rena 1505 | myrna 1506 | marla 1507 | tammie 1508 | latasha 1509 | bonita 1510 | patrice 1511 | ronda 1512 | sherrie 1513 | addie 1514 | francine 1515 | deloris 1516 | stacie 1517 | adriana 1518 | cheri 1519 | shelby 1520 | abigail 1521 | celeste 1522 | jewel 1523 | cara 1524 | adele 1525 | rebekah 1526 | lucinda 1527 | dorthy 1528 | chris 1529 | effie 1530 | trina 1531 | reba 1532 | shawn 1533 | sallie 1534 | aurora 1535 | lenora 1536 | etta 1537 | lottie 1538 | kerri 1539 | trisha 1540 | nikki 1541 | estella 1542 | francisca 1543 | josie 1544 | tracie 1545 | marissa 1546 | karin 1547 | brittney 1548 | janelle 1549 | lourdes 1550 | laurel 1551 | helene 1552 | fern 1553 | elva 1554 | corinne 1555 | kelsey 1556 | ina 1557 | bettie 1558 | elisabeth 1559 | aida 1560 | caitlin 1561 | ingrid 1562 | iva 1563 | eugenia 1564 | christa 1565 | goldie 1566 | cassie 1567 | maude 1568 | jenifer 1569 | therese 1570 | frankie 1571 | dena 1572 | lorna 1573 | janette 1574 | latonya 1575 | candy 1576 | morgan 1577 | consuelo 1578 | tamika 1579 | rosetta 1580 | debora 1581 | cherie 1582 | polly 1583 | dina 1584 | jewell 1585 | fay 1586 | jillian 1587 | dorothea 1588 | 
nell 1589 | trudy 1590 | esperanza 1591 | patrica 1592 | kimberley 1593 | shanna 1594 | helena 1595 | carolina 1596 | cleo 1597 | stefanie 1598 | rosario 1599 | ola 1600 | janine 1601 | mollie 1602 | lupe 1603 | alisa 1604 | lou 1605 | maribel 1606 | susanne 1607 | bette 1608 | susana 1609 | elise 1610 | cecile 1611 | isabelle 1612 | lesley 1613 | jocelyn 1614 | paige 1615 | joni 1616 | rachelle 1617 | leola 1618 | daphne 1619 | alta 1620 | ester 1621 | petra 1622 | graciela 1623 | imogene 1624 | jolene 1625 | keisha 1626 | lacey 1627 | glenna 1628 | gabriela 1629 | keri 1630 | ursula 1631 | lizzie 1632 | kirsten 1633 | shana 1634 | adeline 1635 | mayra 1636 | jayne 1637 | jaclyn 1638 | gracie 1639 | sondra 1640 | carmela 1641 | marisa 1642 | rosalind 1643 | charity 1644 | tonia 1645 | beatriz 1646 | marisol 1647 | clarice 1648 | jeanine 1649 | sheena 1650 | angeline 1651 | frieda 1652 | lily 1653 | robbie 1654 | shauna 1655 | millie 1656 | claudette 1657 | cathleen 1658 | angelia 1659 | gabrielle 1660 | autumn 1661 | katharine 1662 | summer 1663 | jodie 1664 | staci 1665 | lea 1666 | christi 1667 | jimmie 1668 | justine 1669 | elma 1670 | luella 1671 | margret 1672 | dominique 1673 | socorro 1674 | rene 1675 | martina 1676 | margo 1677 | mavis 1678 | callie 1679 | bobbi 1680 | maritza 1681 | lucile 1682 | leanne 1683 | jeannine 1684 | deana 1685 | aileen 1686 | lorie 1687 | ladonna 1688 | willa 1689 | manuela 1690 | gale 1691 | selma 1692 | dolly 1693 | sybil 1694 | abby 1695 | lara 1696 | dale 1697 | ivy 1698 | dee 1699 | winnie 1700 | marcy 1701 | luisa 1702 | jeri 1703 | magdalena 1704 | ofelia 1705 | meagan 1706 | audra 1707 | matilda 1708 | leila 1709 | cornelia 1710 | bianca 1711 | simone 1712 | bettye 1713 | randi 1714 | virgie 1715 | latisha 1716 | barbra 1717 | georgina 1718 | eliza 1719 | leann 1720 | bridgette 1721 | rhoda 1722 | haley 1723 | adela 1724 | nola 1725 | bernadine 1726 | flossie 1727 | ila 1728 | greta 1729 | ruthie 1730 | nelda 1731 | 
