A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.
Project description
aws-access-analyzer-validator
A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.
This tool
- discovers resource and identity policies attached to resources of supported AWS services (see below) in all commercial regions
- validates these policies with AWS IAM Access Analyzer ValidatePolicy API
- generates a report with Access Analyzer findings
See examples/sample_report.md for an example.
Usage
- Install from PyPI (Python 3.8+ required):
pip install aws-access-analyzer-validator
- Execute the tool:
aws-access-analyzer-validator -o report.md
- Open
report.mdto see analysis results.
Arguments
aws-access-analyzer-validator supports the following arguments:
--regions- A comma separated list of regions to limit policy validation to. For example,--regions eu-west-1,eu-north-1limits validation to policies ineu-west-1andeu-north-1regions. Global resources (IAM, S3) are scanned regardless of region limitations.
Supported Services / Resources
aws-access-analyzer-validator validates policies from the following
services:
- AWS Identity and Access Management (IAM)
- Inline policies of IAM users
- Inline policies of IAM groups
- Inline policies and trust policy of IAM roles
- Managed IAM Policies (customer managed)
- Amazon S3 bucket policies
- Amazon SQS queue policies
- Amazon SNS topic policies
- Amazon Elastic Container Registry (ECR) repository policies
Required Permissions
This tool requires the following permissions to operate:
accessanalyzer:ValidatePolicyecr:DescribeRepositoriesecr:GetRepositoryPolicyiam:GetAccountAuthorizationDetailss3:GetBucketPolicys3:ListAllMyBucketssns:GetTopicAttributessns:ListTopicssqs:GetQueueAttributessqs:ListQueues
Here's an IAM policy that grants the required privileges:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionsForAAValidator",
"Effect": "Allow",
"Action": [
"access-analyzer:ValidatePolicy",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"iam:GetAccountAuthorizationDetails",
"s3:GetBucketPolicy",
"s3:ListAllMyBuckets",
"sns:GetTopicAttributes",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
"Resource": "*"
}
]
}
Development
Requires Python 3.8+ and Poetry. Useful commands:
# Setup environment
poetry install
# Run integration tests (requires admin-level AWS credentials)
make test
# Run linters
make -k lint
# Format code
make format
# Deploy test resources (requires AWS CLI and admin level AWS credentials)
make deploy-test-resources
# Delete test resources
make delete-test-resources
Credits
- Inspired by z0ph/aa-policy-validator.
License
MIT.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for aws_access_analyzer_validator-0.4.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7f1fba9177cc367799411520e4c6164a21920029b8c08084de39b438bb68b531 |
|
| MD5 | befdef8d3adc10d3ffc97822bb6324b2 |
|
| BLAKE2b-256 | 42f283c5aba9f9781dde9f689672bf49a1727732ef46dcc9bfa4a0aface8eee8 |
Close
Hashes for aws_access_analyzer_validator-0.4.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ce3f890bf6260bfab03d5ce9857ca3f531ab4905d006a274fcf894315b10724c |
|
| MD5 | c75ceb4b4a14096179e961499ebecc6e |
|
| BLAKE2b-256 | 2d3a9882bb7f51ccf598cfa44243641dadd01c6280c33cf1fef175d72c15c9dc |
