deekayen.iam_access_simulation

AWS IAM Access Simulation

This tool lets you check which IAM users and roles can access specific resources in your AWS account. It helps you find out who can access your S3 buckets or KMS keys, especially when auditors ask for this information.

The role collects all IAM users and roles from your AWS account and then tests each action you provide against the resource it is paired with in the resources_to_test variable. If you want to test only users or only roles, skip the one you don't need by filtering tasks with the user or role tag (for example ansible-playbook --tags user or --skip-tags role).

It uses the AWS CLI's simulate-principal-policy command (the IAM SimulatePrincipalPolicy API) to test each principal/action/resource combination:

aws iam simulate-principal-policy \
  --policy-source-arn <user/role arn> \
  --resource-arns <resource arn> \
  --action-names <action>
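The same loop the role runs, as an added Python example that is not the role's own code: it lists every IAM user and role, asks the SimulatePrincipalPolicy API for each action/resource pair through a boto3-shaped client, and produces the "allowed" lines the role prints. FakeIAM, its ALLOWED set and SAMPLE_TESTS are constructed stand-ins so the example runs offline; the ARNs are the sample ones from this README, and a real run would pass boto3.client("iam") instead of FakeIAM().

```python
"""Enumerate IAM users and roles, then run SimulatePrincipalPolicy for each action/resource pair."""
from types import SimpleNamespace

BUCKET = "arn:aws:s3:::deekayen-123456789000-secret-bucket"  # sample ARNs taken from the README above
KMS_KEY = "arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab"
SAMPLE_TESTS = [{"action": "s3:GetObject", "resource": BUCKET}, {"action": "kms:Decrypt", "resource": KMS_KEY}]

def list_principals(iam):
    """Collect every IAM user and role (kind, name, ARN), following list_users/list_roles pagination."""
    out = []
    for kind, op, key, name in (("User", "list_users", "Users", "UserName"), ("Role", "list_roles", "Roles", "RoleName")):
        for page in iam.get_paginator(op).paginate():
            out.extend({"kind": kind, "name": i[name], "arn": i["Arn"]} for i in page[key])
    return out

def decision_for(iam, principal_arn, action, resource, resource_policy=None):
    """Return EvalDecision (allowed / implicitDeny / explicitDeny) for one action on one resource."""
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": [action], "ResourceArns": [resource],
              **({"ResourcePolicy": resource_policy} if resource_policy else {})}  # bucket/key policy JSON, optional
    decision = "implicitDeny"
    while True:  # EvaluationResults can be truncated; follow Marker until IsTruncated is false
        resp = iam.simulate_principal_policy(**kwargs)
        decision = next((r["EvalDecision"] for r in resp["EvaluationResults"] if r["EvalActionName"] == action), decision)
        if not resp.get("IsTruncated"):
            return decision
        kwargs["Marker"] = resp["Marker"]

def run_simulation(iam, resources_to_test, resource_policy=None):
    """Produce the same 'User X allowed to <action> on <resource>' lines the role prints."""
    principals = list_principals(iam)  # enumerate once, not once per test
    return [f'{p["kind"]} {p["name"]} allowed to {t["action"]} on {t["resource"]}'
            for t in resources_to_test for p in principals
            if decision_for(iam, p["arn"], t["action"], t["resource"], resource_policy) == "allowed"]

class FakeIAM:
    """Constructed stand-in for boto3's IAM client so the example runs offline (not real account data)."""
    USERS = [{"UserName": "deekayen", "Arn": "arn:aws:iam::123456789000:user/deekayen"}]
    ROLES = [{"RoleName": "ec2-instances", "Arn": "arn:aws:iam::123456789000:role/ec2-instances"}]
    ALLOWED = {(USERS[0]["Arn"], "s3:GetObject", BUCKET), (USERS[0]["Arn"], "kms:Decrypt", KMS_KEY),
               (ROLES[0]["Arn"], "s3:GetObject", BUCKET)}  # (principal, action, resource) the fake account permits

    def get_paginator(self, op):
        pages = [{"Users": self.USERS}] if op == "list_users" else [{"Roles": self.ROLES}]
        return SimpleNamespace(paginate=lambda: iter(pages))

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, ResourceArns, **_):
        results = [{"EvalActionName": a, "EvalResourceName": r, "EvalDecision":
                    "allowed" if (PolicySourceArn, a, r) in self.ALLOWED else "implicitDeny"}
                   for a in ActionNames for r in ResourceArns]
        return {"EvaluationResults": results, "IsTruncated": False}
```

Without a ResourcePolicy the simulation evaluates only the principal's identity-based policies, so an S3 bucket policy or KMS key policy that grants or denies access is not reflected unless you pass its JSON through resource_policy.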

Role Variables

resources_to_test: []

Example Playbook

---

- hosts: localhost
  connection: local
  gather_facts: no

  vars:
    resources_to_test:
      - action: s3:GetObject
        resource: arn:aws:s3:::deekayen-123456789000-secret-bucket
      - action: kms:Decrypt
        resource: arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab

  roles:
    - deekayen.iam_access_simulation

At the end of the playbook run, the results of the simulation are printed to the console; only principals the simulation decides are allowed appear in the list.

TASK [iam_access_simulation : Print simulation results.] **********************
ok: [localhost] => {
    "msg": [
        "User deekayen allowed to s3:GetObject on arn:aws:s3:::deekayen-123456789000-secret-bucket",
        "Role ec2-instances allowed to s3:GetObject on arn:aws:s3:::deekayen-123456789000-secret-bucket",
        "User deekayen allowed to kms:Decrypt on arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab",
        "Role ec2-instances allowed to kms:Decrypt on arn:aws:kms:us-east-1:123456789000:key/1234abab-1e2c-3a4b-9ba8-1234567890ab"
    ]
}

PLAY RECAP *********************************************************************
localhost                  : ok=327  changed=0    unreachable=0    failed=0    skipped=324  rescued=0    ignored=0

Playbook run took 0 days, 0 hours, 3 minutes, 14 seconds

Requirements

You need to have boto and AWS CLI installed on your control machine.

Dependencies

collections:
  - amazon.aws
  - community.general

License

BSD-3-Clause

Project information

Simulate the access of AWS IAM users and roles performing various actions against any ARN.

Install
ansible-galaxy install deekayen.iam_access_simulation
License
bsd-3-clause
Downloads
14.7k
Owner
My initials spelled as a word - pronounced /dEE-kAY-En/