{"id":37322156,"url":"https://github.com/pfrederiksen/aws-access-map","last_synced_at":"2026-01-16T03:21:22.539Z","repository":{"id":332181564,"uuid":"1133011562","full_name":"pfrederiksen/aws-access-map","owner":"pfrederiksen","description":"Instant 'who can reach this?' mapping for AWS resources. Find admin users, audit IAM policies, debug permissions. 100% free, runs locally, no AWS charges.","archived":false,"fork":false,"pushed_at":"2026-01-12T23:48:29.000Z","size":134,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-13T00:19:44.702Z","etag":null,"topics":["aws","aws-iam","cli","devops","golang","iam","permissions","security","security-audit","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pfrederiksen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-12T18:57:59.000Z","updated_at":"2026-01-12T23:48:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/pfrederiksen/aws-access-map","commit_stats":null,"previous_names":["pfrederiksen/aws-access-map"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/pfrederiksen/aws-access-map","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfrederiksen%2Faws-access-map","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfrederiksen%2Faws-access-map/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfrederiksen%2Faws-access-map/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfrederiksen%2Faws-access-map/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pfrederiksen","download_url":"https://codeload.github.com/pfrederiksen/aws-access-map/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfrederiksen%2Faws-access-map/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28477192,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T03:13:13.607Z","status":"ssl_error","status_checked_at":"2026-01-16T03:11:47.863Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-iam","cli","devops","golang","iam","permissions","security","security-audit","security-tools"],"created_at":"2026-01-16T03:21:21.829Z","updated_at":"2026-01-16T03:21:22.524Z","avatar_url":"https://github.com/pfrederiksen.png","language":"Go","readme":"# aws-access-map\n\n**Instant \"who can reach this?\" mapping for AWS resources.**\n\nOne command. One answer. 
No UI required.\n\n✅ **100% free** • ⚡ **3 second queries** • 🔒 **Local \u0026 private** • 📖 **Open source**\n\n---\n\n📚 **Documentation**: [Examples](docs/usage/EXAMPLES.md) · [Usage Guide](docs/usage/USAGE.md) · [Permissions](docs/usage/PERMISSIONS.md) · [Architecture](docs/development/CLAUDE.md) · [Testing](docs/development/TESTING.md)\n\n---\n\n## Why This Exists\n\nYou're debugging permissions at 2am. A contractor leaves tomorrow. Security audit Friday. You need to know **right now**:\n\n- \"Who has admin access to our AWS account?\"\n- \"Can this Lambda role access our production database?\"\n- \"Which services can decrypt our KMS key?\"\n\n**aws-access-map solves this:** CLI-first, fast, open-source. Answers in seconds.\n\n## What It Does\n\n```bash\n# Who has god-mode access?\naws-access-map who-can \"*\" --action \"*\"\n\n# Can this role access the database?\naws-access-map path \\\n  --from arn:aws:iam::ACCOUNT:role/Lambda \\\n  --to arn:aws:rds:...:db/prod \\\n  --action rds:Connect\n\n# Collect from entire organization (multi-account)\naws-access-map collect --all-accounts\n```\n\n**Handles the full AWS IAM policy evaluation model:**\n- ✅ **NotAction/NotResource** - inverse policy logic (v1.0.0)\n- ✅ Service Control Policies (SCPs) - organization-level\n- ✅ Permission boundaries - principal-level constraints\n- ✅ Session policies - temporary session constraints\n- ✅ Identity \u0026 resource policies\n- ✅ IAM groups - membership inheritance\n- ✅ Condition evaluation (22 operators: IP, MFA, dates, ARNs, etc.)\n- ✅ Multi-account via AWS Organizations\n- ✅ Incremental caching - 10x speedup\n- ✅ Policy simulation - test without AWS\n\n**Advanced Security Analysis (v1.0.0):**\n- 🔍 **13 Security Pattern Detectors** - Admin access, public exposure, privilege escalation, missing MFA, etc.\n- 📊 **Quantitative Risk Scoring** - Impact × Likelihood × Privilege calculations\n- 📋 **Compliance Reporting** - CIS AWS Foundations, PCI-DSS v3.2.1, SOC 
2\n- 📈 **Access Matrices** - Principal × resource grids with CSV export\n\n## Installation\n\n### Homebrew (macOS/Linux) - Recommended\n```bash\nbrew tap pfrederiksen/tap\nbrew install aws-access-map\n```\n\n### Go Install\n```bash\ngo install github.com/pfrederiksen/aws-access-map/cmd/aws-access-map@latest\n```\n\n### Pre-built Binaries\nDownload from [releases](https://github.com/pfrederiksen/aws-access-map/releases).\n\n### From Source\n```bash\ngit clone https://github.com/pfrederiksen/aws-access-map\ncd aws-access-map\nmake build\n./build/aws-access-map --help\n```\n\n## Quick Start\n\n**Prerequisites:** AWS credentials configured (environment variables, `~/.aws/credentials`, or IAM role).\n\n```bash\n# 1. Collect IAM data from your AWS account\naws-access-map collect\n\n# 2. Find who has admin access\naws-access-map who-can \"*\" --action \"*\"\n\n# 3. Check if a role can access S3\naws-access-map path \\\n  --from arn:aws:iam::123456789012:role/MyRole \\\n  --to arn:aws:s3:::my-bucket/* \\\n  --action s3:GetObject\n```\n\n**See [EXAMPLES.md](docs/usage/EXAMPLES.md) for real-world scenarios** (offboarding, debugging, audits, incident response).\n\n## Core Commands\n\n### `collect` - Fetch IAM Data\n```bash\n# Single account with auto-caching\naws-access-map collect\n\n# Organization-wide (all accounts)\naws-access-map collect --all-accounts\n\n# Force fresh data (bypass cache)\naws-access-map collect --no-cache\n\n# Include Service Control Policies\naws-access-map collect --include-scps\n```\n\n**Caching:** Data is automatically cached for 24 hours in `~/.aws-access-map/cache/`. 
