Skip to main content

IAM AWS Permissions Evaluator

Project description

iam-ape

IAM APE

IAM AWS Policy Evaluator

APE takes all of your AWS IAM policies attached to a User, Group, or Role object, and presents you with a single policy, summarizing all of their actual permissions. Taking into account permissions, denials, inherited permissions and permission boundaries!

Setup

Requires Python >= 3.9

From PyPI

  1. Run pip install iam-ape
  2. Run iam-ape

From source

  1. Clone this repository
  2. Change directory to iam_ape
  3. Run python -m pip install .
  4. Run iam-ape

Usage

Prerequisite

Have aws-cli installed on your machine and a profile with aws:GetAccountAuthorizationDetails permissions.
Alternatively, have the json output from aws iam get-account-authorization-details saved to a file.

Before your first run, it's recommended to run iam-ape --update - this updates APE's database with the most current list of all available AWS IAM actions.

The simplest way to use iam-ape is to simply run iam-ape --arn <your-arn-here>
APE will then attempt to fetch the account authorization details, evaluate your permissions, and output a neatly formatted policy to stdout

The --input flag:

If you don't want to fetch the report every time, you can run aws iam get-account-authorization-details by yourself and save the output to a json file. You can then pass that output to APE using the --input flag.

Additional flags:

-o, --output write the output to file instead of stdout
-f, --format (clean|verbose) output the policy in clean, AWS policy-like JSON format, or a long verbose JSON containing all specific actions allowed to the entity, the denied actions, and the ineffective (allowed in one place, denied in another) permissions.
-p, --profile the AWS CLI profile to use when fetching Account Authorization Details
-u, --update update APE's database with the most current list of all available AWS IAM actions
-v, --verbose set logging level to DEBUG

Important note: the policy created by this tool might not always be compliant with AWS's constraints. For example, if a user is granted ec2:AttachVolume access to arn:aws:ec2:* by one policy, but denied access to arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc, the resulting policy statement will look like this:

{
    "Action": "ec2:AttachVolume",
    "Resource": "arn:aws:ec2:*",
    "NotResource": "arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc"
}

This statement, having both Resource and NotResource together, is not supported by AWS but makes more sense when trying to understand what the effective permissions of a user are.

Roadmap

  • Add an option to supply a resource policy and evaluate whether the entity has access to that resource
  • Support additional permissions inherited by Role assumption
  • Support SCP Policies

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

iam_ape-1.1.0.tar.gz (291.3 kB view details)

Uploaded Source

Built Distribution

iam_ape-1.1.0-py3-none-any.whl (290.7 kB view details)

Uploaded Python 3

File details

Details for the file iam_ape-1.1.0.tar.gz.

File metadata

  • Download URL: iam_ape-1.1.0.tar.gz
  • Upload date:
  • Size: 291.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.4.2 CPython/3.11.3 Darwin/22.4.0

File hashes

Hashes for iam_ape-1.1.0.tar.gz
Algorithm Hash digest
SHA256 a7b785ce65e76aa67b7f7be3273196cebcdfd335d91c7a5ca1e6b5719579fad7
MD5 e4b3491afe70a15a93df26934f7ba930
BLAKE2b-256 e177dfd69fb7d1694a9cb52bf7d12a1458ea352d8530a4e41a85efbc8651e422

See more details on using hashes here.

File details

Details for the file iam_ape-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: iam_ape-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 290.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.4.2 CPython/3.11.3 Darwin/22.4.0

File hashes

Hashes for iam_ape-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 84e753a21421bee18c2b28cc4e45223779152594daf273cf3cc0074e6ca5d3e8
MD5 7b05f9d24d1197adbf2f6697fb8564aa
BLAKE2b-256 f560454a82dbcd44f5a9a7dbd21939cf60f43940e9389e31fafcfe7d9138e73f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page