Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Script to check what AWS IAM users and roles have rights to perform an action
#!/usr/bin/env python
import sys
import boto3
def get_paginated_results(product, action, key, credentials=None, args=None):
args = {} if args is None else args
return [y for sublist in [x[key] for x in boto3.client(product, **({} if credentials is None else credentials)).get_paginator(action).paginate(**args)] for y in sublist]
def simulate_policy(source_arn, action, resource_arns=None):
args = {
'PolicySourceArn': source_arn,
'ActionNames': [action]
if resource_arns is not None:
args['ResourceArns'] = resource_arns
result = get_paginated_results('iam', 'simulate_principal_policy', 'EvaluationResults', None, args)
return result[0]['EvalDecision'] == 'allowed'
action = sys.argv[1] if len(sys.argv) > 1 else None
resource_arn = sys.argv[2] if len(sys.argv) > 2 else None
client = boto3.client('iam')
users = get_paginated_results('iam', 'list_users', 'Users')
print('Users allowed to {}'.format(action))
for user in users:
if simulate_policy(user['Arn'], action, resource_arn):
print("Users allowed to {} by assuming a role".format(action))
roles = get_paginated_results('iam', 'list_roles', 'Roles')
for user in users:
if simulate_policy(user['Arn'], 'sts:AssumeRole', [x['Arn'] for x in roles]):
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.