Find out which roles/groups or users can perform an action

aws-action-test.py

#
# Recommended use
# python3 aws-action-test.py ec2:create-instance > arns.json
#
# This is pretty slow but I think it hits most main things in AWS
#

import boto3

from sys import argv

BILLING_ACTION = "aws-portal:ModifyAccount"

def get_all(client, func_name, results_key, **kwargs):
  paginator = client.get_paginator(func_name)

  res = []
  for page in paginator.paginate(**kwargs):
    res += page[results_key]

  return res

def get_all_arns():
  res = []

  client = boto3.client('iam')

  users = get_all(client, 'list_users', 'Users')
  res += [u['Arn'] for u in users]

  groups = get_all(client, 'list_groups', 'Groups')
  res += [g['Arn'] for g in groups]

  roles = get_all(client, 'list_roles', 'Roles')
  res += [r['Arn'] for r in roles]

  return res

def main(arns, action):
  res = {
    "allowed":[],
    "implicitDeny":[],
    "explicitDeny":[],
  }

  client = boto3.client('iam')

  for test_arn in arns:
    resp = client.simulate_principal_policy(PolicySourceArn=test_arn, ActionNames=[action])

    eval_decision = resp["EvaluationResults"][0]["EvalDecision"]

    if eval_decision not in res:
      msg = "Unknown EvalDecision, {}, for arn: {} & action {}".format(eval_decision, test_arn, action)
      raise Exception(msg)

    res[eval_decision].append(test_arn)

  return res

if __name__ == '__main__':

  import argparse

  parser = argparse.ArgumentParser()
  parser.add_argument('arns', metavar='A', nargs='*', help='ARNs to test')
  parser.add_argument("--action", help="Name of AWS action to test", default=BILLING_ACTION)

  args = parser.parse_args()

  if len(args.arns) > 0:
    arns = args.arns
  else:
    arns = get_all_arns()

  res = main(arns, args.action)

  import json
  print(json.dumps(res))