Skip to content

Instantly share code, notes, and snippets.

@dgulinobw
Last active November 14, 2019 14:30
Show Gist options
  • Save dgulinobw/11aadce49df60d6039a6dbf132de69c7 to your computer and use it in GitHub Desktop.
Save dgulinobw/11aadce49df60d6039a6dbf132de69c7 to your computer and use it in GitHub Desktop.
List all IAM policies in account. Pipe to grep to find who has access to what.
#!/usr/bin/env python
from __future__ import print_function
import boto3
from pygments import highlight, lexers, formatters
from botocore.exceptions import ClientError
iam = boto3.resource('iam')
s3 = boto3.client('s3')
def highlight_python(python_code):
return highlight(str(python_code), lexers.PythonLexer(),formatters.TerminalFormatter())
def hp(python_code):
return highlight_python(python_code)
for group in iam.groups.all():
for policy in group.attached_policies.all():
try:
print('group: {}, attached_policy: {} = {}'.format( group.name, policy.name, hp(policy.policy_document)) )
except AttributeError as e:
print('group: {}, {}'.format( group.name, e) )
for policy in group.policies.all():
print('group: {}, policy: {} = {}'.format( group.name, policy.name, hp(policy.policy_document)))
for user in iam.users.all():
for policy in user.attached_policies.all():
try:
print('user: {}, attached_policy: {} = {}'.format( user.name, policy.name, hp(policy.policy_document)) )
except AttributeError as e:
print('user: {}, {}'.format( user.name, e) )
for policy in user.policies.all():
print('user: {}, policy: {} = {}'.format( user.name, policy.name, hp(policy.policy_document)))
for role in iam.roles.all():
for policy in role.attached_policies.all():
try:
print('policy: {}, attached_policy: {} = {}'.format( role.name, policy.name, hp(policy.policy_document)) )
except AttributeError as e:
print('role: {}, {}'.format( role.name, e))
for policy in role.policies.all():
print('role: {}, policy: {} = {}'.format( role.name, policy.name, hp(policy.policy_document)))
for bucket_name in [bucket.get("Name") for bucket in s3.list_buckets().get("Buckets")]:
try:
policy = s3.get_bucket_policy(Bucket=bucket_name)
print('bucket: {} = {}'.format( bucket_name, hp(policy)) )
except(ClientError):
print('bucket: {} has no policy attached'.format( bucket_name) )
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment