A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.
Project description
aws-access-analyzer-validator
A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.
This tool
- discovers resource and identity policies attached to resources of supported AWS services (see below) in all commercial regions
- validates these policies with AWS IAM Access Analyzer ValidatePolicy API
- generates a report with Access Analyzer findings
See examples/sample_report.md for an example.
Usage
- Install from PyPI:
pip install aws-access-analyzer-validator
- Execute the tool:
aws-access-analyzer-validator -o report.md
- Open
report.mdto see analysis results.
Arguments
aws-access-analyzer-validator supports the following arguments:
--regions- A comma separated list of regions to limit policy validation to. For example,--regions eu-west-1,eu-north-1limits validation to policies ineu-west-1andeu-north-1regions. Global resources (IAM, S3) are scanned regardless of region limitations.
Supported Services / Resources
aws-access-analyzer-validator validates policies from the following
services:
- AWS Identity and Access Management (IAM)
- Inline policies of IAM users
- Inline policies of IAM groups
- Inline policies and trust policy of IAM roles
- Managed IAM Policies (customer managed)
- Amazon S3 bucket policies
- Amazon SQS queue policies
- Amazon SNS topic policies
Required Permissions
This tool requires the following permissions to operate:
accessanalyzer:ValidatePolicyiam:GetAccountAuthorizationDetailss3:GetBucketPolicys3:ListAllMyBucketssns:GetTopicAttributessns:ListTopicssqs:GetQueueAttributessqs:ListQueues
Here's an IAM policy that grants the required privileges:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionsForAAValidator",
"Effect": "Allow",
"Action": [
"access-analyzer:ValidatePolicy",
"iam:GetAccountAuthorizationDetails",
"s3:GetBucketPolicy",
"s3:ListAllMyBuckets",
"sns:GetTopicAttributes",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
"Resource": "*"
}
]
}
Development
Requires Python 3 and Poetry. Useful commands:
# Run integration tests (requires admin-level AWS credentials)
poetry run tox -e test
# Run linters
poetry run tox -e lint
# Format code
poetry run tox -e format
# Deploy test resources (requires AWS CLI and admin level AWS credentials)
make deploy-test-resources
Credits
- Inspired by z0ph/aa-policy-validator.
License
MIT.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for aws-access-analyzer-validator-0.2.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2594532f3ec19f079a5e084dc46096ee9b0c83440bd95efcf1cc333a81c81738 |
|
| MD5 | 19629ff2d86eed159dc4bf6004e619ca |
|
| BLAKE2b-256 | 4e290db8bed7a68e6779863c0f98319fce64a38debfe3be8bbb9c0f96fa58788 |
Close
Hashes for aws_access_analyzer_validator-0.2.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 68ec78d215440678911992017e7418fba23780a8a662ddfc412d6b0741dde960 |
|
| MD5 | e33e6400880c743337a65062ddd6b54e |
|
| BLAKE2b-256 | 7601c0c2a4180b61f3a456d685c254e4002896bea720dcc54b39c50c2876c804 |