Use `--cache` to force cache, `--no-cache` to bypass, or `--cache-ttl` to customize expiration.\n\n### `who-can` - Find Principals with Access\n```bash\n# Find admins\naws-access-map who-can \"*\" --action \"*\"\n\n# Find who can read S3 bucket\naws-access-map who-can \"arn:aws:s3:::my-bucket/*\" --action \"s3:GetObject\"\n\n# With condition context (IP, MFA, etc.)\naws-access-map who-can \"*\" --action \"*\" \\\n  --source-ip \"203.0.113.50\" \\\n  --mfa\n```\n\n### `path` - Discover Access Paths\n```bash\n# Find how principal reaches resource\naws-access-map path \\\n  --from arn:aws:iam::123456789012:role/AppRole \\\n  --to arn:aws:s3:::sensitive-bucket/* \\\n  --action s3:GetObject\n```\n\nDiscovers direct access and role assumption chains (up to 5 hops).\n\n### `report` - Security Analysis\n```bash\n# Find high-risk access patterns\naws-access-map report --high-risk\n```\n\nDetects: admin access, public access, cross-account access, overly permissive roles, sensitive actions.\n\n### `cache` - Manage Cached Data\n```bash\n# View cache info\naws-access-map cache info --account 123456789012\n\n# Clear cache\naws-access-map cache clear\n```\n\n**See [docs/usage/USAGE.md](docs/usage/USAGE.md) for complete command reference.**\n\n## Key Features\n\n### ✅ Complete IAM Policy Evaluation\n\nImplements AWS's 6-step evaluation logic in correct order:\n\n1. **SCPs** - Organization-level denies (v0.5.0)\n2. **Permission boundaries** - Principal-level allowlist (v0.6.0)\n3. **Session policies** - Temporary session constraints (v0.6.0)\n4. **Explicit denies** - Always win\n5. **Explicit allows** - Grant access\n6. 
**Implicit deny** - Default\n\n### ✅ Multi-Account Support (v0.6.0)\n\n```bash\n# Collect from all accounts in organization\naws-access-map collect --all-accounts\n\n# Use custom cross-account role\naws-access-map collect --all-accounts --role-name CustomAuditRole\n```\n\n**Requirements:**\n- AWS Organizations access from management account\n- Cross-account role in member accounts (default: `OrganizationAccountAccessRole`)\n- See [docs/usage/PERMISSIONS.md](docs/usage/PERMISSIONS.md) for details\n\n### ✅ Condition Evaluation (v0.4.0)\n\nSupports 22 condition operators: `StringEquals`, `IpAddress`, `Bool`, `DateLessThan`, `NumericGreaterThan`, `ArnLike`, etc.\n\n```bash\n# Evaluate IP-restricted policies\naws-access-map who-can \"*\" --action \"*\" --source-ip \"203.0.113.50\"\n\n# Check MFA-protected access\naws-access-map who-can \"arn:aws:iam::*:*\" --action \"iam:*\" --mfa\n```\n\n### ✅ Policy Simulation Mode (v0.7.0)\n\nTest policy changes locally without AWS credentials. Perfect for CI/CD integration.\n\n```bash\n# Test policies from local file\naws-access-map simulate who-can \"arn:aws:s3:::bucket/*\" \\\n  --action s3:GetObject \\\n  --data local-policies.json\n\n# Compare before/after policy changes\naws-access-map simulate diff \\\n  --before current.json \\\n  --after proposed.json \\\n  --action \"*\"\n\n# Validate for security issues (exit 1 if found)\naws-access-map simulate validate --data policies.json\n```\n\n**Use cases:**\n- Test policy changes before deployment\n- CI/CD policy validation\n- Local development without AWS access\n- Security audits of proposed changes\n\n### ✅ Incremental Caching (v0.7.0)\n\n10x faster collection for large accounts with minimal changes.\n\n```bash\n# First run: full collection (30s)\naws-access-map collect --no-cache\n\n# Subsequent runs: delta only (3-5s)\naws-access-map collect --incremental\n```\n\n**How it works:**\n- Tracks resource metadata (policy hashes, LastModified)\n- Detects changed resources only\n- 
Fetches deltas, not full data\n- Graceful fallback to full collection\n\n**Performance:**\n- **Full**: 30 seconds (1000 resources)\n- **Incremental (no changes)**: 3-5 seconds (10x faster)\n- **Incremental (10% changes)**: 8-10 seconds (3x faster)\n\n### ✅ IAM Groups Support (v0.7.0)\n\nComplete IAM entity coverage with group membership resolution.