Friday, February 7, 2025

Search by action all AWS IAM Policies in your account

Find all policies that contain a specific action (a grep-by-string over your policy documents)

AWS IAM manages access to AWS through identities (users, groups and roles) that get their permissions from policies, and a policy is ultimately a set of statements that allow or deny actions.

A common situation is the following: you want to find every policy in your AWS account that contains the action ec2:CreateVolume.

Finding all policies that contain ec2:CreateVolume through the web UI is time consuming and error prone when there are many policies to check, especially once you have a mix of inline policies and managed policies (AWS managed or customer managed).

So, CLI to the rescue!

Examples

To search, use aws iam get-account-authorization-details, which returns the users, groups, roles and managed policies of the account, together with their policy documents, in a single call, and filter the output with a --query (JMESPath) expression. The call needs iam:GetAccountAuthorizationDetails and the output is paginated, so on a large account it can take a while and is best run once and saved to a file.

All policies

Note that this query only covers managed policies; inline policies hang off the user, group and role entries and are handled by the queries further down.

For ec2:CreateVolume this should do:

aws iam \
    get-account-authorization-details \
    --query 'Policies[?contains(PolicyVersionList[].Document[].Statement[].Action[], `ec2:CreateVolume`)].{Arn:Arn, Path:Path}'

If any policy contains the action ec2:CreateVolume, the output will look something like this:


[
    {
        "Arn": "arn:aws:iam::000000000000:policy/path/subPath/NameOfPolicy",
        "Path": "/path/subPath/"
    },
    {
        "Arn": "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
        "Path": "/"
    },
    {
        "Arn": "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
        "Path": "/service-role/"
    }
]

The first entry is a customer managed policy: the account ID is zeroed out in this example but will show your actual account ID, and /path/subPath/ is the IAM path the policy was created under.

The second and third have aws in place of an account ID (arn:aws:iam::aws:policy/...); these are AWS managed policies. That, not the name starting with Amazon, is what identifies them.

Two things to keep in mind about this query. First, contains() only matches the exact string, so a policy that grants the action through a wildcard (ec2:*, ec2:Create*, or just *) or through NotAction is not found, and Deny statements match just like Allow statements. Second, PolicyVersionList holds every stored version of a customer managed policy, so a match may come from an old, non-default version that IAM does not evaluate.

All groups with inline policies

The same approach works for inline policies, which hang off the group, user and role entries. Note that the PolicyName field in the results of the three queries below lists every inline policy of a matching principal, not only the ones that contain the action.

aws iam \
    get-account-authorization-details \
    --query 'GroupDetailList[?GroupPolicyList[].PolicyDocument[].Statement[].Action!=null && contains(GroupPolicyList[].PolicyDocument[].Statement[].Action[], `ec2:CreateVolume`)].{GroupArn:Arn, PolicyName:GroupPolicyList[].PolicyName}'

All users with inline policies

aws iam \
    get-account-authorization-details \
    --query 'UserDetailList[?UserPolicyList[].PolicyDocument[].Statement[].Action!=null && contains(UserPolicyList[].PolicyDocument[].Statement[].Action[], `ec2:CreateVolume`)].{UserArn:Arn, PolicyName:UserPolicyList[].PolicyName}'

All roles with inline policies

aws iam \
    get-account-authorization-details \
    --query 'RoleDetailList[?RolePolicyList[].PolicyDocument[].Statement[].Action!=null && contains(RolePolicyList[].PolicyDocument[].Statement[].Action[], `ec2:CreateVolume`)].{RoleArn:Arn, PolicyName:RolePolicyList[].PolicyName}'
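The JMESPath queries above (the managed-policy one and the three inline-policy ones) only find statements that list the action verbatim. IAM evaluates action names case-insensitively and with * and ? wildcards, so a policy granting ec2:*, *, or ec2:Create* also permits ec2:CreateVolume and is missed, as is an Allow with a NotAction that does not exclude it; conversely, the managed-policy query also reports matches in old, non-default versions that IAM never evaluates. The following Python script is an added example, not code from the original post: it runs the same search over a saved get-account-authorization-details JSON dump and handles those cases, reporting each matching policy by name together with the Effect and the pattern that matched. The document embedded in it is constructed (made-up account ID, names and ARNs) so that it runs offline; the policy names, the file name details.json and the script name find_action.py are assumptions.

```python
"""Search a saved `aws iam get-account-authorization-details` dump for an action.

Added example, not from the original post: like the JMESPath queries, but matching
the way IAM does (case-insensitive, * and ? wildcards, NotAction) and only looking
at the default version of managed policies."""
import fnmatch
import json
import sys

# Constructed sample in the shape of the CLI's JSON output, trimmed to the fields
# the search reads. Account ID, names and ARNs are made up.
SAMPLE = json.loads(r'''{
  "UserDetailList": [{"Arn": "arn:aws:iam::000000000000:user/alice", "UserPolicyList": [
    {"PolicyName": "alice-inline", "PolicyDocument": {"Statement":
      {"Effect": "Allow", "Action": "ec2:createvolume", "Resource": "*"}}}]}],
  "GroupDetailList": [{"Arn": "arn:aws:iam::000000000000:group/contractors", "GroupPolicyList": [
    {"PolicyName": "deny-all", "PolicyDocument": {"Statement":
      [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}}]}],
  "RoleDetailList": [{"Arn": "arn:aws:iam::000000000000:role/ops", "RolePolicyList": [
    {"PolicyName": "admin-except-iam", "PolicyDocument": {"Statement":
      [{"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}]}}]}],
  "Policies": [
    {"PolicyName": "EbsOperator", "Arn": "arn:aws:iam::000000000000:policy/path/subPath/EbsOperator",
     "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": true, "Document": {"Statement":
       [{"Effect": "Allow", "Action": ["ec2:Create*", "ec2:Describe*"], "Resource": "*"}]}}]},
    {"PolicyName": "OldVolumeCreator", "Arn": "arn:aws:iam::000000000000:policy/OldVolumeCreator",
     "PolicyVersionList": [
       {"VersionId": "v2", "IsDefaultVersion": true, "Document": {"Statement":
         [{"Effect": "Allow", "Action": ["ec2:DescribeVolumes"], "Resource": "*"}]}},
       {"VersionId": "v1", "IsDefaultVersion": false, "Document": {"Statement":
         [{"Effect": "Allow", "Action": ["ec2:CreateVolume"], "Resource": "*"}]}}]},
    {"PolicyName": "StorageAdmin", "Arn": "arn:aws:iam::000000000000:policy/StorageAdmin",
     "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": true, "Document": {"Statement":
       [{"Effect": "Allow", "Action": ["ec2:CreateVolume", "ec2:DeleteVolume"], "Resource": "*"}]}}]}]
}''')

# Top-level lists that hold principals, and the key holding their inline policies.
INLINE = (("UserDetailList", "UserPolicyList"),
          ("GroupDetailList", "GroupPolicyList"),
          ("RoleDetailList", "RolePolicyList"))


def as_list(value):
    """Statement, Action and NotAction may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statements_covering(document, action):
    """Yield (Effect, matched pattern) for each statement whose Action covers `action`.

    A NotAction statement covers every action it does not list, so it is reported
    with the pattern 'NotAction' whenever `action` is not among the exclusions."""
    for stmt in as_list(document.get("Statement")):
        effect = stmt.get("Effect", "Deny")
        for pattern in as_list(stmt.get("Action")):
            if action_matches(pattern, action):
                yield effect, pattern
        if "NotAction" in stmt and not any(
                action_matches(p, action) for p in as_list(stmt["NotAction"])):
            yield effect, "NotAction"


def find_policies(details, action):
    """Return one record per (policy, statement, pattern) that covers `action`."""
    hits = []
    for policy in details.get("Policies", []):
        for version in policy.get("PolicyVersionList", []):
            # IAM only evaluates the default version; older versions are noise.
            if not version.get("IsDefaultVersion"):
                continue
            for effect, pattern in statements_covering(version["Document"], action):
                hits.append({"Type": "managed", "Arn": policy["Arn"],
                             "PolicyName": policy["PolicyName"],
                             "Effect": effect, "Pattern": pattern})
    for list_key, policies_key in INLINE:
        for principal in details.get(list_key, []):
            for inline in principal.get(policies_key, []):
                for effect, pattern in statements_covering(inline["PolicyDocument"], action):
                    hits.append({"Type": "inline", "Arn": principal["Arn"],
                                 "PolicyName": inline["PolicyName"],
                                 "Effect": effect, "Pattern": pattern})
    return hits


if __name__ == "__main__":
    # Usage: python find_action.py ec2:CreateVolume [details.json]
    # where details.json is `aws iam get-account-authorization-details --output json`.
    wanted = sys.argv[1] if len(sys.argv) > 1 else "ec2:CreateVolume"
    data = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE
    print(json.dumps(find_policies(data, wanted), indent=4))
```

Run against the embedded sample, the search for ec2:CreateVolume reports EbsOperator (through ec2:Create*), StorageAdmin (verbatim), the lowercase inline policy on alice, the group's Deny on *, and the role's NotAction policy, while OldVolumeCreator is skipped because only its non-default version mentions the action. To run it against your own account, save the dump once with aws iam get-account-authorization-details --output json > details.json and pass that file as the second argument; the Effect column is what tells an Allow apart from a Deny, which the plain contains() queries do not distinguish.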
