Last active
June 9, 2021 19:38
-
-
Save gene1wood/937ec793018884f580f81dc823423195 to your computer and use it in GitHub Desktop.
Script to check what AWS IAM users and roles have rights to perform an action
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys | |
| import boto3 | |
| def get_paginated_results(product, action, key, credentials=None, args=None): | |
| args = {} if args is None else args | |
| return [y for sublist in [x[key] for x in boto3.client(product, **({} if credentials is None else credentials)).get_paginator(action).paginate(**args)] for y in sublist] | |
| def simulate_policy(source_arn, action, resource_arns=None): | |
| args = { | |
| 'PolicySourceArn': source_arn, | |
| 'ActionNames': [action] | |
| } | |
| if resource_arns is not None: | |
| args['ResourceArns'] = resource_arns | |
| result = get_paginated_results('iam', 'simulate_principal_policy', 'EvaluationResults', None, args) | |
| return result[0]['EvalDecision'] == 'allowed' | |
| action = sys.argv[1] if len(sys.argv) > 1 else None | |
| resource_arn = sys.argv[2] if len(sys.argv) > 2 else None | |
| client = boto3.client('iam') | |
| users = get_paginated_results('iam', 'list_users', 'Users') | |
| print('Users allowed to {}'.format(action)) | |
| for user in users: | |
| if simulate_policy(user['Arn'], action, resource_arn): | |
| print(user['UserName']) | |
| print("Users allowed to {} by assuming a role".format(action)) | |
| roles = get_paginated_results('iam', 'list_roles', 'Roles') | |
| for user in users: | |
| if simulate_policy(user['Arn'], 'sts:AssumeRole', [x['Arn'] for x in roles]): | |
| print(user['UserName']) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment