Then run the tool with detentiondodger.py:
usage: DetentionDodger [-h] [-p PROFILE]

DetentionDodger is a tool designed to find users whose credentials have been leaked/compromised and the impact they have on the target

options:
  -h, --help            show this help message and exit
  -p PROFILE, --profile PROFILE
                        The AWS Profile Name to authenticate as. Default is 'default'. The credentials need to have access to iam:ListUsers, iam:ListUserPolicies, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListGroupPolicies, iam:ListAttachedGroupPolicies, cloudtrail:LookupEvents, iam:GetPolicyVersion, iam:GetPolicy
Docker
A Dockerfile is placed inside the main directory of the project. To build the image, inside the main directory of the project run:
docker build -t detentiondodger .
Then run the container with directories output and ~/.aws mounted to host:
Use
Finding all quarantined users
When no user is specified with the -u flag, the tool lists all IAM users and finds the ones that either have the Quarantine Policy attached or had an attempt to attach it, by looking at the CloudTrail logs. It then lists all the policies that those users and their groups have and checks their privileges against the scenarios found in the scenarios directory.
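The two detection paths described above (policy currently attached, or an AttachUserPolicy event in CloudTrail naming the quarantine policy), as an added illustration that is not DetentionDodger's own code. It assumes the AWS-managed AWSCompromisedKeyQuarantine / AWSCompromisedKeyQuarantineV2 policy names (the page only says "Quarantine Policy") and takes boto3-shaped iam and cloudtrail clients as parameters; the FakeIAM and FakeCloudTrail classes are constructed stand-ins so it runs offline.

```python
import json

# Assumption: the AWS-managed policies AWS attaches when an access key is found leaked.
QUARANTINE_POLICY_NAMES = ("AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2")


def is_quarantine_policy(policy_arn: str) -> bool:
    """True when the ARN's policy name is one of the quarantine policies."""
    return policy_arn.rsplit("/", 1)[-1] in QUARANTINE_POLICY_NAMES


def find_quarantined_users(iam, cloudtrail) -> dict:
    """Return {user_name: 'attached' | 'attempted'}.

    'attached'  - the user currently has a quarantine policy attached.
    'attempted' - an AttachUserPolicy event names a quarantine policy for the
                  user (covers attaches that failed or were later detached)."""
    found = {}
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        attached = iam.list_attached_user_policies(UserName=name)["AttachedPolicies"]
        if any(is_quarantine_policy(p["PolicyArn"]) for p in attached):
            found[name] = "attached"
    events = cloudtrail.lookup_events(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "AttachUserPolicy"}]
    )["Events"]
    for event in events:
        detail = json.loads(event["CloudTrailEvent"])  # CloudTrail record is a JSON string
        params = detail.get("requestParameters") or {}
        if is_quarantine_policy(params.get("policyArn", "")):
            found.setdefault(params.get("userName"), "attempted")
    return found


class FakeIAM:  # constructed stand-in for boto3's iam client (first page only)
    def list_users(self):
        return {"Users": [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]}

    def list_attached_user_policies(self, UserName):
        arn = ("arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2" if UserName == "alice"
               else "arn:aws:iam::aws:policy/ReadOnlyAccess")
        return {"AttachedPolicies": [{"PolicyName": arn.rsplit("/", 1)[-1], "PolicyArn": arn}]}


class FakeCloudTrail:  # constructed stand-in: one denied attach attempt against bob
    def lookup_events(self, LookupAttributes):
        record = {"eventName": "AttachUserPolicy", "errorCode": "AccessDenied",
                  "requestParameters": {"userName": "bob",
                                        "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"}}
        return {"Events": [{"EventName": "AttachUserPolicy", "CloudTrailEvent": json.dumps(record)}]}


def demo() -> dict:
    return find_quarantined_users(FakeIAM(), FakeCloudTrail())
```

Against real clients, list_users and lookup_events are paginated (NextToken) and LookupEvents only covers the last 90 days, so a production check must page through both and treat older quarantines as invisible to this path.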
Checking a specific user
A user can be specified with the -u flag. In that case the Quarantine Policy check is skipped and the user is checked only for the privileges they have.