find-guardduty-user

Description

find-guardduty-user is used to search CloudTrial to find users that triggered GuardDuty alerts

This script will look up all GuardDuty findings and for each one will pull out the access key, search for that access key in CloudTrail to find the AssumedRole event. That event will then provide the ARN of the role which can be looked up in CloudTrail again to find the username of the person that triggered the event.

Installation

For OSX Homebrew:

brew tap trussworks/tap
brew install find-guardduty-user

Usage

Description
    Easily identify IAM users that have triggered GuardDuty findings.

Usage:
  find-guardduty-user find [flags]

Flags:
  -p    --aws-guardduty-partition string AWS partition ('aws' or 'aws-us-gov') used for inspecting guardduty (default "aws")
  -r    --aws-guardduty-region string   AWS region used for inspecting guardduty (default "us-west-2")
  -a, --archived                      Show archived findings instead of current findings
  -o, --output string                 Whether to print output as 'text' or 'json' (default "text")
  -v, --debug-logging                 log messages at the debug level.
  -h, --help                          help for find

Examples

Run the command like this:

find-guardduty-user find

Run the command in GovCloud like this:

find-guardduty-user find -p aws-us-gov -r us-gov-west-1

Review archived findings:

find-guardduty-user find -a

Look at the output in JSON format:

find-guardduty-user find -o json