Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evilpete/aws_access_adviser
This script generates CSV formatted reports similar to AWS's IAM Access Advisor in the AWS Console Web UI
- Host: GitHub
- URL: https://github.com/evilpete/aws_access_adviser
- Owner: evilpete
- Created: 2019-06-08T05:05:17.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-10-24T19:06:20.000Z (almost 5 years ago)
- Last Synced: 2024-06-28T08:32:25.604Z (3 months ago)
- Language: Python
- Homepage:
- Size: 7.81 KB
- Stars: 6
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Check IAM Role/User/Group Permissions
This script performs a similar function to the AWS Web Console's
[Access Advisor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)
but instead generates a CSV formatted report containing the identifying Name, Creation Date, Last Used Date, and Unused Permissions.

These reports are useful for establishing a more secure environment by applying the
[least privilege principle](https://en.wikipedia.org/wiki/Principle_of_least_privilege): a service that an entity's policies allow but that the entity has never called is a candidate for removal from those policies.

(For a much more powerful tool check out [policy_sentry](https://github.com/salesforce/policy_sentry).)
---
### Requirements
Requires the [boto3](https://github.com/boto/boto3 "AWS SDK for Python") library installed
```sh
$ pip install boto3
```

The following [AWS IAM permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access_policies_access-advisor-permissions-iam) are needed:
```
iam:GenerateServiceLastAccessedDetails
iam:GetServiceLastAccessedDetails
iam:GetServiceLastAccessedDetailsWithEntities
iam:ListPoliciesGrantingServiceAccess
```
---
### Usage
> usage: check_iam_permissions.py [-h] [--user] [--role] [--group]
The options `--user`, `--role` and `--group` can be used to generate the respective reports individually.
Without arguments, all three reports will be generated with the file names
`role_permissions.csv`,
`user_permissions.csv` and
`group_permissions.csv`.

The script also takes the standard AWS authentication options `--profile`, `--region`, `--key` & `--secret`.
---
### Output Example
|Role_Name|Created|Last_Used|Unused_Permissions|
| :--- | :--- | :--- | :--- |
|Ec2_backoffice|20190501 20:35:30|20190501 20:42:00|cloudwatch dynamodb kinesis s3|
|task-role-web|20171102 18:17:06|20190608 02:48:00|cloudwatch firehose sns|
|ec2-role-batch|20170927 20:54:40|20171010 21:00:00|dynamodb sqs|
|lambda-role|20170804 20:49:15|Never|cloudwatch elasticache elasticloadbalancing logs rds|
|ec2-role-jenkins-slave|20170915 20:25:23|20190608 02:48:00|dynamodb ec2|
---
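The following is an added example showing how a report in the format above is produced from the Access Advisor API; it is not the project's own script (the README does not include its source). It drives the two IAM calls covered by the permissions listed under Requirements, `GenerateServiceLastAccessedDetails` (which starts an asynchronous job) and `GetServiceLastAccessedDetails` (which is polled until the job completes and is paginated), through any object that exposes boto3's method names. The `FakeIam` class, the `svc`/`ts` helpers, the sample role ARNs (account `123456789012` is AWS's documentation placeholder) and the service entries are all constructed here so the example runs offline; against a real account you would pass `boto3.client("iam")` instead and list the entities with `list_roles`/`list_users`/`list_groups`.

```python
"""Access Advisor style 'unused services' report for IAM entities (added example,
not the project's script). Works against the constructed FakeIam below or any
real boto3 IAM client, since only boto3's method names and response shapes are used."""
import csv
import io
import time
from datetime import datetime, timezone

FMT = "%Y%m%d %H:%M:%S"   # timestamp format used by the README's output example


def unused_services(iam, arn, poll_seconds=1.0, max_polls=60):
    """Return (last_used, unused): the newest LastAuthenticated across services
    (None if never seen), and sorted namespaces of allowed-but-unused services."""
    # The report is generated asynchronously: start a job, then poll it.
    job_id = iam.generate_service_last_accessed_details(Arn=arn)["JobId"]
    for _ in range(max_polls):
        resp = iam.get_service_last_accessed_details(JobId=job_id)
        status = resp["JobStatus"]
        if status == "COMPLETED":
            break
        if status == "FAILED":
            raise RuntimeError(f"job {job_id} failed: {resp.get('Error')}")
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"job {job_id} still {status} after {max_polls} polls")

    # Results are paginated (IsTruncated/Marker); follow every page so a broad
    # policy is not silently reported as narrower than it is.
    services = list(resp["ServicesLastAccessed"])
    while resp.get("IsTruncated"):
        resp = iam.get_service_last_accessed_details(JobId=job_id, Marker=resp["Marker"])
        services.extend(resp["ServicesLastAccessed"])

    # An entry without a LastAuthenticated key was never used in the tracking window.
    used = [s["LastAuthenticated"] for s in services if "LastAuthenticated" in s]
    unused = sorted(s["ServiceNamespace"] for s in services if "LastAuthenticated" not in s)
    return (max(used) if used else None), unused


def report_rows(iam, entities):
    """Yield [Name, Created, Last_Used, Unused_Permissions] rows, in the README's
    format, for an iterable of (name, arn, created_datetime)."""
    for name, arn, created in entities:
        last_used, unused = unused_services(iam, arn, poll_seconds=0)
        yield [name, created.strftime(FMT),
               last_used.strftime(FMT) if last_used else "Never", " ".join(unused)]


class FakeIam:
    """Constructed stand-in with boto3's response shapes; it answers IN_PROGRESS on
    the first poll and paginates one entry per page so both loops above are exercised."""
    def __init__(self, data):
        self._data, self._jobs, self._polls = data, {}, {}   # arn->entries, job->arn, job->poll count

    def generate_service_last_accessed_details(self, Arn):
        job_id = f"job-{len(self._jobs)}"
        self._jobs[job_id], self._polls[job_id] = Arn, 0
        return {"JobId": job_id}

    def get_service_last_accessed_details(self, JobId, Marker=None):
        self._polls[JobId] += 1
        if self._polls[JobId] == 1:
            return {"JobStatus": "IN_PROGRESS", "ServicesLastAccessed": [], "IsTruncated": False}
        entries, start = self._data[self._jobs[JobId]], int(Marker or 0)
        resp = {"JobStatus": "COMPLETED", "ServicesLastAccessed": entries[start:start + 1],
                "IsTruncated": start + 1 < len(entries)}
        if resp["IsTruncated"]:
            resp["Marker"] = str(start + 1)
        return resp


def ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def svc(ns, last=None):
    """Build one ServicesLastAccessed entry (constructed sample data)."""
    entry = {"ServiceName": ns, "ServiceNamespace": ns, "TotalAuthenticatedEntities": 0}
    if last:
        entry.update(LastAuthenticated=ts(last), TotalAuthenticatedEntities=1)
    return entry


ROLE = "arn:aws:iam::123456789012:role/"   # placeholder account id from the AWS docs
SAMPLE = {
    ROLE + "lambda-role": [svc("cloudwatch"), svc("logs"), svc("rds")],
    ROLE + "task-role-web": [svc("s3", "20190608 02:48:00"), svc("dynamodb", "20190501 20:42:00"),
                             svc("sns"), svc("cloudwatch")],
}
ENTITIES = [("lambda-role", ROLE + "lambda-role", ts("20170804 20:49:15")),
            ("task-role-web", ROLE + "task-role-web", ts("20171102 18:17:06"))]


def demo():
    """Render the sample report as CSV text with the README's column headers."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Role_Name", "Created", "Last_Used", "Unused_Permissions"])
    writer.writerows(report_rows(FakeIam(SAMPLE), ENTITIES))
    return out.getvalue()


if __name__ == "__main__":
    print(demo())
```

Two caveats when reading such a report. Access Advisor only tracks activity within a bounded window, so `Never` means "not observed within that window", not "never since the entity was created"; a role that is used once a year can look unused. The `Unused_Permissions` column is also per service namespace, not per action: a role that has called `s3` at all will not list `s3` as unused even if its policy allows far more S3 actions than it needs, which is why the README points at policy_sentry for action-level tightening.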