\n\n```bash\n# Users inherit group permissions\naws-access-map who-can \"arn:aws:s3:::*\" --action s3:GetObject\n# Returns: alice (via group: Developers)\n```\n\n**Features:**\n- Collects groups with inline + managed policies\n- Resolves user group memberships\n- Inherits both allows and denies from groups\n- Deny rules from groups override user allows\n\n### ✅ Performance\n\n- **Fast queries**: 50-100ms for typical accounts\n- **Auto-caching**: 24h TTL (configurable)\n- **Incremental mode**: 10x speedup for large accounts (v0.7.0)\n- **Multi-account**: Parallel collection across accounts\n- **No external dependencies**: Single binary, no database required\n\n## What It Collects\n\n**IAM Entities:**\n- ✅ IAM users, roles (inline + managed policies)\n- ✅ IAM groups with membership resolution (v0.7.0)\n- ✅ Permission boundaries (v0.6.0)\n- ✅ Service Control Policies (v0.5.0)\n- ✅ Role trust policies and assumption chains\n\n**Resource Policies:**\n- ✅ S3, KMS, SQS, SNS, Secrets Manager\n- ✅ Lambda functions (v0.7.0)\n- ✅ API Gateway REST APIs (v0.7.0)\n- ✅ ECR repositories (v0.7.0)\n- ✅ EventBridge event buses (v0.7.0)\n\n**Multi-Account:**\n- ✅ Organization-wide collection (v0.6.0)\n\nSee [docs/usage/PERMISSIONS.md](docs/usage/PERMISSIONS.md) for required IAM permissions.\n\n## How It Works\n\n```\n┌─────────┐    ┌───────┐    ┌───────┐\n│ Collect │ -\u003e │ Graph │ -\u003e │ Query │\n└─────────┘    └───────┘    └───────┘\n  AWS APIs    In-memory   BFS/Policy\n  2-3 sec     \u003c 1 sec      \u003c 100ms\n```\n\n1. **Collect**: Fetches policies via AWS SDK, caches locally\n2. 
**Graph**: Builds in-memory structure (principals → actions → resources)\n3. **Query**: Traverses graph with BFS, evaluates constraints (SCPs, boundaries, sessions)\n\n## Comparison\n\n| Feature | aws-access-map | AWS IAM Policy Simulator | Commercial Tools |\n|---------|----------------|--------------------------|------------------|\n| **Speed** | 3 second queries | Manual, one-at-a-time | Minutes (scanning) |\n| **Cost** | Free | Free | $$$$ |\n| **Offline** | ✅ Yes (local cache) | ❌ No | ❌ No |\n| **Multi-account** | ✅ Yes (v0.6.0) | ❌ No | ✅ Yes |\n| **Role chains** | ✅ Yes (BFS) | ❌ No | ⚠️ Limited |\n| **SCPs** | ✅ Yes (v0.5.0) | ✅ Yes | ✅ Yes |\n| **Conditions** | ✅ Yes (22 operators) | ✅ Yes | ✅ Yes |\n| **CLI-first** | ✅ Yes | ❌ UI-based | ❌ UI-based |\n\n## Roadmap\n\n- ✅ v0.1.0 - IAM collection \u0026 basic queries\n- ✅ v0.2.0 - Resource policies (S3, KMS, SQS, SNS)\n- ✅ v0.3.0 - Role assumption chains (BFS)\n- ✅ v0.4.0 - Policy condition evaluation\n- ✅ v0.5.0 - Service Control Policies (SCPs)\n- ✅ v0.6.0 - Permission boundaries, session policies, caching, multi-account\n- ✅ v0.7.0 - IAM groups, Lambda/API Gateway/ECR/EventBridge, policy simulation, incremental caching\n- ⏳ v0.8.0 - Resource tagging, NotAction/NotResource evaluation\n- ⏳ v0.9.0 - Web UI (optional)\n\n## Contributing\n\nContributions welcome! 
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and architecture.\n\n**Key areas for contribution:**\n- Additional resource types (ECS, EFS, RDS, DynamoDB, etc.)\n- More condition operators (StringLike patterns, etc.)\n- Performance optimizations\n- Web UI / visualization\n- Documentation improvements\n\n## License\n\nMIT License - see [LICENSE](LICENSE) for details.\n\n## Support\n\n- 📖 [Documentation](https://github.com/pfrederiksen/aws-access-map)\n- 🐛 [Issue Tracker](https://github.com/pfrederiksen/aws-access-map/issues)\n- 💬 [Discussions](https://github.com/pfrederiksen/aws-access-map/discussions)\n\n---\n\n**Built with ❤️ for DevOps engineers debugging permissions at 3am.**\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpfrederiksen%2Faws-access-map","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpfrederiksen%2Faws-access-map","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpfrederiksen%2Faws-access-map/lists"}