@alexandrerocco
Forked from OnlyInAmerica/find_iam_user.py
Last active August 29, 2015 14:05
Finds the AWS IAM user that owns the access key passed as a command-line parameter.
# Find the IAM username that owns the access key ID given on the command line.
# Useful for finding the IAM user corresponding to a compromised AWS credential.
# Requirements:
#
# Environment variables:
#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# python:
#   boto
import boto.iam
import sys

# Connect using the credentials from the environment and list the IAM users.
iam = boto.connect_iam()
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']


def find_key(key_name):
    # Compare every access key of every listed user against the target key ID.
    for user in users:
        for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
            aws_access_key = key_result['access_key_id']
            if aws_access_key == key_name:
                print('Target key belongs to user: %s' % user['user_name'])
                return True
    return False


def main():
    # Exit with a usage message instead of an IndexError when no key is given.
    if len(sys.argv) != 2:
        sys.exit('Usage: %s <access_key_id>' % sys.argv[0])
    keyname = sys.argv[1]
    if not find_key(keyname):
        print('Did not find access key (%s) in %s IAM users.' % (keyname, len(users)))


if __name__ == '__main__':
    main()
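
An added example, not part of the original gist: the same lookup written against a boto3-style IAM client (an assumption; the gist uses the older boto library), using paginators so every user is scanned, reporting whether the key is still active, and rejecting `ASIA`-prefixed temporary credentials, which are never listed under an IAM user. The name `find_key_owner` is hypothetical.

```python
import sys


def find_key_owner(iam, access_key_id):
    """Return {'user', 'status', 'users_scanned'} for the key's owner, or None.

    `iam` is assumed to be a boto3 IAM client (boto3.client("iam")) or any
    object exposing the same get_paginator() interface.
    """
    # ASIA... IDs are temporary STS credentials; they are not listed under
    # any IAM user, so scanning for them would always come back empty.
    if access_key_id.startswith("ASIA"):
        raise ValueError("temporary (STS) credential, not an IAM user access key")
    scanned = 0
    # Paginators follow IsTruncated/Marker, so every user is visited.
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            scanned += 1
            name = user["UserName"]
            key_pages = iam.get_paginator("list_access_keys").paginate(UserName=name)
            for key_page in key_pages:
                for meta in key_page["AccessKeyMetadata"]:
                    if meta["AccessKeyId"] == access_key_id:
                        # Status tells the responder whether the key is still Active.
                        return {"user": name, "status": meta["Status"],
                                "users_scanned": scanned}
    return None


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: find_key_owner.py <access_key_id>")
    import boto3  # assumption: boto3 installed; needs iam:ListUsers, iam:ListAccessKeys
    hit = find_key_owner(boto3.client("iam"), sys.argv[1])
    print(hit if hit else "No IAM user in this account owns that key.")
```

A `None` result only means the key is not owned by a user in the account whose credentials ran the scan.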