
@jpbarto
Last active June 11, 2020 10:16
Shell script to query AWS CloudTrail and list all actions taken by an AWS Role
#!/bin/bash
###
#
# The following script queries AWS CloudTrail for any events matching $USERNAME which occurred with the permissions
# associated with $ROLE_ARN. All events that have occurred since $START_TIME (Unix timestamp in seconds) will
# be retrieved and the IAM actions of those events printed to STDOUT in a sorted and de-duplicated list.
#
# Notes:
# - `aws cloudtrail lookup-events` only searches the last 90 days of management events in the selected region.
#   For older history, or for data events, query the trail's S3 bucket (e.g. with Athena) instead.
# - The Username lookup attribute matches the session name of the assumed role; the jq filter then keeps only
#   events whose temporary credentials were issued by $ROLE_ARN, so other principals using the same session
#   name are excluded.
# - Failed calls are also returned by CloudTrail (they carry an errorCode field) and are listed here too, so an
#   action appearing in the output does not by itself prove the role is permitted to perform it.
#
# Sample Output:
#
# ec2.amazonaws.com DeleteVpcEndpoints
# ec2.amazonaws.com DescribeRouteTables
# ec2.amazonaws.com DescribeSecurityGroups
# ec2.amazonaws.com DescribeSubnets
# ec2.amazonaws.com DescribeVpcEndpoints
# ec2.amazonaws.com DescribeVpcs
# ec2.amazonaws.com DisassociateRouteTable
# ec2.amazonaws.com ModifyVpcAttribute
# iam.amazonaws.com AttachRolePolicy
# iam.amazonaws.com CreateRole
# iam.amazonaws.com DeleteRole
# iam.amazonaws.com DeleteRolePolicy
# iam.amazonaws.com DetachRolePolicy
# iam.amazonaws.com GetRole
#
# For more about `aws cloudtrail lookup-events` see: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/lookup-events.html
#
###
set -euo pipefail

ROLE_ARN="arn:aws:iam::776347453069:role/ds-administration-ServiceCatalogLaunchRole"
START_TIME=1588669200
USERNAME="servicecatalog"
REGION="eu-west-2"

# The CLI paginates automatically. With --query, each CloudTrailEvent is returned as a JSON string
# (the nested record is not expanded), so the result is a JSON array of strings.
EVENT_RECS=$(aws cloudtrail lookup-events \
  --lookup-attributes "AttributeKey=Username,AttributeValue=${USERNAME}" \
  --region "${REGION}" \
  --start-time "${START_TIME}" \
  --output json \
  --query 'Events[].CloudTrailEvent')

# Decode each record with fromjson, keep only events issued by ROLE_ARN, and print unique (service, action) pairs.
printf '%s' "${EVENT_RECS}" | jq -r --arg role_arn "${ROLE_ARN}" \
  '.[] | fromjson | select(.userIdentity.sessionContext.sessionIssuer.arn == $role_arn) | [.eventSource, .eventName] | @tsv' \
  | sort -u
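The same filtering as the jq pipeline above, as an added example in Python that is not part of the gist: it runs offline over constructed CloudTrail records shaped like the `--query 'Events[].CloudTrailEvent'` output (a JSON array of JSON strings), keeps only events whose credentials were issued by the target role, and goes one step further than the script by separating successful calls from failed ones (CloudTrail records a failed call with an `errorCode` field, e.g. `AccessDenied`) and by collecting the role session names seen. That split is what you want when right-sizing a role's policy: actions that were only ever denied are not evidence the role needs them. The account ID, role names, session names and all sample records below are constructed for this example.

```python
"""Summarise which API actions an IAM role actually used, from `aws cloudtrail lookup-events` output.

Added example (not the gist's code). Input shape assumed: the JSON array printed by
    aws cloudtrail lookup-events --query 'Events[].CloudTrailEvent' --output json
i.e. a list of strings, each one a CloudTrail event record serialised as JSON.
"""
import json
from collections import defaultdict

# Constructed sample identities (hypothetical account id and role names).
ROLE = "arn:aws:iam::123456789012:role/LaunchRole"
OTHER_ROLE = "arn:aws:iam::123456789012:role/ReadOnlyRole"


def _record(source, name, issuer_arn=None, session="session-1", error_code=None):
    """Build one constructed CloudTrail record, serialised as the CLI returns it (a JSON string)."""
    identity = {"type": "AssumedRole" if issuer_arn else "IAMUser"}
    if issuer_arn:
        role_name = issuer_arn.rsplit("/", 1)[-1]
        identity["arn"] = f"arn:aws:sts::123456789012:assumed-role/{role_name}/{session}"
        identity["sessionContext"] = {"sessionIssuer": {"type": "Role", "arn": issuer_arn}}
    else:
        identity["arn"] = "arn:aws:iam::123456789012:user/alice"  # IAM user: no sessionContext
    rec = {"eventVersion": "1.08", "eventSource": source, "eventName": name,
           "awsRegion": "eu-west-2", "userIdentity": identity}
    if error_code:
        rec["errorCode"] = error_code  # present only when the call failed
    return json.dumps(rec)


# Constructed sample input: duplicates, a denied call, another role, and an IAM user.
SAMPLE_EVENTS = [
    _record("ec2.amazonaws.com", "DescribeVpcs", ROLE),
    _record("ec2.amazonaws.com", "DescribeVpcs", ROLE, session="session-2"),
    _record("iam.amazonaws.com", "CreateRole", ROLE),
    _record("iam.amazonaws.com", "DeleteRole", ROLE, error_code="AccessDenied"),
    _record("ec2.amazonaws.com", "DescribeSubnets", OTHER_ROLE),  # different issuer: ignored
    _record("iam.amazonaws.com", "GetRole"),                       # IAM user: ignored
]


def parse_lookup_output(raw_events):
    """Decode each element; the CLI leaves CloudTrailEvent as a string (jq's fromjson step)."""
    return [json.loads(e) if isinstance(e, str) else e for e in raw_events]


def session_issuer_arn(record):
    """Role that issued the temporary credentials, or None for IAM users, root and other shapes."""
    return (record.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("sessionIssuer", {})
                  .get("arn"))


def summarize_role_actions(raw_events, role_arn):
    """Return {(eventSource, eventName): {"ok": n, "failed": m, "errors": set, "sessions": set}}
    for records whose credentials were issued by role_arn."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "errors": set(), "sessions": set()})
    for rec in parse_lookup_output(raw_events):
        if session_issuer_arn(rec) != role_arn:
            continue
        entry = summary[(rec["eventSource"], rec["eventName"])]
        if "errorCode" in rec:
            entry["failed"] += 1
            entry["errors"].add(rec["errorCode"])
        else:
            entry["ok"] += 1
        # assumed-role ARN ends in the session name
        entry["sessions"].add(rec["userIdentity"].get("arn", "").rsplit("/", 1)[-1])
    return dict(summary)


def format_summary(summary):
    """Sorted, de-duplicated lines like the gist prints, plus success/failure counts per action."""
    lines = []
    for (source, name), e in sorted(summary.items()):
        errs = ",".join(sorted(e["errors"])) or "-"
        lines.append(f"{source}\t{name}\tok={e['ok']}\tfailed={e['failed']}\terrors={errs}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_summary(summarize_role_actions(SAMPLE_EVENTS, ROLE))))
```

To use it against real data, replace `SAMPLE_EVENTS` with `json.load()` of the CLI output saved to a file; the only CloudTrail fields relied on are `eventSource`, `eventName`, `errorCode` and `userIdentity.sessionContext.sessionIssuer.arn`.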