@rkreddyp
Created February 17, 2019 03:05
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<script>\n",
"code_show=true; \n",
"function code_toggle() {\n",
" if (code_show){\n",
" $('div.input').hide();\n",
" } else {\n",
" $('div.input').show();\n",
" }\n",
" code_show = !code_show\n",
"} \n",
"$( document ).ready(code_toggle);\n",
"</script>\n",
"The raw code for this IPython notebook is by default hidden for easier reading.\n",
"To change input parameters to the code, toggle on/off the raw code, click <a href=\"javascript:code_toggle()\">here</a>."
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"execution_count": 1,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"from IPython.display import HTML\n",
"\n",
"HTML('''<script>\n",
"code_show=true; \n",
"function code_toggle() {\n",
" if (code_show){\n",
" $('div.input').hide();\n",
" } else {\n",
" $('div.input').show();\n",
" }\n",
" code_show = !code_show\n",
"} \n",
"$( document ).ready(code_toggle);\n",
"</script>\n",
"The raw code for this IPython notebook is by default hidden for easier reading.\n",
"To change input parameters to the code, toggle on/off the raw code, click <a href=\"javascript:code_toggle()\">here</a>.''')"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-top'></a>\n",
"\n",
"# IAM Notebook\n",
"\n",
"This notebook helps security practitioners keep track of and right-size IAM roles and stale users.\n",
"\n",
" * List of IAM roles by date created\n",
" * List of IAM users by date created\n",
" * Access Advisor\n",
" * Roles that did not access services and policies that gave access to corresponding services\n",
" \n",
" * Best Practice Checks\n",
" * Access keys are not enabled for Root\n",
" * MFA is enabled for all users who have passwords\n",
"\n",
"## The following services are supported on this runbook\n",
"\n",
" * IAM - Summary of Roles, Users and Groups\n",
" * [IAM Role Summary](#iam-role-summary)\n",
" * [IAM User Summary](#iam-user-summary)\n",
" * [IAM Group Summary](#iam-group-summary)\n",
" * [IAM Access Advisor](#iam-access-advisor)\n",
" * [Role and Service Access Analysis](#iam-access-analysis)\n",
" * [Policy Analysis](#iam-policy-analysis)\n",
" * [IAM Best Practice Checks](#iam-best-practice)\n",
" * Users for which MFA is not active AND password is enabled\n",
" * Users where password is not changed in the last 90 days\n",
" * MFA enabled for Root Account\n",
" "
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Python Imports"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"import sys\n",
"sys.path.append('/usr/local/lib/python3.6/site-packages')\n",
"sys.path.append('/home/ec2-user/anaconda3/envs/JupyterSystemEnv/bin:/home/ec2-user/anaconda3/bin/')\n",
"sys.path.extend (['/usr/local/bin','/bin:/usr/bin','/usr/local/sbin','/usr/sbin','/sbin','/opt/aws/bin'])\n",
"\n",
"\n",
"import boto3\n",
"import datetime\n",
"import pandas as pd\n",
"import logging\n",
"import json\n",
"import time\n",
"from cloudgovernor.helpers import spend_helpers\n",
"from cloudgovernor.helpers import lib_helpers\n",
"from cloudgovernor.helpers import aws_helpers\n",
"from cloudgovernor.cfexplore import cf_monitor\n",
"from cloudgovernor.iam import iam_analyze\n",
"from importlib import reload\n",
"from IPython.display import display, HTML\n",
"from IPython.display import Markdown as md\n",
"import IPython.core.display as di\n",
"\n",
"\n",
"logger = logging.getLogger(__name__)\n",
"logging.getLogger().setLevel(logging.INFO)\n",
"logging.getLogger('boto3').setLevel(logging.CRITICAL)\n",
"logging.getLogger('botocore').setLevel(logging.CRITICAL)\n",
"# None disables column truncation; the older -1 value is rejected by current pandas\n",
"pd.set_option('display.max_colwidth', None)\n",
"\n",
"\n",
"\n"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"#!{sys.executable} -m pip install boto3\n",
"#!conda install --yes --prefix {sys.prefix} boto3\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-role-summary'></a>\n",
"\n",
"# IAM Roles"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ## IAM Roles Summary\n",
" * No. of Roles: 20\n",
" * Latest Created Role : arn:aws:iam::833730960164:role/cgrole(2019-01-28 17:46:54+00:00)\n",
" * Oldest Role : arn:aws:iam::833730960164:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport, (2018-10-06 12:21:02+00:00)\n",
" "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/markdown": [
" ## List of Roles "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Arn</th>\n",
" <th>AssumeRolePolicyDocument</th>\n",
" <th>CreateDate</th>\n",
" <th>Description</th>\n",
" <th>MaxSessionDuration</th>\n",
" <th>Path</th>\n",
" <th>RoleId</th>\n",
" <th>RoleName</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/adminrole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'lambda.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-11-20 16:56:06+00:00</td>\n",
" <td>Allows Lambda functions to call AWS services on your behalf.</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAJNKBYXQ76K5NFKP2C</td>\n",
" <td>adminrole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'sagemaker.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-11-27 20:23:25+00:00</td>\n",
" <td>SageMaker execution role created from the SageMaker AWS Management Console.</td>\n",
" <td>3600</td>\n",
" <td>/service-role/</td>\n",
" <td>AROAJYU2NHLWMECYSRTOS</td>\n",
" <td>AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'guardduty.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2019-01-14 19:37:44+00:00</td>\n",
" <td>A service-linked role required for Amazon GuardDuty to access your resources.</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/guardduty.amazonaws.com/</td>\n",
" <td>AROAJFNQBCYNIFX2T27KE</td>\n",
" <td>AWSServiceRoleForAmazonGuardDuty</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'inspector.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-12-12 20:03:25+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/inspector.amazonaws.com/</td>\n",
" <td>AROAJYGJZVFEJQ6QA3L5S</td>\n",
" <td>AWSServiceRoleForAmazonInspector</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'ecs.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-07 14:42:57+00:00</td>\n",
" <td>Role to enable Amazon ECS to manage your cluster.</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/ecs.amazonaws.com/</td>\n",
" <td>AROAISR6MINDSONFR2GJU</td>\n",
" <td>AWSServiceRoleForECS</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'organizations.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2019-01-03 09:35:29+00:00</td>\n",
" <td>Service-linked role used by AWS Organizations to enable integration of other AWS services with Organizations.</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/organizations.amazonaws.com/</td>\n",
" <td>AROAIZGXBLKCNICBVGKME</td>\n",
" <td>AWSServiceRoleForOrganizations</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'securityhub.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-11-28 17:47:24+00:00</td>\n",
" <td>A service-linked role required for AWS Security Hub to access your resources.</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/securityhub.amazonaws.com/</td>\n",
" <td>AROAIH53PBZAYRROTJBIK</td>\n",
" <td>AWSServiceRoleForSecurityHub</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'support.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-06 12:21:02+00:00</td>\n",
" <td>Enables resource access for AWS to provide billing, administrative and support services</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/support.amazonaws.com/</td>\n",
" <td>AROAJUR4B6NP44X44SF7O</td>\n",
" <td>AWSServiceRoleForSupport</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'trustedadvisor.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-06 12:21:02+00:00</td>\n",
" <td>Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment.</td>\n",
" <td>3600</td>\n",
" <td>/aws-service-role/trustedadvisor.amazonaws.com/</td>\n",
" <td>AROAJFYYGOLCRWAXYIYOM</td>\n",
" <td>AWSServiceRoleForTrustedAdvisor</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/AWS_InspectorEvents_Invoke_Assessment_Template</td>\n",
" <td>{'Version': '2008-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'events.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-12-12 20:03:26+00:00</td>\n",
" <td>Role for scheduled Inspector assessment from Cloudwatch Events</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAIRBJPB53AY6GDVDAC</td>\n",
" <td>AWS_InspectorEvents_Invoke_Assessment_Template</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/cgnotebookrole</td>\n",
" <td>{'Version': '2008-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::833730960164:user/elasticcrew', 'Service': ['config.amazonaws.com', 'lambda.amazonaws.com', 'apigateway.amazonaws.com', 'sagemaker.amazonaws.com', 'events.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2019-01-14 20:51:17+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAJ3HR6HM2HJZDYCZOW</td>\n",
" <td>cgnotebookrole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/cgrole</td>\n",
" <td>{'Version': '2008-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::833730960164:user/elasticcrew', 'Service': ['config.amazonaws.com', 'lambda.amazonaws.com', 'apigateway.amazonaws.com', 'sagemaker.amazonaws.com', 'events.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2019-01-28 17:46:54+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAIF7D7TNEND44NIBBE</td>\n",
" <td>cgrole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/ecsTaskExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': 'ecs-tasks.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-07 18:35:57+00:00</td>\n",
" <td>Allows ECS tasks to call AWS services on your behalf.</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAISQJKU3EQWVMYE2YO</td>\n",
" <td>ecsTaskExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/slackapp-virclop-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-06 19:38:18+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAIF4OMP5OAQ3EKUBEK</td>\n",
" <td>slackapp-virclop-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/slackapp-virclopslackapp-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-06 19:34:43+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAIF6ESWFBA5SEYAYBS</td>\n",
" <td>slackapp-virclopslackapp-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-admininstall-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-23 22:59:01+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAJVYB36LMZOCB2RK2A</td>\n",
" <td>virclop-admininstall-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-cftresponder-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-06 20:44:37+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAJKKGZULNAJ7T25GEI</td>\n",
" <td>virclop-cftresponder-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-sendgrid-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-16 18:28:58+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAJOFYL6A6QFBIQP7VW</td>\n",
" <td>virclop-sendgrid-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-slackappinstall-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-06 19:42:09+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAJJZTVP3VWO6QDRV44</td>\n",
" <td>virclop-slackappinstall-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-slashcommand-ZappaLambdaExecutionRole</td>\n",
" <td>{'Version': '2012-10-17', 'Statement': [{'Sid': '', 'Effect': 'Allow', 'Principal': {'Service': ['apigateway.amazonaws.com', 'events.amazonaws.com', 'lambda.amazonaws.com']}, 'Action': 'sts:AssumeRole'}]}</td>\n",
" <td>2018-10-17 12:25:34+00:00</td>\n",
" <td>NaN</td>\n",
" <td>3600</td>\n",
" <td>/</td>\n",
" <td>AROAIEBHWPDQWSH2BVH36</td>\n",
" <td>virclop-slashcommand-ZappaLambdaExecutionRole</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"iam_client=boto3.client('iam')\n",
"items = []\n",
"response = iam_client.list_roles()\n",
"while response:\n",
" items += response['Roles']\n",
" response = iam_client.list_roles(Marker=response['Marker']) if 'Marker' in response else None \n",
"role_df = pd.DataFrame (items)\n",
"\n",
"display (md(\"\"\" ## IAM Roles Summary\n",
" * No. of Roles: {noroles}\n",
" * Latest Created Role : {latestrole}({latestcreateddate})\n",
" * Oldest Role : {oldestrole}, ({oldestcreateddate})\n",
" \"\"\".format(noroles=len(role_df),latestrole=role_df[role_df.CreateDate == role_df.CreateDate.max()].Arn.tolist()[0], oldestrole =role_df[role_df.CreateDate == role_df.CreateDate.min()].Arn.tolist()[0], oldestcreateddate=role_df.CreateDate.min(), latestcreateddate=role_df.CreateDate.max() )\n",
" ))\n",
"\n",
"display (md(\"\"\" ## List of Roles \"\"\"))\n",
"display(HTML(role_df.to_html(index=False, justify=\"left\")))\n",
"\n",
"\n",
"\n",
"\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-user-summary'></a>\n",
"# IAM Users"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ## IAM Users Summary\n",
" * No. of Users: 2\n",
" * Latest Created User : arn:aws:iam::833730960164:user/virclopad(2018-10-06 19:32:12+00:00)\n",
" * Oldest User : arn:aws:iam::833730960164:user/elasticcrew, (2018-10-06 18:57:13+00:00)\n",
" "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/markdown": [
" ## List of Users "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Arn</th>\n",
" <th>CreateDate</th>\n",
" <th>Path</th>\n",
" <th>UserId</th>\n",
" <th>UserName</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/elasticcrew</td>\n",
" <td>2018-10-06 18:57:13+00:00</td>\n",
" <td>/</td>\n",
" <td>AIDAJEOBJDN3QZW2MSBGA</td>\n",
" <td>elasticcrew</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/virclopad</td>\n",
" <td>2018-10-06 19:32:12+00:00</td>\n",
" <td>/</td>\n",
" <td>AIDAISZQ73TTRN5WNYHY6</td>\n",
" <td>virclopad</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"iam_client=boto3.client('iam')\n",
"\n",
"items = []\n",
"response = iam_client.list_users()\n",
"while response:\n",
"    items += response['Users']\n",
"    # follow the pagination marker with list_users; list_roles here would mix role pages into the user list\n",
"    response = iam_client.list_users(Marker=response['Marker']) if 'Marker' in response else None\n",
"user_df = pd.DataFrame (items)\n",
"\n",
"display (md(\"\"\" ## IAM Users Summary\n",
" * No. of Users: {nousers}\n",
" * Latest Created User : {latestuser}({latestcreateddate})\n",
" * Oldest User : {oldestuser}, ({oldestcreateddate})\n",
" \"\"\".format(nousers=len(user_df),latestuser=user_df[user_df.CreateDate == user_df.CreateDate.max()].Arn.tolist()[0], oldestuser = user_df[user_df.CreateDate == user_df.CreateDate.min()].Arn.tolist()[0], oldestcreateddate=user_df.CreateDate.min(), latestcreateddate=user_df.CreateDate.max() )\n",
" ))\n",
"\n",
"display (md(\"\"\" ## List of Users \"\"\"))\n",
"display(HTML(user_df.to_html(index=False, justify=\"left\")))\n",
"\n",
"\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-group-summary'></a>\n",
"# IAM Groups"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ## IAM Groups Summary\n",
" * No. of Groups: 1\n",
" * Latest Created Group : arn:aws:iam::833730960164:group/admins(2019-02-14 13:16:49+00:00)\n",
" * Oldest Group : arn:aws:iam::833730960164:group/admins, (2019-02-14 13:16:49+00:00)\n",
" "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/markdown": [
" ## List of Groups "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Arn</th>\n",
" <th>CreateDate</th>\n",
" <th>GroupId</th>\n",
" <th>GroupName</th>\n",
" <th>Path</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:group/admins</td>\n",
" <td>2019-02-14 13:16:49+00:00</td>\n",
" <td>AGPAILB3HNFIT5LSIPHZE</td>\n",
" <td>admins</td>\n",
" <td>/</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"iam_client=boto3.client('iam')\n",
"\n",
"items = []\n",
"response = iam_client.list_groups()\n",
"while response:\n",
"    items += response['Groups']\n",
"    # follow the pagination marker with list_groups; list_roles here would mix role pages into the group list\n",
"    response = iam_client.list_groups(Marker=response['Marker']) if 'Marker' in response else None\n",
"group_df = pd.DataFrame (items)\n",
"\n",
"display (md(\"\"\" ## IAM Groups Summary\n",
" * No. of Groups: {nogroups}\n",
" * Latest Created Group : {latestgroup}({latestcreateddate})\n",
" * Oldest Group : {oldestgroup}, ({oldestcreateddate})\n",
" \"\"\".format(nogroups=len(group_df),latestgroup=group_df[group_df.CreateDate == group_df.CreateDate.max()].Arn.tolist()[0], oldestgroup = group_df[group_df.CreateDate == group_df.CreateDate.min()].Arn.tolist()[0], oldestcreateddate=group_df.CreateDate.min(), latestcreateddate=group_df.CreateDate.max() )\n",
" ))\n",
"\n",
"display (md(\"\"\" ## List of Groups \"\"\"))\n",
"display(HTML(group_df.to_html(index=False, justify=\"left\")))\n",
"\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-access-advisor'></a>\n",
"# IAM Access Advisor\n",
"This section gives advice on \n",
" * Inactive users and roles\n",
" [Go to Top](#iam-top)"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [],
"source": [
"\n",
"import boto3\n",
"\n",
"iam_client=boto3.client('iam')\n",
"\n",
"## Get the jobs from generate_service_last_accessed_details\n",
"arn_list = pd.DataFrame (iam_client.list_roles()['Roles'])['Arn'].tolist()\n",
"job_arr = []\n",
"df_arr = []\n",
"for arn in arn_list :\n",
" job_id = iam_client.generate_service_last_accessed_details(Arn=arn)['JobId']\n",
" job_task = {}\n",
" job_task['arn'] = arn\n",
" job_task['id'] = job_id\n",
" job_arr.append(job_task)\n",
"\n",
"job_df = pd.DataFrame(job_arr)\n",
"job_arr = job_df.id.tolist()\n",
"\n",
"## Get access details from get_service_last_accessed_details\n",
"for job in job_arr:\n",
"    # Poll until this job leaves IN_PROGRESS, so each role is recorded once and with complete data\n",
"    details = iam_client.get_service_last_accessed_details(JobId=job)\n",
"    while details['JobStatus'] == 'IN_PROGRESS':\n",
"        time.sleep(1)\n",
"        details = iam_client.get_service_last_accessed_details(JobId=job)\n",
"    idf = pd.DataFrame(details.get('ServicesLastAccessed', []))\n",
"    idf['job_status'] = details['JobStatus']\n",
"    idf['arn'] = job_df[job_df.id == job]['arn'].tolist()[0]\n",
"    if 'LastAuthenticated' in idf.columns:\n",
"        idf.LastAuthenticated = idf.LastAuthenticated.astype(str)\n",
"    if not idf.empty:\n",
"        df_arr.append(idf)\n",
" \n",
"iid_df = pd.concat(df_arr)\n",
"all_service_names = iid_df['ServiceNamespace'].unique().tolist()\n",
"all_roles = iid_df['arn'].unique().tolist()\n",
"\n",
"\n",
"\n",
"#iid_df = iid_df[['arn', 'ServiceName', 'ServiceNamespace', 'LastAuthenticated', 'TotalAuthenticatedEntities', 'job_status' ]]\n",
"\n",
"iid_df.LastAuthenticated = iid_df.LastAuthenticated.astype(str)\n",
"iid_df = iid_df[iid_df.LastAuthenticated != \"NaN\"]\n",
"iid_df = iid_df[iid_df.LastAuthenticated != \"nan\"]\n",
"iid_df = iid_df[iid_df.LastAuthenticated != \"NaT\"]\n",
"\n",
"oiid_df = iid_df.copy()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## List of Roles and Services Accessed \n",
"For each role, which services did it access? Security analysts can review this activity to see whether any role is accessing services and making calls that it should not."
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>arn</th>\n",
" <th>services</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/AWS_InspectorEvents_Invoke_Assessment_Template</td>\n",
" <td>inspector</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS</td>\n",
" <td>ec2</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector</td>\n",
" <td>ec2</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub</td>\n",
" <td>cloudtrail,cloudwatch,config</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport</td>\n",
" <td>ec2,rds,redshift</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor</td>\n",
" <td>autoscaling,cloudformation,cloudfront,cloudtrail,dynamodb,ec2,elasticloadbalancing,iam,kinesis,rds,redshift,route53,s3,ses</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/cgrole</td>\n",
" <td>acm,apigateway,autoscaling,ce,cloudformation,cloudtrail,cloudwatch,codepipeline,config,dynamodb,ec2,elasticloadbalancing,events,guardduty,iam,inspector,kms,lambda,logs,rds,redshift,s3,sagemaker,securityhub,ssm,sts</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/ecsTaskExecutionRole</td>\n",
" <td>ecr,logs</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>ce,cloudwatch,config,ec2,ec2messages,elasticloadbalancing,guardduty,iam,kms,logs,s3,sagemaker,sns,ssm,sts</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/slackapp-virclop-ZappaLambdaExecutionRole</td>\n",
" <td>lambda,logs</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/slackapp-virclopslackapp-ZappaLambdaExecutionRole</td>\n",
" <td>lambda,logs</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-admininstall-ZappaLambdaExecutionRole</td>\n",
" <td>lambda,logs,s3</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-cftresponder-ZappaLambdaExecutionRole</td>\n",
" <td>ecs,lambda,logs</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-sendgrid-ZappaLambdaExecutionRole</td>\n",
" <td>lambda,logs</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-slackappinstall-ZappaLambdaExecutionRole</td>\n",
" <td>dynamodb,lambda,logs,s3</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/virclop-slashcommand-ZappaLambdaExecutionRole</td>\n",
" <td>lambda,logs</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"iid_df_group = iid_df.groupby( [\"arn\"])['ServiceNamespace'].agg(','.join).reset_index(name='services')\n",
"\n",
"#display (md(\"\"\" ## List of Roles and Services Accessed \"\"\"))\n",
"display(HTML(iid_df_group.to_html(index=False, justify=\"left\")))\n",
"\n",
"\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Inactive Users and Roles\n",
"The following cell checks for users and roles that have not accessed services in the last 120 days (you can change that number by changing the `num_days` variable below).\n"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ##### The following are the in-active users who have not accessed any services in the last 120 days "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'arn:aws:iam::833730960164:role/slackapp-virclopslackapp-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/slackapp-virclop-ZappaLambdaExecutionRole'}\n"
]
}
],
"source": [
"\n",
"num_days = 120\n",
"cutoff = pd.Timestamp.now(tz='UTC') - pd.Timedelta(days=num_days)\n",
"# LastAuthenticated carries a UTC offset, so parse it as timezone-aware before comparing\n",
"iid_df.LastAuthenticated = pd.to_datetime(iid_df.LastAuthenticated, utc=True)\n",
"\n",
"# rows for services whose last access is older than num_days\n",
"iid_df_nla = iid_df[iid_df.LastAuthenticated < cutoff]\n",
"\n",
"# rows for services that were accessed within the last num_days\n",
"iid_df_la = iid_df[iid_df.LastAuthenticated > cutoff]\n",
"\n",
"display (md(\"\"\" ##### The following are the in-active users who have not accessed any services in the last {} days \"\"\".format(num_days)))\n",
"\n",
"# entities seen only before the cutoff, i.e. with no access to any service since then\n",
"print (set (iid_df_nla.LastAuthenticatedEntity.unique().tolist()) - set (iid_df_la.LastAuthenticatedEntity.unique().tolist() ) )\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-access-analysis'></a>\n",
"## Role and Policy Analysis\n",
"\n",
"For given roles, this section lists the services that the role **has access to, but DID NOT ACCESS**. Also listed is the policy that enables that access. Users are advised to review those policies and tighten them, since they grant more than the role actually uses.\n",
"\n",
"The following cell produces the following information:\n",
" * arn : Role \n",
" * policy-type: The policy attached to the role that grants the access \n",
" * ServiceNamespace: Service that the policy grants access to\n",
" * has_accessed : Whether the role has accessed the service\n",
" * last_accessed : If accessed, the date of the last access\n",
" \n",
" [Go to Top](#iam-top)"
]
},
{
"cell_type": "code",
"execution_count": 10,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Pick any role from below for policy level analysis : ['arn:aws:iam::833730960164:role/adminrole', 'arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303', 'arn:aws:iam::833730960164:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty', 'arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector', 'arn:aws:iam::833730960164:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS', 'arn:aws:iam::833730960164:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations', 'arn:aws:iam::833730960164:role/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub', 'arn:aws:iam::833730960164:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport', 'arn:aws:iam::833730960164:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor', 'arn:aws:iam::833730960164:role/AWS_InspectorEvents_Invoke_Assessment_Template', 'arn:aws:iam::833730960164:role/cgnotebookrole', 'arn:aws:iam::833730960164:role/cgrole', 'arn:aws:iam::833730960164:role/ecsTaskExecutionRole', 'arn:aws:iam::833730960164:role/slackapp-virclop-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/slackapp-virclopslackapp-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/virclop-admininstall-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/virclop-cftresponder-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/virclop-sendgrid-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/virclop-slackappinstall-ZappaLambdaExecutionRole', 'arn:aws:iam::833730960164:role/virclop-slashcommand-ZappaLambdaExecutionRole']\n"
]
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Policies</th>\n",
" <th>ServiceNamespace</th>\n",
" <th>arn</th>\n",
" <th>has_accessed</th>\n",
" <th>last_accessed</th>\n",
" <th>policy-type</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>a4b</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>acm</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>acm-pca</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>amplify</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>apigateway</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>application-autoscaling</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>appstream</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>appsync</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>artifact</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>athena</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>autoscaling</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>autoscaling-plans</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>aws-marketplace</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>aws-marketplace-management</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>aws-portal</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>backup</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>batch</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>budgets</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ce</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-04 20:35:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>chime</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cloud9</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>clouddirectory</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cloudformation</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cloudfront</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cloudhsm</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cloudsearch</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cloudtrail</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}]</td>\n",
" <td>cloudwatch</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-16 03:37:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>codebuild</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>codecommit</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>codedeploy</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>codepipeline</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>codestar</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cognito-identity</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cognito-idp</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cognito-sync</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>comprehend</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>comprehendmedical</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>config</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-04 20:35:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>connect</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>cur</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>datapipeline</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>datasync</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>dax</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>deeplens</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>devicefarm</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>directconnect</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>discovery</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>dlm</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>dms</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ds</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>dynamodb</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ec2</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-18 07:35:00+00:00</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ec2messages</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2019-01-09 14:52:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}]</td>\n",
" <td>ecr</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ecs</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>eks</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}]</td>\n",
" <td>elastic-inference</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>elasticache</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>elasticbeanstalk</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>elasticfilesystem</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>elasticloadbalancing</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-04 15:06:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>elasticmapreduce</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>elastictranscoder</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>es</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>events</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>execute-api</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>firehose</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>fms</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>freertos</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>fsx</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>gamelift</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>glacier</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>globalaccelerator</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}]</td>\n",
" <td>glue</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>greengrass</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}]</td>\n",
" <td>groundtruthlabeling</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>guardduty</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-04 15:06:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>health</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}]</td>\n",
" <td>iam</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-11-29 15:23:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>importexport</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>inspector</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>iot</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>iot1click</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>iotanalytics</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>iotevents</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>kafka</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>kinesis</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>kinesisanalytics</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>kinesisvideo</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>kms</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-16 03:37:00+00:00</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>lambda</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>lex</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>license-manager</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>lightsail</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>logs</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-16 03:38:00+00:00</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>machinelearning</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>macie</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mechanicalturk</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mediaconnect</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mediaconvert</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>medialive</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mediapackage</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mediastore</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mgh</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mobileanalytics</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mobilehub</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mobiletargeting</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>mq</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>neptune-db</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>opsworks</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>opsworks-cm</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>organizations</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>pi</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>polly</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>pricing</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>quicksight</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ram</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>rds</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>redshift</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>rekognition</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>resource-groups</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>robomaker</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>route53</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>route53domains</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>route53resolver</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AmazonSageMaker-ExecutionPolicy-20181127T152303', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::833730960164:policy/service-role/AmazonSageMaker-ExecutionPolicy-20181127T152303'}]</td>\n",
" <td>s3</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-18 07:35:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sagemaker</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-16 03:37:00+00:00</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sdb</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonSageMakerFullAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>secretsmanager</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>securityhub</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>serverlessrepo</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>servicecatalog</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>servicediscovery</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ses</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>shield</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>signer</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sms</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sms-voice</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>snowball</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sns</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-04 15:06:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sqs</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ssm</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2019-01-09 14:54:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>ssmmessages</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sso</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sso-directory</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>states</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>storagegateway</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sts</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>True</td>\n",
" <td>2018-12-18 07:35:00+00:00</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>sumerian</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>support</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>swf</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>tag</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>textract</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>transcribe</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>transfer</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>translate</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>trustedadvisor</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>waf</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>waf-regional</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>wam</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>wellarchitected</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>workdocs</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>worklink</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>workmail</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>workspaces</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>xray</td>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonInspectorServiceRolePolicy', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/aws-service-role/AmazonInspectorServiceRolePolicy'}]</td>\n",
" <td>directconnect</td>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonInspectorServiceRolePolicy(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonInspectorServiceRolePolicy', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/aws-service-role/AmazonInspectorServiceRolePolicy'}]</td>\n",
" <td>ec2</td>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector</td>\n",
" <td>True</td>\n",
" <td>2018-12-12 20:11:00+00:00</td>\n",
" <td>AmazonInspectorServiceRolePolicy(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>[{'PolicyName': 'AmazonInspectorServiceRolePolicy', 'PolicyType': 'MANAGED', 'PolicyArn': 'arn:aws:iam::aws:policy/aws-service-role/AmazonInspectorServiceRolePolicy'}]</td>\n",
" <td>elasticloadbalancing</td>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector</td>\n",
" <td>False</td>\n",
" <td>NA</td>\n",
" <td>AmazonInspectorServiceRolePolicy(MANAGED Policy)</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"#all_service_names = iid_df['ServiceNamespace'].unique().tolist()\n",
"#all_roles = iid_df['arn'].unique().tolist()\n",
"\n",
"\n",
"iid_df = oiid_df.copy()\n",
"#services_list = iid_df_group.services.tolist()[0]\n",
"#services_list = services_list.split(\",\") # all possible services\n",
"sdf_arr = []\n",
"print (\"Pick any role from below for policy level analysis :\", all_roles)\n",
"# Only three roles (indexes 1 to 3) are analysed because AWS throttles these calls; substitute specific roles from the list printed above.\n",
"for arn in all_roles [1:4] :\n",
"    #service_names = iid_df_group[iid_df_group.arn == arn]['services'].tolist()\n",
"    #if len (service_names) > 0 :\n",
"        #service_names = service_names [0]\n",
"        #service_names = service_names.split(\",\")\n",
"\n",
"    for service in all_service_names :\n",
"        pdf = pd.DataFrame ( iam_client.list_policies_granting_service_access(Arn=arn, ServiceNamespaces=[service])['PoliciesGrantingServiceAccess'])\n",
"        # .copy() so the column assignments below write to sdf itself rather than to a view of pdf\n",
"        sdf = pdf[pdf.ServiceNamespace==service].copy()\n",
"        time.sleep(1) # pause between calls to stay under the IAM API rate limit\n",
"        sdf['arn'] = arn\n",
"        if len (sdf.Policies.tolist()) > 0 and len (iid_df_group[iid_df_group.arn==arn]['services'].tolist()) > 0 :\n",
"            s_access_list = iid_df_group[iid_df_group.arn==arn]['services'].tolist()[0] # services this role has accessed\n",
"            if service in s_access_list :\n",
"\n",
"                sdf['has_accessed'] = True\n",
"                if len (iid_df [ (iid_df.arn == arn) & (iid_df.ServiceNamespace == service)]['LastAuthenticated'].tolist()) > 0 :\n",
"                    sdf['last_accessed'] = iid_df [ (iid_df.arn == arn) & (iid_df.ServiceNamespace == service)]['LastAuthenticated'].tolist()[0]\n",
"                else :\n",
"                    sdf['last_accessed'] = \"NA\"\n",
"                    sdf['has_accessed'] = True\n",
"\n",
"            else :\n",
"                sdf['has_accessed'] = False\n",
"                sdf['last_accessed'] = \"NA\"\n",
"            spdf = (pd.DataFrame(sdf.Policies.tolist()[0]))\n",
"\n",
"            if not spdf.empty :\n",
"                sdf['policy-type'] = spdf['PolicyName'].map(str) + '(' + spdf['PolicyType'].map(str) + ' Policy)'\n",
"                sdf_arr.append(sdf)\n",
"# pd.concat raises ValueError on an empty list, so fall back to an empty frame with the expected columns\n",
"if len(sdf_arr) > 0 :\n",
"    sdf_arr_df = pd.concat (sdf_arr)\n",
"    display(HTML(sdf_arr_df.to_html(index=False, justify=\"left\")))\n",
"else :\n",
"    sdf_arr_df = pd.DataFrame (columns=[\"arn\", \"policy-type\",'ServiceNamespace','has_accessed', 'last_accessed','Policies' ])"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-policy-analysis'></a>\n",
"### Policies that Need to Be Right-Sized for a Given Role\n",
"This section lists, for each role ARN, the services that the role *can access but did not access*, along with the policy that grants that access and that the user needs to review for right-sizing.\n",
"\n",
" [Go to Top](#iam-top)"
]
},
{
"cell_type": "code",
"execution_count": 11,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ## Services that roles did not access and Corresponding Policies "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>arn</th>\n",
" <th>services_not_accessed</th>\n",
" <th>policy-type</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector</td>\n",
" <td>directconnect,elasticloadbalancing</td>\n",
" <td>AmazonInspectorServiceRolePolicy(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>a4b,acm,acm-pca,amplify,apigateway,appstream,appsync,artifact,athena,autoscaling,autoscaling-plans,aws-marketplace-management,aws-portal,backup,batch,budgets,chime,cloud9,clouddirectory,cloudformation,cloudfront,cloudhsm,cloudsearch,cloudtrail,codebuild,codedeploy,codepipeline,codestar,cognito-identity,cognito-sync,comprehend,comprehendmedical,connect,cur,datapipeline,datasync,dax,deeplens,devicefarm,directconnect,discovery,dlm,dms,ds,dynamodb,ecr,ecs,eks,elastic-inference,elasticache,elasticbeanstalk,elasticfilesystem,elasticmapreduce,elastictranscoder,events,execute-api,firehose,fms,freertos,fsx,gamelift,glacier,globalaccelerator,glue,greengrass,groundtruthlabeling,health,importexport,inspector,iot,iot1click,iotanalytics,iotevents,kafka,kinesis,kinesisanalytics,kinesisvideo,lex,license-manager,lightsail,machinelearning,macie,mechanicalturk,mediaconnect,mediaconvert,medialive,mediapackage,mediastore,mgh,mobileanalytics,mobilehub,mobiletargeting,mq,neptune-db,opsworks,opsworks-cm,organizations,pi,polly,pricing,quicksight,ram,rds,redshift,rekognition,resource-groups,route53,route53domains,route53resolver,sdb,securityhub,serverlessrepo,servicecatalog,servicediscovery,ses,shield,signer,sms,sms-voice,snowball,sqs,ssmmessages,sso,sso-directory,states,storagegateway,sumerian,support,swf,tag,textract,transcribe,transfer,translate,trustedadvisor,waf,waf-regional,wam,wellarchitected,workdocs,worklink,workmail,workspaces,xray</td>\n",
" <td>AdministratorAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:role/service-role/AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>application-autoscaling,aws-marketplace,codecommit,cognito-idp,lambda,robomaker,secretsmanager</td>\n",
" <td>AmazonSageMakerFullAccess(MANAGED Policy)</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"sdf_arr_df=sdf_arr_df[sdf_arr_df.has_accessed == False]\n",
"sdf_arr_df_group = sdf_arr_df.groupby( [\"arn\",\"policy-type\"] )['ServiceNamespace'].agg(','.join).reset_index(name='services_not_accessed')\n",
"\n",
"sdf_arr_df_group = sdf_arr_df_group [[\"arn\",\"services_not_accessed\",\"policy-type\"]]\n",
"\n",
"display (md(\"\"\" ## Services that roles did not access and Corresponding Policies \"\"\"))\n",
"display(HTML(sdf_arr_df_group.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"<a id='iam-best-practice'></a>\n",
"## Best Practice Checks"
]
},
{
"cell_type": "code",
"execution_count": 12,
"metadata": {},
"outputs": [],
"source": [
"iamdf = pd.DataFrame(aws_helpers.get_credential_report())\n",
"oiamdf = iamdf.copy()"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>user</th>\n",
" <th>arn</th>\n",
" <th>user_creation_time</th>\n",
" <th>password_enabled</th>\n",
" <th>password_last_used</th>\n",
" <th>password_last_changed</th>\n",
" <th>password_next_rotation</th>\n",
" <th>mfa_active</th>\n",
" <th>access_key_1_active</th>\n",
" <th>access_key_1_last_rotated</th>\n",
" <th>access_key_1_last_used_date</th>\n",
" <th>access_key_1_last_used_region</th>\n",
" <th>access_key_1_last_used_service</th>\n",
" <th>access_key_2_active</th>\n",
" <th>access_key_2_last_rotated</th>\n",
" <th>access_key_2_last_used_date</th>\n",
" <th>access_key_2_last_used_region</th>\n",
" <th>access_key_2_last_used_service</th>\n",
" <th>cert_1_active</th>\n",
" <th>cert_1_last_rotated</th>\n",
" <th>cert_2_active</th>\n",
" <th>cert_2_last_rotated</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>&lt;root_account&gt;</td>\n",
" <td>arn:aws:iam::833730960164:root</td>\n",
" <td>2018-10-06T12:21:02+00:00</td>\n",
" <td>not_supported</td>\n",
" <td>2019-02-14T13:11:52+00:00</td>\n",
" <td>not_supported</td>\n",
" <td>not_supported</td>\n",
" <td>false</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" </tr>\n",
" <tr>\n",
" <td>elasticcrew</td>\n",
" <td>arn:aws:iam::833730960164:user/elasticcrew</td>\n",
" <td>2018-10-06T18:57:13+00:00</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>true</td>\n",
" <td>2018-10-06T18:57:13+00:00</td>\n",
" <td>2019-01-30T21:55:00+00:00</td>\n",
" <td>us-east-1</td>\n",
" <td>s3</td>\n",
" <td>true</td>\n",
" <td>2018-10-07T21:40:33+00:00</td>\n",
" <td>2019-02-13T14:08:00+00:00</td>\n",
" <td>us-east-1</td>\n",
" <td>sts</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" </tr>\n",
" <tr>\n",
" <td>virclopad</td>\n",
" <td>arn:aws:iam::833730960164:user/virclopad</td>\n",
" <td>2018-10-06T19:32:12+00:00</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>true</td>\n",
" <td>2018-10-06T19:32:13+00:00</td>\n",
" <td>2019-02-14T13:18:00+00:00</td>\n",
" <td>us-east-1</td>\n",
" <td>iam</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display(HTML(iamdf.to_html(index=False, justify=\"left\")))\n"
]
},
{
"cell_type": "code",
"execution_count": 14,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ##### Users for which MFA is not active AND password is enabled "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>user</th>\n",
" <th>arn</th>\n",
" <th>user_creation_time</th>\n",
" <th>password_enabled</th>\n",
" <th>password_last_used</th>\n",
" <th>password_last_changed</th>\n",
" <th>password_next_rotation</th>\n",
" <th>mfa_active</th>\n",
" <th>access_key_1_active</th>\n",
" <th>access_key_1_last_rotated</th>\n",
" <th>access_key_1_last_used_date</th>\n",
" <th>access_key_1_last_used_region</th>\n",
" <th>access_key_1_last_used_service</th>\n",
" <th>access_key_2_active</th>\n",
" <th>access_key_2_last_rotated</th>\n",
" <th>access_key_2_last_used_date</th>\n",
" <th>access_key_2_last_used_region</th>\n",
" <th>access_key_2_last_used_service</th>\n",
" <th>cert_1_active</th>\n",
" <th>cert_1_last_rotated</th>\n",
" <th>cert_2_active</th>\n",
" <th>cert_2_last_rotated</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>&lt;root_account&gt;</td>\n",
" <td>arn:aws:iam::833730960164:root</td>\n",
" <td>2018-10-06T12:21:02+00:00</td>\n",
" <td>not_supported</td>\n",
" <td>2019-02-14T13:11:52+00:00</td>\n",
" <td>not_supported</td>\n",
" <td>not_supported</td>\n",
" <td>false</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"\n",
"display ( md(\"\"\" ##### Users for which MFA is not active AND password is enabled \"\"\"))\n",
"iamdf.mfa_active = iamdf.mfa_active.astype(str)\n",
"iamdf_mfa = iamdf [ iamdf.mfa_active.str.contains (\"false\") & ~iamdf.password_enabled.str.contains (\"false\") ]\n",
"display(HTML(iamdf_mfa.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "code",
"execution_count": 15,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ##### Users Access Keys are not rotated in the last 90 days "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>user</th>\n",
" <th>arn</th>\n",
" <th>user_creation_time</th>\n",
" <th>access_key_1_last_rotated</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>elasticcrew</td>\n",
" <td>arn:aws:iam::833730960164:user/elasticcrew</td>\n",
" <td>2018-10-06T18:57:13+00:00</td>\n",
" <td>2018-10-06T18:57:13+00:00</td>\n",
" </tr>\n",
" <tr>\n",
" <td>virclopad</td>\n",
" <td>arn:aws:iam::833730960164:user/virclopad</td>\n",
" <td>2018-10-06T19:32:12+00:00</td>\n",
" <td>2018-10-06T19:32:13+00:00</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"iamdf = oiamdf.copy()\n",
"display ( md(\"\"\" ##### Users Access Keys are not rotated in the last 90 days \"\"\"))\n",
"iamdf_access = iamdf [~iamdf.access_key_1_last_rotated.str.contains(\"N/A\")]\n",
"iamdf_access = iamdf_access [~iamdf_access.access_key_1_last_rotated.str.contains(\"not\")]\n",
"\n",
"iamdf.mfa_active = iamdf.mfa_active.astype(str)\n",
"num_days = \"90\"\n",
"\n",
"# keep users whose access key 1 was last rotated more than num_days days ago (access_key_2_last_rotated is not checked here)\n",
"# the credential report timestamps are UTC, so compare against a timezone-aware UTC \"now\"\n",
"iamdf_access = iamdf_access [ pd.to_datetime(iamdf_access.access_key_1_last_rotated, utc=True) < pd.Timestamp.now(tz=\"UTC\") - pd.to_timedelta(num_days+\"day\") ]\n",
"iamdf_access = iamdf_access [[ \"user\", \"arn\" , \"user_creation_time\",\"access_key_1_last_rotated\" ]]\n",
"display(HTML(iamdf_access.to_html(index=False, justify=\"left\")))\n"
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ##### Users where password is not changed in the last 90 days "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"[]\n"
]
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>user</th>\n",
" <th>arn</th>\n",
" <th>user_creation_time</th>\n",
" <th>password_enabled</th>\n",
" <th>password_last_used</th>\n",
" <th>password_last_changed</th>\n",
" <th>password_next_rotation</th>\n",
" <th>mfa_active</th>\n",
" <th>access_key_1_active</th>\n",
" <th>access_key_1_last_rotated</th>\n",
" <th>access_key_1_last_used_date</th>\n",
" <th>access_key_1_last_used_region</th>\n",
" <th>access_key_1_last_used_service</th>\n",
" <th>access_key_2_active</th>\n",
" <th>access_key_2_last_rotated</th>\n",
" <th>access_key_2_last_used_date</th>\n",
" <th>access_key_2_last_used_region</th>\n",
" <th>access_key_2_last_used_service</th>\n",
" <th>cert_1_active</th>\n",
" <th>cert_1_last_rotated</th>\n",
" <th>cert_2_active</th>\n",
" <th>cert_2_last_rotated</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"iamdf = oiamdf.copy()\n",
"display ( md(\"\"\" ##### Users where password is not changed in the last 90 days \"\"\"))\n",
"iamdf.password_last_changed = iamdf.password_last_changed.astype(str)\n",
"iamdf_pass = iamdf [~iamdf.password_last_changed.str.contains(\"N\")]\n",
"# .copy() so the datetime conversion below writes to iamdf_pass itself rather than to a view of iamdf\n",
"iamdf_pass = iamdf_pass [~iamdf_pass.password_last_changed.str.contains(\"not\")].copy()\n",
"\n",
"print (iamdf_pass.password_last_changed.tolist())\n",
"\n",
"iamdf_pass.password_last_changed = pd.to_datetime (iamdf_pass.password_last_changed, utc=True)\n",
"num_days = \"90\"\n",
"\n",
"# keep users whose password was last changed more than num_days days ago\n",
"# the credential report timestamps are UTC, so compare against a timezone-aware UTC \"now\"\n",
"iamdf_pass = iamdf_pass [ pd.to_datetime(iamdf_pass.password_last_changed, utc=True) < pd.Timestamp.now(tz=\"UTC\") - pd.to_timedelta(num_days+\"day\") ]\n",
"display(HTML(iamdf_pass.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ##### Access keys not enabled for Root Account "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>user</th>\n",
" <th>arn</th>\n",
" <th>user_creation_time</th>\n",
" <th>password_enabled</th>\n",
" <th>password_last_used</th>\n",
" <th>password_last_changed</th>\n",
" <th>password_next_rotation</th>\n",
" <th>mfa_active</th>\n",
" <th>access_key_1_active</th>\n",
" <th>access_key_1_last_rotated</th>\n",
" <th>access_key_1_last_used_date</th>\n",
" <th>access_key_1_last_used_region</th>\n",
" <th>access_key_1_last_used_service</th>\n",
" <th>access_key_2_active</th>\n",
" <th>access_key_2_last_rotated</th>\n",
" <th>access_key_2_last_used_date</th>\n",
" <th>access_key_2_last_used_region</th>\n",
" <th>access_key_2_last_used_service</th>\n",
" <th>cert_1_active</th>\n",
" <th>cert_1_last_rotated</th>\n",
" <th>cert_2_active</th>\n",
" <th>cert_2_last_rotated</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>&lt;root_account&gt;</td>\n",
" <td>arn:aws:iam::833730960164:root</td>\n",
" <td>2018-10-06T12:21:02+00:00</td>\n",
" <td>not_supported</td>\n",
" <td>2019-02-14T13:11:52+00:00</td>\n",
" <td>not_supported</td>\n",
" <td>not_supported</td>\n",
" <td>false</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" <td>false</td>\n",
" <td>N/A</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display ( md(\"\"\" ##### Access keys not enabled for Root Account \"\"\"))\n",
"\n",
"# match the root row exactly so IAM users whose names merely contain \"root\" are not included\n",
"iamdf_root = iamdf [iamdf.user == \"<root_account>\"]\n",
"\n",
"# the root row is listed only when both of its access keys are inactive; an empty table means root has an active access key\n",
"iamdf_root = iamdf_root [ iamdf_root.access_key_1_active.str.contains (\"false\") & iamdf_root.access_key_2_active.str.contains (\"false\") ]\n",
"\n",
"display(HTML(iamdf_root.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "code",
"execution_count": 18,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" ##### MFA enabled for Root Account "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"[]\n"
]
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>user</th>\n",
" <th>arn</th>\n",
" <th>user_creation_time</th>\n",
" <th>password_enabled</th>\n",
" <th>password_last_used</th>\n",
" <th>password_last_changed</th>\n",
" <th>password_next_rotation</th>\n",
" <th>mfa_active</th>\n",
" <th>access_key_1_active</th>\n",
" <th>access_key_1_last_rotated</th>\n",
" <th>access_key_1_last_used_date</th>\n",
" <th>access_key_1_last_used_region</th>\n",
" <th>access_key_1_last_used_service</th>\n",
" <th>access_key_2_active</th>\n",
" <th>access_key_2_last_rotated</th>\n",
" <th>access_key_2_last_used_date</th>\n",
" <th>access_key_2_last_used_region</th>\n",
" <th>access_key_2_last_used_service</th>\n",
" <th>cert_1_active</th>\n",
" <th>cert_1_last_rotated</th>\n",
" <th>cert_2_active</th>\n",
" <th>cert_2_last_rotated</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display ( md(\"\"\" ##### MFA enabled for Root Account \"\"\"))\n",
"iamdf = oiamdf.copy()\n",
"iamdf.mfa_active = iamdf.mfa_active.astype(str)\n",
"\n",
"# the root row is listed only when MFA is active; an empty table means MFA is not enabled for root\n",
"iamdf_root_mfa = iamdf [ (iamdf.user == \"<root_account>\") & iamdf.mfa_active.str.contains (\"true\") ]\n",
"\n",
"print (iamdf_root_mfa.user.tolist())\n",
"\n",
"display(HTML(iamdf_root_mfa.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Check Password Policy for\n",
" * Expire passwords\n",
" * Minimum password length\n",
" * Require symbols\n",
" * Require Uppercase Characters"
]
},
{
"cell_type": "code",
"execution_count": 19,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>AllowUsersToChangePassword</th>\n",
" <th>ExpirePasswords</th>\n",
" <th>HardExpiry</th>\n",
" <th>MaxPasswordAge</th>\n",
" <th>MinimumPasswordLength</th>\n",
" <th>RequireLowercaseCharacters</th>\n",
" <th>RequireNumbers</th>\n",
" <th>RequireSymbols</th>\n",
" <th>RequireUppercaseCharacters</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>True</td>\n",
" <td>True</td>\n",
" <td>False</td>\n",
" <td>120</td>\n",
" <td>6</td>\n",
" <td>True</td>\n",
" <td>True</td>\n",
" <td>False</td>\n",
" <td>True</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"\n",
"iam_pass_df = pd.DataFrame (iam_client.get_account_password_policy()['PasswordPolicy'], index=[0])\n",
"display(HTML(iam_pass_df.to_html(index=False, justify=\"left\")))\n",
"\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## IAM Policy Analysis\n",
"This section parses each of the policies and returns the policies that match a particular service, resource, or `*`."
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [],
"source": [
"(df, dfu) = iam_analyze.prepare_role_df()"
]
},
{
"cell_type": "code",
"execution_count": 21,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" #### All Roles with Attached policies "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>create_date</th>\n",
" <th>role_name</th>\n",
" <th>principal_arr</th>\n",
" <th>attached_policies</th>\n",
" <th>inline_policies</th>\n",
" <th>inline_statements</th>\n",
" <th>inline_resources</th>\n",
" <th>attached_statements</th>\n",
" <th>attached_resources</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>2018-11-20 16:56:06+00:00</td>\n",
" <td>adminrole</td>\n",
" <td>{'Service': 'lambda.amazonaws.com'}</td>\n",
" <td>[AdministratorAccess]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-11-27 20:23:25+00:00</td>\n",
" <td>AmazonSageMaker-ExecutionRole-20181127T152303</td>\n",
" <td>{'Service': 'sagemaker.amazonaws.com'}</td>\n",
" <td>[AmazonSageMaker-ExecutionPolicy-20181127T152303, AdministratorAccess, AmazonSageMakerFullAccess]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2019-01-14 19:37:44+00:00</td>\n",
" <td>AWSServiceRoleForAmazonGuardDuty</td>\n",
" <td>{'Service': 'guardduty.amazonaws.com'}</td>\n",
" <td>[AmazonGuardDutyServiceRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-12-12 20:03:25+00:00</td>\n",
" <td>AWSServiceRoleForAmazonInspector</td>\n",
" <td>{'Service': 'inspector.amazonaws.com'}</td>\n",
" <td>[AmazonInspectorServiceRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-07 14:42:57+00:00</td>\n",
" <td>AWSServiceRoleForECS</td>\n",
" <td>{'Service': 'ecs.amazonaws.com'}</td>\n",
" <td>[AmazonECSServiceRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2019-01-03 09:35:29+00:00</td>\n",
" <td>AWSServiceRoleForOrganizations</td>\n",
" <td>{'Service': 'organizations.amazonaws.com'}</td>\n",
" <td>[AWSOrganizationsServiceTrustPolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-11-28 17:47:24+00:00</td>\n",
" <td>AWSServiceRoleForSecurityHub</td>\n",
" <td>{'Service': 'securityhub.amazonaws.com'}</td>\n",
" <td>[AWSSecurityHubServiceRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-06 12:21:02+00:00</td>\n",
" <td>AWSServiceRoleForSupport</td>\n",
" <td>{'Service': 'support.amazonaws.com'}</td>\n",
" <td>[AWSSupportServiceRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-06 12:21:02+00:00</td>\n",
" <td>AWSServiceRoleForTrustedAdvisor</td>\n",
" <td>{'Service': 'trustedadvisor.amazonaws.com'}</td>\n",
" <td>[AWSTrustedAdvisorServiceRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-12-12 20:03:26+00:00</td>\n",
" <td>AWS_InspectorEvents_Invoke_Assessment_Template</td>\n",
" <td>{'Service': 'events.amazonaws.com'}</td>\n",
" <td>[]</td>\n",
" <td>[AWS_Allow_Inspector_Assessment]</td>\n",
" <td>[[inspector:StartAssessmentRun]]</td>\n",
" <td>[*]</td>\n",
" <td>[[inspector:StartAssessmentRun]]</td>\n",
" <td>[*]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2019-01-14 20:51:17+00:00</td>\n",
" <td>cgnotebookrole</td>\n",
" <td>{'AWS': 'arn:aws:iam::833730960164:user/elasticcrew', 'Service': ['events.amazonaws.com', 'lambda.amazonaws.com', 'apigateway.amazonaws.com', 'sagemaker.amazonaws.com', 'config.amazonaws.com']}</td>\n",
" <td>[AdministratorAccess, SecurityAudit]</td>\n",
" <td>[cg-audit-policy, cg-cfexplore-policy, cg-cwmonitor-policy, cg-global-policy, cg-spend-policy]</td>\n",
" <td>[[logs:DescribeLogGroups, logs:DescribeMetricFilters], [config:Get*, config:Describe*, config:Deliver*, config:List*, config:StartConfigurationRecorder, config:DeleteConfigurationRecorder, config:DeleteDeliveryChannel, config:PutConfigurationRecorder, config:StopConfigurationRecorder, config:PutDeliveryChannel, tag:GetResources, tag:GetTagKeys, ec2:Describe*, rds:Describe*, cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:LookupEvents], [s3:*], [s3:*], [events:*], [s3:*], [sns:*], [sqs:*], [iam:Get*, iam:List*, iam:Read*], [sagemaker:*], [securityhub:*, guardduty:*], [inspector:*], [iam:PassRole, iam:GetRole, iam:GetRolePolicy, iam:PutRolePolicy], [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:FilterLogEvents, logs:DeleteLogGroup], [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:FilterLogEvents, logs:DeleteLogGroup], [s3:List*], [s3:*], [events:DescribeRule, events:ListRules, events:ListTargetsByRule, events:ListRuleNamesByTarget, events:PutRule, events:PutTargets, events:RemoveTargets, events:DeleteRule], [ec2:DescribeRegions, ec2:DescribeInstances], [events:ListRuleNamesByTarget, events:ListRules], [lambda:AddPermission, lambda:CreateFunction, lambda:DeleteFunction, lambda:GetFunction, lambda:GetPolicy, lambda:ListVersionsByFunction, lambda:RemovePermission, lambda:UpdateFunctionCode, lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration, lambda:InvokeFunction, lambda:CreateEventSourceMapping, lambda:DeleteEventSourceMapping, lambda:PutFunctionConcurrency, lambda:UpdateEventSourceMapping], [lambda:TagResource], [ce:*], [cloudformation:*], [apigateway:DELETE, apigateway:GET, apigateway:PATCH, apigateway:POST, apigateway:PUT], [apigateway:POST], [Organizations:List*, Organizations:Describe*, rds:Describe*, rds:ListTagsForResource, ec2:Describe*, redshift:Describe*, elasticache:Describe*, cloudfront:List*, cloudfront:GetDistributionConfig, 
cloudfront:GetStreamingDistributionConfig, dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:ListTagsOfResource, ses:SendRawEmail, ses:SendEmail]]</td>\n",
" <td>[*, [*], [arn:aws:s3:::cloudgovernor-833730960164, arn:aws:s3:::cloudgovernor-*], [arn:aws:s3:::cloudgovernor-833730960164/*, arn:aws:s3:::cloudgovernor-*/*], [arn:aws:events:*:833730960164:rule/cg-833730960164-*, arn:aws:events:*:833730960164:rule/*.keep_warm_callback], [arn:aws:s3:::cloudgovernor, arn:aws:s3:::cloudgovernor/*], arn:aws:sns:*:*:cg-*, arn:aws:sqs:*:*:cg-*, [*], [*], [*], [*], [arn:aws:iam::833730960164:role/cgnotebookrole], [arn:aws:logs:*:833730960164:log-group:/aws/lambda/cg-833730960164*], [arn:aws:logs:*:833730960164:log-group:/aws/sagemaker/*], [arn:aws:s3:::virclop*], [arn:aws:s3:::virclop*/*], [arn:aws:events:*:833730960164:rule/*.keep_warm_callback], *, [arn:aws:events:*:833730960164:rule/*], [arn:aws:lambda:*:833730960164:function:cg-833730960164], *, [*], [arn:aws:cloudformation:*:833730960164:stack/cg-833730960164*], [*], [arn:aws:apigateway:*::/restapis*], [*]]</td>\n",
" <td>[[logs:DescribeLogGroups, logs:DescribeMetricFilters], [config:Get*, config:Describe*, config:Deliver*, config:List*, config:StartConfigurationRecorder, config:DeleteConfigurationRecorder, config:DeleteDeliveryChannel, config:PutConfigurationRecorder, config:StopConfigurationRecorder, config:PutDeliveryChannel, tag:GetResources, tag:GetTagKeys, ec2:Describe*, rds:Describe*, cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:LookupEvents], [s3:*], [s3:*], [events:*], [s3:*], [sns:*], [sqs:*], [iam:Get*, iam:List*, iam:Read*], [sagemaker:*], [securityhub:*, guardduty:*], [inspector:*], [iam:PassRole, iam:GetRole, iam:GetRolePolicy, iam:PutRolePolicy], [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:FilterLogEvents, logs:DeleteLogGroup], [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:FilterLogEvents, logs:DeleteLogGroup], [s3:List*], [s3:*], [events:DescribeRule, events:ListRules, events:ListTargetsByRule, events:ListRuleNamesByTarget, events:PutRule, events:PutTargets, events:RemoveTargets, events:DeleteRule], [ec2:DescribeRegions, ec2:DescribeInstances], [events:ListRuleNamesByTarget, events:ListRules], [lambda:AddPermission, lambda:CreateFunction, lambda:DeleteFunction, lambda:GetFunction, lambda:GetPolicy, lambda:ListVersionsByFunction, lambda:RemovePermission, lambda:UpdateFunctionCode, lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration, lambda:InvokeFunction, lambda:CreateEventSourceMapping, lambda:DeleteEventSourceMapping, lambda:PutFunctionConcurrency, lambda:UpdateEventSourceMapping], [lambda:TagResource], [ce:*], [cloudformation:*], [apigateway:DELETE, apigateway:GET, apigateway:PATCH, apigateway:POST, apigateway:PUT], [apigateway:POST], [Organizations:List*, Organizations:Describe*, rds:Describe*, rds:ListTagsForResource, ec2:Describe*, redshift:Describe*, elasticache:Describe*, cloudfront:List*, cloudfront:GetDistributionConfig, 
cloudfront:GetStreamingDistributionConfig, dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:ListTagsOfResource, ses:SendRawEmail, ses:SendEmail]]</td>\n",
" <td>[*, [*], [arn:aws:s3:::cloudgovernor-833730960164, arn:aws:s3:::cloudgovernor-*], [arn:aws:s3:::cloudgovernor-833730960164/*, arn:aws:s3:::cloudgovernor-*/*], [arn:aws:events:*:833730960164:rule/cg-833730960164-*, arn:aws:events:*:833730960164:rule/*.keep_warm_callback], [arn:aws:s3:::cloudgovernor, arn:aws:s3:::cloudgovernor/*], arn:aws:sns:*:*:cg-*, arn:aws:sqs:*:*:cg-*, [*], [*], [*], [*], [arn:aws:iam::833730960164:role/cgnotebookrole], [arn:aws:logs:*:833730960164:log-group:/aws/lambda/cg-833730960164*], [arn:aws:logs:*:833730960164:log-group:/aws/sagemaker/*], [arn:aws:s3:::virclop*], [arn:aws:s3:::virclop*/*], [arn:aws:events:*:833730960164:rule/*.keep_warm_callback], *, [arn:aws:events:*:833730960164:rule/*], [arn:aws:lambda:*:833730960164:function:cg-833730960164], *, [*], [arn:aws:cloudformation:*:833730960164:stack/cg-833730960164*], [*], [arn:aws:apigateway:*::/restapis*], [*]]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2019-01-28 17:46:54+00:00</td>\n",
" <td>cgrole</td>\n",
" <td>{'AWS': 'arn:aws:iam::833730960164:user/elasticcrew', 'Service': ['events.amazonaws.com', 'lambda.amazonaws.com', 'sagemaker.amazonaws.com', 'apigateway.amazonaws.com', 'config.amazonaws.com']}</td>\n",
" <td>[AdministratorAccess, SecurityAudit]</td>\n",
" <td>[cg-audit-policy, cg-cfexplore-policy, cg-ctexplore-policy, cg-cwmonitor-policy, cg-global-policy, cg-spend-policy]</td>\n",
" <td>[[logs:DescribeLogGroups, logs:DescribeMetricFilters], [config:Get*, config:Describe*, config:Deliver*, config:List*, config:StartConfigurationRecorder, config:DeleteConfigurationRecorder, config:DeleteDeliveryChannel, config:PutConfigurationRecorder, config:StopConfigurationRecorder, config:PutDeliveryChannel, tag:GetResources, tag:GetTagKeys, cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:LookupEvents], [s3:*], [s3:*], [s3:*], [events:*], [s3:*], [sns:*], [sqs:*], [iam:Get*, iam:List*, iam:Read*], [iam:PassRole, iam:GetRole, iam:GetRolePolicy, iam:PutRolePolicy], [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:FilterLogEvents, logs:DeleteLogGroup], [s3:List*], [s3:Get*], [events:DescribeRule, events:ListRules, events:ListTargetsByRule, events:ListRuleNamesByTarget, events:PutRule, events:PutTargets, events:RemoveTargets, events:DeleteRule], [ec2:DescribeRegions, ec2:DescribeInstances], [events:ListRuleNamesByTarget, events:ListRules], [lambda:AddPermission, lambda:CreateFunction, lambda:DeleteFunction, lambda:GetFunction, lambda:GetPolicy, lambda:ListVersionsByFunction, lambda:RemovePermission, lambda:UpdateFunctionCode, lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration, lambda:InvokeFunction, lambda:CreateEventSourceMapping, lambda:DeleteEventSourceMapping, lambda:PutFunctionConcurrency, lambda:UpdateEventSourceMapping], [lambda:TagResource], [s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], [s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], [s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], 
[s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], [ce:*], [cloudformation:*], [apigateway:DELETE, apigateway:GET, apigateway:PATCH, apigateway:POST, apigateway:PUT], [apigateway:POST], [Organizations:List*, Organizations:Describe*, rds:Describe*, rds:ListTagsForResource, ec2:Describe*, redshift:Describe*, elasticache:Describe*, cloudfront:List*, cloudfront:GetDistributionConfig, cloudfront:GetStreamingDistributionConfig, dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:ListTagsOfResource, ses:SendRawEmail, ses:SendEmail]]</td>\n",
" <td>[*, [*], [arn:aws:s3:::cloudgovernor-833730960164, arn:aws:s3:::cloudgovernor-*], [arn:aws:s3:::cloudgovernor-833730960164/*, arn:aws:s3:::cloudgovernor-*/*], [arn:aws:s3:::vircloptrail, arn:aws:s3:::vircloptrail/*], [arn:aws:events:*:833730960164:rule/cg-833730960164-*, arn:aws:events:*:833730960164:rule/*.keep_warm_callback], [arn:aws:s3:::cloudgovernor, arn:aws:s3:::cloudgovernor/*], arn:aws:sns:*:*:cg-*, arn:aws:sqs:*:*:cg-*, [*], [arn:aws:iam::833730960164:role/cgrole], [arn:aws:logs:*:833730960164:log-group:/aws/lambda/cg-833730960164*], [arn:aws:s3:::virclop*], [arn:aws:s3:::virclop*/*], [arn:aws:events:*:833730960164:rule/*.keep_warm_callback], *, [arn:aws:events:*:833730960164:rule/*], [arn:aws:lambda:*:833730960164:function:cg-833730960164], *, [arn:aws:s3:::virclopbilling], [arn:aws:s3:::virclopbilling/*], [arn:aws:s3:::cloudgovernor-833730960164-config], [arn:aws:s3:::cloudgovernor-833730960164-config/*], [*], [arn:aws:cloudformation:*:833730960164:stack/cg-833730960164*], [*], [arn:aws:apigateway:*::/restapis*], [*]]</td>\n",
" <td>[[logs:DescribeLogGroups, logs:DescribeMetricFilters], [config:Get*, config:Describe*, config:Deliver*, config:List*, config:StartConfigurationRecorder, config:DeleteConfigurationRecorder, config:DeleteDeliveryChannel, config:PutConfigurationRecorder, config:StopConfigurationRecorder, config:PutDeliveryChannel, tag:GetResources, tag:GetTagKeys, cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:LookupEvents], [s3:*], [s3:*], [s3:*], [events:*], [s3:*], [sns:*], [sqs:*], [iam:Get*, iam:List*, iam:Read*], [iam:PassRole, iam:GetRole, iam:GetRolePolicy, iam:PutRolePolicy], [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:FilterLogEvents, logs:DeleteLogGroup], [s3:List*], [s3:Get*], [events:DescribeRule, events:ListRules, events:ListTargetsByRule, events:ListRuleNamesByTarget, events:PutRule, events:PutTargets, events:RemoveTargets, events:DeleteRule], [ec2:DescribeRegions, ec2:DescribeInstances], [events:ListRuleNamesByTarget, events:ListRules], [lambda:AddPermission, lambda:CreateFunction, lambda:DeleteFunction, lambda:GetFunction, lambda:GetPolicy, lambda:ListVersionsByFunction, lambda:RemovePermission, lambda:UpdateFunctionCode, lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration, lambda:InvokeFunction, lambda:CreateEventSourceMapping, lambda:DeleteEventSourceMapping, lambda:PutFunctionConcurrency, lambda:UpdateEventSourceMapping], [lambda:TagResource], [s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], [s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], [s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], 
[s3:GetBucketNotification, s3:PutBucketNotificationConfiguration, s3:ObjectCreated*, s3:ListObjects, s3:GetObject, s3:PutBucketNotification, s3:GetBucketLocation, s3:List*], [ce:*], [cloudformation:*], [apigateway:DELETE, apigateway:GET, apigateway:PATCH, apigateway:POST, apigateway:PUT], [apigateway:POST], [Organizations:List*, Organizations:Describe*, rds:Describe*, rds:ListTagsForResource, ec2:Describe*, redshift:Describe*, elasticache:Describe*, cloudfront:List*, cloudfront:GetDistributionConfig, cloudfront:GetStreamingDistributionConfig, dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:ListTagsOfResource, ses:SendRawEmail, ses:SendEmail]]</td>\n",
" <td>[*, [*], [arn:aws:s3:::cloudgovernor-833730960164, arn:aws:s3:::cloudgovernor-*], [arn:aws:s3:::cloudgovernor-833730960164/*, arn:aws:s3:::cloudgovernor-*/*], [arn:aws:s3:::vircloptrail, arn:aws:s3:::vircloptrail/*], [arn:aws:events:*:833730960164:rule/cg-833730960164-*, arn:aws:events:*:833730960164:rule/*.keep_warm_callback], [arn:aws:s3:::cloudgovernor, arn:aws:s3:::cloudgovernor/*], arn:aws:sns:*:*:cg-*, arn:aws:sqs:*:*:cg-*, [*], [arn:aws:iam::833730960164:role/cgrole], [arn:aws:logs:*:833730960164:log-group:/aws/lambda/cg-833730960164*], [arn:aws:s3:::virclop*], [arn:aws:s3:::virclop*/*], [arn:aws:events:*:833730960164:rule/*.keep_warm_callback], *, [arn:aws:events:*:833730960164:rule/*], [arn:aws:lambda:*:833730960164:function:cg-833730960164], *, [arn:aws:s3:::virclopbilling], [arn:aws:s3:::virclopbilling/*], [arn:aws:s3:::cloudgovernor-833730960164-config], [arn:aws:s3:::cloudgovernor-833730960164-config/*], [*], [arn:aws:cloudformation:*:833730960164:stack/cg-833730960164*], [*], [arn:aws:apigateway:*::/restapis*], [*]]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-07 18:35:57+00:00</td>\n",
" <td>ecsTaskExecutionRole</td>\n",
" <td>{'Service': 'ecs-tasks.amazonaws.com'}</td>\n",
" <td>[ecs-task-execution, AmazonDynamoDBFullAccess, AdministratorAccess, AmazonECSTaskExecutionRolePolicy]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-06 19:38:18+00:00</td>\n",
" <td>slackapp-virclop-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-06 19:34:43+00:00</td>\n",
" <td>slackapp-virclopslackapp-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-23 22:59:01+00:00</td>\n",
" <td>virclop-admininstall-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-06 20:44:37+00:00</td>\n",
" <td>virclop-cftresponder-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[ecs-task-execution, AmazonECS_FullAccess, AmazonECSTaskExecutionRolePolicy]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-16 18:28:58+00:00</td>\n",
" <td>virclop-sendgrid-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-06 19:42:09+00:00</td>\n",
" <td>virclop-slackappinstall-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>2018-10-17 12:25:34+00:00</td>\n",
" <td>virclop-slashcommand-ZappaLambdaExecutionRole</td>\n",
" <td>{'Service': ['events.amazonaws.com', 'apigateway.amazonaws.com', 'lambda.amazonaws.com']}</td>\n",
" <td>[]</td>\n",
" <td>[zappa-permissions]</td>\n",
" <td>[[logs:*], [lambda:InvokeFunction], [xray:PutTraceSegments, xray:PutTelemetryRecords], [ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:ResetNetworkInterfaceAttribute], [s3:*], [kinesis:*], [sns:*], [sqs:*], [dynamodb:*], [route53:*]]</td>\n",
" <td>[arn:aws:logs:*:*:*, [*], [*], *, arn:aws:s3:::*, arn:aws:kinesis:*:*:*, arn:aws:sns:*:*:*, arn:aws:sqs:*:*:*, arn:aws:dynamodb:*:*:*, *]</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" <tr>\n",
" <td>NaT</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>NaN</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display ( md(\"\"\" #### All Roles with Attached policies \"\"\") )\n",
"display(HTML(df.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" #### All Users with Attached policies "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Arn</th>\n",
" <th>AttachedManagedPolicies</th>\n",
" <th>CreateDate</th>\n",
" <th>GroupList</th>\n",
" <th>Path</th>\n",
" <th>Tags</th>\n",
" <th>UserId</th>\n",
" <th>UserName</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/elasticcrew</td>\n",
" <td>[{'PolicyName': 'AmazonS3FullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonS3FullAccess'}, {'PolicyName': 'AmazonDynamoDBFullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSSMFullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSSMFullAccess'}, {'PolicyName': 'XAccountAssume', 'PolicyArn': 'arn:aws:iam::833730960164:policy/XAccountAssume'}, {'PolicyName': 'S3RW', 'PolicyArn': 'arn:aws:iam::833730960164:policy/S3RW'}]</td>\n",
" <td>2018-10-06 18:57:13+00:00</td>\n",
" <td>[]</td>\n",
" <td>/</td>\n",
" <td>[]</td>\n",
" <td>AIDAJEOBJDN3QZW2MSBGA</td>\n",
" <td>elasticcrew</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/virclopad</td>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>2018-10-06 19:32:12+00:00</td>\n",
" <td>[]</td>\n",
" <td>/</td>\n",
" <td>[]</td>\n",
" <td>AIDAISZQ73TTRN5WNYHY6</td>\n",
" <td>virclopad</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
],
"source": [
"display ( md(\"\"\" #### All Users with Attached policies \"\"\") )\n",
"display(HTML(dfu.to_html(index=False, justify=\"left\")))"
]
},
{
"cell_type": "code",
"execution_count": 28,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" #### All Users with Policy Full S3 Access "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Arn</th>\n",
" <th>AttachedManagedPolicies</th>\n",
" <th>CreateDate</th>\n",
" <th>GroupList</th>\n",
" <th>Path</th>\n",
" <th>Tags</th>\n",
" <th>UserId</th>\n",
" <th>UserName</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/elasticcrew</td>\n",
" <td>[{'PolicyName': 'AmazonS3FullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonS3FullAccess'}, {'PolicyName': 'AmazonDynamoDBFullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSSMFullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSSMFullAccess'}, {'PolicyName': 'XAccountAssume', 'PolicyArn': 'arn:aws:iam::833730960164:policy/XAccountAssume'}, {'PolicyName': 'S3RW', 'PolicyArn': 'arn:aws:iam::833730960164:policy/S3RW'}]</td>\n",
" <td>2018-10-06 18:57:13+00:00</td>\n",
" <td>[]</td>\n",
" <td>/</td>\n",
" <td>[]</td>\n",
" <td>AIDAJEOBJDN3QZW2MSBGA</td>\n",
" <td>elasticcrew</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
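],
"source": [
"# dfu is the IAM user table, so this lists users (not roles) with AmazonS3FullAccess attached.\n",
"display(md(\"\"\" #### All Users with Policy Full S3 Access \"\"\"))\n",
"\n",
"# Substring match on the stringified list of attached managed policies.\n",
"dfu.AttachedManagedPolicies = dfu.AttachedManagedPolicies.astype(str)\n",
"dfs3 = dfu[dfu.AttachedManagedPolicies.str.contains(\"AmazonS3FullAccess\", na=False)]\n",
"display(HTML(dfs3.to_html(index=False, justify=\"left\")))"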
]
},
{
"cell_type": "code",
"execution_count": 29,
"metadata": {},
"outputs": [
{
"data": {
"text/markdown": [
" #### All Users with Policy Full Administrator Access "
],
"text/plain": [
"<IPython.core.display.Markdown object>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/html": [
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: left;\">\n",
" <th>Arn</th>\n",
" <th>AttachedManagedPolicies</th>\n",
" <th>CreateDate</th>\n",
" <th>GroupList</th>\n",
" <th>Path</th>\n",
" <th>Tags</th>\n",
" <th>UserId</th>\n",
" <th>UserName</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/elasticcrew</td>\n",
" <td>[{'PolicyName': 'AmazonS3FullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonS3FullAccess'}, {'PolicyName': 'AmazonDynamoDBFullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'}, {'PolicyName': 'AdministratorAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}, {'PolicyName': 'AmazonSSMFullAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonSSMFullAccess'}, {'PolicyName': 'XAccountAssume', 'PolicyArn': 'arn:aws:iam::833730960164:policy/XAccountAssume'}, {'PolicyName': 'S3RW', 'PolicyArn': 'arn:aws:iam::833730960164:policy/S3RW'}]</td>\n",
" <td>2018-10-06 18:57:13+00:00</td>\n",
" <td>[]</td>\n",
" <td>/</td>\n",
" <td>[]</td>\n",
" <td>AIDAJEOBJDN3QZW2MSBGA</td>\n",
" <td>elasticcrew</td>\n",
" </tr>\n",
" <tr>\n",
" <td>arn:aws:iam::833730960164:user/virclopad</td>\n",
" <td>[{'PolicyName': 'AdministratorAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'}]</td>\n",
" <td>2018-10-06 19:32:12+00:00</td>\n",
" <td>[]</td>\n",
" <td>/</td>\n",
" <td>[]</td>\n",
" <td>AIDAISZQ73TTRN5WNYHY6</td>\n",
" <td>virclopad</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>"
],
"text/plain": [
"<IPython.core.display.HTML object>"
]
},
"metadata": {},
"output_type": "display_data"
}
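],
"source": [
"# dfu is the IAM user table, so this lists users (not roles) with AdministratorAccess attached.\n",
"display(md(\"\"\" #### All Users with Policy Full Administrator Access \"\"\"))\n",
"\n",
"# Substring match on the stringified list of attached managed policies.\n",
"dfu.AttachedManagedPolicies = dfu.AttachedManagedPolicies.astype(str)\n",
"dfadmin = dfu[dfu.AttachedManagedPolicies.str.contains(\"AdministratorAccess\", na=False)]\n",
"display(HTML(dfadmin.to_html(index=False, justify=\"left\")))"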
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "conda_python3",
"language": "python",
"name": "conda_python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.6.5"
}
},
"nbformat": 4,
"nbformat_minor": 2
}
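An added example, not part of the original notebook: the same two checks (administrator access, full S3 access) run over users, their groups and roles, matching managed policies by exact ARN and reading inline and customer-managed policy statements instead of matching a name substring. It assumes input shaped like boto3's `iam.get_account_authorization_details()` response; the sample data is constructed, and the account ID `111122223333`, `amplify-deployer`, `storage-admins` and `example-s3-rw` are hypothetical.

```python
# AWS-managed policies are matched on the exact ARN, never on a name substring.
MANAGED_KINDS = {
    "arn:aws:iam::aws:policy/AdministratorAccess": {"admin", "s3-full"},
    "arn:aws:iam::aws:policy/AmazonS3FullAccess": {"s3-full"},
}


def as_list(value):
    """IAM allows Statement, Action and Resource to be one item or a list."""
    return value if isinstance(value, list) else [value]


def document_kinds(document):
    """Return the broad grants ('admin', 's3-full') made by Allow statements."""
    kinds = set()
    for stmt in as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue  # Deny, NotAction and NotResource are not evaluated here
        actions = {a.lower() for a in as_list(stmt["Action"])}
        resources = set(as_list(stmt["Resource"]))
        if "*" in actions and "*" in resources:
            kinds.add("admin")
        if actions & {"*", "s3:*"} and resources & {"*", "arn:aws:s3:::*"}:
            kinds.add("s3-full")
    return kinds


def policy_sources(entity, inline_key, customer_docs):
    """Yield (source label, kinds) for each policy on one user, group or role."""
    for att in entity.get("AttachedManagedPolicies", []):
        arn = att["PolicyArn"]
        kinds = MANAGED_KINDS.get(arn) or document_kinds(customer_docs.get(arn, {}))
        yield "managed:" + att["PolicyName"], kinds
    for inline in entity.get(inline_key, []):
        yield "inline:" + inline["PolicyName"], document_kinds(inline["PolicyDocument"])


def audit(details):
    """Return sorted (type, name, source, kind) findings for users and roles."""
    customer_docs = {
        pol["Arn"]: ver["Document"]
        for pol in details.get("Policies", [])
        for ver in pol.get("PolicyVersionList", [])
        if ver.get("IsDefaultVersion")
    }
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    findings = set()
    for user in details.get("UserDetailList", []):
        sources = list(policy_sources(user, "UserPolicyList", customer_docs))
        for name in user.get("GroupList", []):  # users inherit group policies
            for src, kinds in policy_sources(groups.get(name, {}), "GroupPolicyList", customer_docs):
                sources.append(("group:%s/%s" % (name, src), kinds))
        findings |= {("user", user["UserName"], s, k) for s, ks in sources for k in ks}
    for role in details.get("RoleDetailList", []):
        for src, kinds in policy_sources(role, "RolePolicyList", customer_docs):
            findings |= {("role", role["RoleName"], src, k) for k in kinds}
    return sorted(findings)


def managed(name, account="aws"):
    """Build an AttachedManagedPolicies entry for the constructed sample."""
    return {"PolicyName": name, "PolicyArn": "arn:aws:iam::%s:policy/%s" % (account, name)}


def allow(actions, resources):
    return {"Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}


# Constructed sample; 111122223333, amplify-deployer, storage-admins and
# example-s3-rw are hypothetical. Role and policy names echo the notebook's tables.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "elasticcrew", "GroupList": [], "AttachedManagedPolicies": [
            managed("AdministratorAccess"), managed("example-s3-rw", "111122223333")]},
        {"UserName": "amplify-deployer", "GroupList": ["storage-admins"],
         "AttachedManagedPolicies": [managed("AdministratorAccess-Amplify")]},
    ],
    "GroupDetailList": [
        {"GroupName": "storage-admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [managed("AmazonS3FullAccess")]},
    ],
    "RoleDetailList": [
        {"RoleName": "ecsTaskExecutionRole", "RolePolicyList": [],
         "AttachedManagedPolicies": [managed("AdministratorAccess")]},
        {"RoleName": "slackapp-virclop-ZappaLambdaExecutionRole", "AttachedManagedPolicies": [],
         "RolePolicyList": [{"PolicyName": "zappa-permissions",
                             "PolicyDocument": allow(["s3:*"], "arn:aws:s3:::*")}]},
        {"RoleName": "cgnotebookrole", "AttachedManagedPolicies": [],
         "RolePolicyList": [{"PolicyName": "cg-global-policy",
                             "PolicyDocument": allow(["s3:*"], ["arn:aws:s3:::cloudgovernor-*"])}]},
    ],
    "Policies": [
        {"Arn": "arn:aws:iam::111122223333:policy/example-s3-rw", "PolicyVersionList": [
            {"IsDefaultVersion": True, "Document": allow("s3:*", "*")}]},
    ],
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Explicit Deny statements, Conditions, permission boundaries and SCPs are not evaluated, so the findings are an upper bound on what each principal can do.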