abstractclass / cloudprivs Goto Github PK

Hey there 👋 ! This project looks great. I really appreciate you building a tool for this problem space as some of the current tools available are a bit outdated.

I noticed that you have a comment here

Note: some AWS functions can incur costs when called, I have deny-listed all operations starting with open or purchase to mitigate accidental costs, which appears to be safe in my own testing, but please use this with caution. I don't guarantee you won't accidentally incur costs when calling all these functions (even if it's without arguments)

I'd like to suggest changing the way you block actions from being called. A while back, when I was fuzzing the AWS API, I made the mistake of calling shield:CreateSubscription. This subscribed my AWS account for Shield Advanced which is $3,000 per month (thankfully some kind folks inside AWS were able to resolve this without me paying).

Rather than just denying actions which start with open or purchase, it might be a good idea to allowlist actions that start with Get, List, or Describe (sort of similar to how enumerate-iam does it). This would reduce the number of actions you can check for, but would mitigate a lot of the risk in the event that AWS creates a new service/action that costs money by default (and doesn't fall into the open or purchase category).

Just a suggestion! Thank you again for working on this problem.