Script to check which AWS IAM users and roles have rights to perform an action
#!/usr/bin/env python
import sys
import boto3
def get_paginated_results(product, action, key, credentials=None, args=None):
    """Collect every ``key`` entry across all pages of a paginated boto3 call.

    Args:
        product: boto3 service name, e.g. ``'iam'``.
        action: name of the paginated client operation, e.g. ``'list_users'``.
        key: response key whose list is concatenated across pages.
        credentials: optional kwargs forwarded to ``boto3.client`` (None means
            the default credential chain is used).
        args: optional kwargs forwarded to ``paginate`` (None means none).

    Returns:
        A flat list holding the ``key`` items of every page, in page order.
    """
    client_kwargs = {} if credentials is None else credentials
    paginate_kwargs = {} if args is None else args
    paginator = boto3.client(product, **client_kwargs).get_paginator(action)
    collected = []
    for page in paginator.paginate(**paginate_kwargs):
        collected.extend(page[key])
    return collected
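def simulate_policy(source_arn, action, resource_arns=None):
    """Return True if the IAM policy simulator allows ``source_arn`` to perform ``action``.

    Runs ``SimulatePrincipalPolicy`` for a single action and reads the
    ``EvalDecision`` of the first evaluation result.

    Args:
        source_arn: ARN of the IAM principal whose policies are simulated.
        action: a single action name such as ``'sts:AssumeRole'``.
        resource_arns: optional list of resource ARNs to scope the simulation;
            the ``ResourceArns`` parameter is omitted from the request when None.

    Returns:
        True only when the first evaluation result's ``EvalDecision`` is exactly
        ``'allowed'``; False for any other decision and for an empty result set.
    """
    args = {
        'PolicySourceArn': source_arn,
        'ActionNames': [action],
    }
    if resource_arns is not None:
        args['ResourceArns'] = resource_arns
    results = get_paginated_results('iam', 'simulate_principal_policy', 'EvaluationResults', args=args)
    # An empty result set previously raised IndexError on results[0]; report it
    # as "not shown to be allowed" instead of crashing the whole audit run.
    if not results:
        return False
    # NOTE(review): only results[0] is inspected and only the summary EvalDecision.
    # With several resource_arns the per-resource outcome is reported separately
    # (ResourceSpecificResults), and the simulator evaluates only the policies it
    # is given (no resource-based/trust policy is supplied here) -- confirm against
    # the IAM docs before treating a False as "definitely denied".
    return results[0]['EvalDecision'] == 'allowed'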
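action = sys.argv[1] if len(sys.argv) > 1 else None
resource_arn = sys.argv[2] if len(sys.argv) > 2 else None
if action is None:
    # Without an action name the simulation request cannot be built; fail early
    # with a usage line instead of a parameter-validation error from boto3.
    sys.exit('usage: {} <action> [resource-arn]'.format(sys.argv[0]))
# simulate_policy() sends resource_arns as the ResourceArns list parameter, so the
# single optional ARN from the command line must be wrapped in a list (passing the
# bare string is what the role check below never did, hence the inconsistency).
resource_arns = None if resource_arn is None else [resource_arn]

users = get_paginated_results('iam', 'list_users', 'Users')
print('Users allowed to {}'.format(action))
for user in users:
    if simulate_policy(user['Arn'], action, resource_arns):
        print(user['UserName'])

print("Users allowed to {} by assuming a role".format(action))
roles = get_paginated_results('iam', 'list_roles', 'Roles')
role_arns = [role['Arn'] for role in roles]
for user in users:
    # This only asks whether the user may call sts:AssumeRole on the account's
    # roles; it does not simulate `action` under each role's own policies, so a
    # listed user is a candidate for privilege escalation review, not a confirmed
    # holder of `action`.
    if simulate_policy(user['Arn'], 'sts:AssumeRole', role_arns):
        print(user['UserName'])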