minerva 1732 | lilly 1733 | terrie 1734 | letha 1735 | hilary 1736 | estela 1737 | valarie 1738 | brianna 1739 | rosalyn 1740 | earline 1741 | catalina 1742 | ava 1743 | mia 1744 | clarissa 1745 | lidia 1746 | corrine 1747 | alexandria 1748 | concepcion 1749 | tia 1750 | sharron 1751 | rae 1752 | dona 1753 | ericka 1754 | jami 1755 | elnora 1756 | chandra 1757 | lenore 1758 | neva 1759 | marylou 1760 | melisa 1761 | tabatha 1762 | serena 1763 | avis 1764 | allie 1765 | sofia 1766 | jeanie 1767 | odessa 1768 | nannie 1769 | harriett 1770 | loraine 1771 | penelope 1772 | milagros 1773 | emilia 1774 | benita 1775 | allyson 1776 | ashlee 1777 | tania 1778 | tommie 1779 | esmeralda 1780 | karina 1781 | eve 1782 | pearlie 1783 | zelma 1784 | malinda 1785 | noreen 1786 | tameka 1787 | saundra 1788 | hillary 1789 | amie 1790 | althea 1791 | rosalinda 1792 | jordan 1793 | lilia 1794 | alana 1795 | gay 1796 | clare 1797 | alejandra 1798 | elinor 1799 | michael 1800 | lorrie 1801 | jerri 1802 | darcy 1803 | earnestine 1804 | carmella 1805 | taylor 1806 | noemi 1807 | marcie 1808 | liza 1809 | annabelle 1810 | louisa 1811 | earlene 1812 | mallory 1813 | carlene 1814 | nita 1815 | selena 1816 | tanisha 1817 | katy 1818 | julianne 1819 | john 1820 | lakisha 1821 | edwina 1822 | maricela 1823 | margery 1824 | kenya 1825 | dollie 1826 | roxie 1827 | roslyn 1828 | kathrine 1829 | nanette 1830 | charmaine 1831 | lavonne 1832 | ilene 1833 | kris 1834 | tammi 1835 | suzette 1836 | corine 1837 | kaye 1838 | jerry 1839 | merle 1840 | chrystal 1841 | lina 1842 | deanne 1843 | lilian 1844 | juliana 1845 | aline 1846 | luann 1847 | kasey 1848 | maryanne 1849 | evangeline 1850 | colette 1851 | melva 1852 | lawanda 1853 | yesenia 1854 | nadia 1855 | madge 1856 | kathie 1857 | eddie 1858 | ophelia 1859 | valeria 1860 | nona 1861 | mitzi 1862 | mari 1863 | georgette 1864 | claudine 1865 | fran 1866 | alissa 1867 | roseann 1868 | lakeisha 1869 | susanna 1870 | reva 1871 | deidre 1872 | chasity 
1873 | sheree 1874 | carly 1875 | james 1876 | elvia 1877 | alyce 1878 | deirdre 1879 | gena 1880 | briana 1881 | araceli 1882 | katelyn 1883 | rosanne 1884 | wendi 1885 | tessa 1886 | berta 1887 | marva 1888 | imelda 1889 | marietta 1890 | marci 1891 | leonor 1892 | arline 1893 | sasha 1894 | madelyn 1895 | janna 1896 | juliette 1897 | deena 1898 | aurelia 1899 | josefa 1900 | augusta 1901 | liliana 1902 | young 1903 | christian 1904 | lessie 1905 | amalia 1906 | savannah 1907 | anastasia 1908 | vilma 1909 | natalia 1910 | rosella 1911 | lynnette 1912 | corina 1913 | alfreda 1914 | leanna 1915 | carey 1916 | amparo 1917 | coleen 1918 | tamra 1919 | aisha 1920 | wilda 1921 | karyn 1922 | cherry 1923 | queen 1924 | maura 1925 | mai 1926 | evangelina 1927 | rosanna 1928 | hallie 1929 | erna 1930 | enid 1931 | mariana 1932 | lacy 1933 | juliet 1934 | jacklyn 1935 | freida 1936 | madeleine 1937 | mara 1938 | hester 1939 | cathryn 1940 | lelia 1941 | casandra 1942 | bridgett 1943 | angelita 1944 | jannie 1945 | dionne 1946 | annmarie 1947 | katina 1948 | beryl 1949 | phoebe 1950 | millicent 1951 | katheryn 1952 | diann 1953 | carissa 1954 | maryellen 1955 | liz 1956 | lauri 1957 | helga 1958 | gilda 1959 | adrian 1960 | rhea 1961 | marquita 1962 | hollie 1963 | tisha 1964 | tamera 1965 | angelique 1966 | francesca 1967 | britney 1968 | kaitlin 1969 | lolita 1970 | florine 1971 | rowena 1972 | reyna 1973 | twila 1974 | fanny 1975 | janell 1976 | ines 1977 | concetta 1978 | bertie 1979 | alba 1980 | brigitte 1981 | alyson 1982 | vonda 1983 | pansy 1984 | elba 1985 | noelle 1986 | letitia 1987 | kitty 1988 | deann 1989 | brandie 1990 | louella 1991 | leta 1992 | felecia 1993 | sharlene 1994 | lesa 1995 | beverley 1996 | robert 1997 | isabella 1998 | herminia 1999 | terra 2000 | celina --------------------------------------------------------------------------------