Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/deekayen/ansible-role-iam_access_simulation

Simulate the access of IAM users and roles performing various IAM actions against any ARN. Get a list of which users and roles have access.
https://github.com/deekayen/ansible-role-iam_access_simulation

ansible-role aws-cli iam-actions simulation

Last synced: about 1 month ago
JSON representation

Simulate the access of IAM users and roles performing various IAM actions against any ARN. Get a list of which users and roles have access.

Host: GitHub
URL: https://github.com/deekayen/ansible-role-iam_access_simulation
Owner: deekayen
License: bsd-3-clause
Created: 2020-10-20T18:24:57.000Z (about 4 years ago)
Default Branch: main
Last Pushed: 2024-01-29T15:48:37.000Z (11 months ago)
Last Synced: 2024-05-02T01:14:05.415Z (8 months ago)
Topics: ansible-role, aws-cli, iam-actions, simulation
Homepage: https://galaxy.ansible.com/ui/standalone/roles/deekayen/iam_access_simulation/
Size: 56.6 KB
Stars: 0
Watchers: 3
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

README

AWS IAM Access Simulation
=========================

[![CI](https://github.com/deekayen/ansible-role-iam_access_simulation/actions/workflows/ci.yml/badge.svg)](https://github.com/deekayen/ansible-role-iam_access_simulation/actions/workflows/ci.yml)

Simulate the access of IAM users and roles performing various IAM actions against any ARN. This tells you which users and roles have access to your S3 buckets or KMS keys when the auditors ask.

This will gather all the users and roles in your AWS account, then test the provided actions against ARNs that you will define in the `resources_to_test` variable. If you'd like to test only users OR roles, then you can omit the one you don't need using the `user` or `role` tag assigned to the tasks for filtering.

Test access of IAM users and roles using the [AWS CLI simulate principal policy](https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-principal-policy.html) feature.

```shell
aws iam simulate-principal-policy \
--policy-source-arn \
--resource-arns \
--action-names
```

Role Variables
--------------

```yaml
resources_to_test: []
```

Example Playbook
----------------

```yaml
---

- hosts: localhost
connection: local
gather_facts: no

vars:
resources_to_test:
- action: s3:GetObject
resource: arn:aws:s3:::deekayen-123456789000-secret-bucket
- action: kms:Decrypt
resource: arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab

roles:
- deekayen.iam_access_simulation
```

The results of the simulation are printed to the console at the end of the playbook run.

```shell
TASK [iam_access_simulation : Print similation results.] **********************
ok: [localhost] => {
"msg": [
"User deekayen allowed to s3:GetObject on arn:aws:s3:::deekayen-123456789000-secret-bucket",
"Role ec2-instances allowed to s3:GetObject on arn:aws:s3:::deekayen-123456789000-secret-bucket",
"User deekayen allowed to kms:Decrypt on arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab",
"Role ec2-instances allowed to kms:Decrypt on arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab"
]
}
[

PLAY RECAP *********************************************************************
localhost : ok=327 changed=0 unreachable=0 failed=0 skipped=324 rescued=0 ignored=0

Playbook run took 0 days, 0 hours, 3 minutes, 14 seconds
```

Requirements
------------

The control machine needs boto and AWS CLI.

Dependencies
------------

```yaml
collections:
- amazon.aws
- community.general
```

License
-------

BSD-3-Clause