CloudTracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.

Tags: AWS, Open Source, Self Hosted Only
Category Identity & Access Management
GitHub Stars 891
Last Commit 3 years ago
This page updated a month ago
Pricing Details Free and open-source
Target Audience AWS security professionals, cloud architects, and DevOps teams.

CloudTracker is designed to identify over-privileged IAM users and roles in AWS environments by analyzing CloudTrail logs and comparing them against the IAM policies currently attached to those principals. CloudTrail records the API calls made within an AWS account, so the tool uses it as the record of which IAM privileges have actually been exercised.

Technically, CloudTracker's workflow involves downloading IAM data and CloudTrail logs, then configuring the tool through a config.yaml file that specifies the S3 bucket and path holding the logs. It queries the logs with Amazon Athena, which removes the need for an ElasticSearch setup, although that option is still available. The tool requires AWS credentials with appropriate permissions, such as the AmazonAthenaFullAccess managed policy plus s3:GetObject and s3:ListBucket on the S3 bucket that contains the logs.

Operationally, CloudTracker is run from an environment that holds the necessary AWS credentials. It can list the actions performed by each user and role, highlighting which granted privileges have been exercised and which are candidates for removal. It does have limitations: data-level actions that CloudTrail does not record, such as S3 object access, are not captured. As a result, some privileges may appear unused even though they are being exercised in ways CloudTrail does not log, so findings should be confirmed before a policy is tightened.

In terms of specific technical details, CloudTracker supports a wide range of AWS API actions, enumerated in its cloudtrail_supported_actions.txt file, which covers actions from services such as AppMesh, AppStream, and AppSync. The tool provides granular insight into user and role activity, enabling precise privilege management and adherence to the principle of least privilege.
