IAM AWS Permissions Evaluator
Project description
IAM APE
IAM AWS Policy Evaluator
APE takes all of your AWS IAM policies attached to a User, Group, or Role object, and presents you with a single policy, summarizing all of their actual permissions. Taking into account permissions, denials, inherited permissions and permission boundaries!
Setup
Requires Python >= 3.9
From PyPI
- Run
pip install iam-ape - Run
iam-ape
From source
- Clone this repository
- Change directory to iam_ape
- Run
python -m pip install . - Run
iam-ape
Usage
Prerequisite
Have aws-cli installed on your machine and a profile with
aws:GetAccountAuthorizationDetailspermissions.
Alternatively, have the json output fromaws iam get-account-authorization-detailssaved to a file.
Before your first run, it's recommended to run
iam-ape --update- this updates APE's database with the most current list of all available AWS IAM actions.
The simplest way to use iam-ape is to simply run iam-ape --arn <your-arn-here>
APE will then attempt to fetch the account authorization details, evaluate your permissions, and output a neatly formatted policy to stdout
The --input flag:
If you don't want to fetch the report every time, you can run aws iam get-account-authorization-details by yourself and save the output to a json file. You can then pass that output to APE using the --input flag.
Additional flags:
-o, --output write the output to file instead of stdout
-f, --format (clean|verbose) output the policy in clean, AWS policy-like JSON format, or a long verbose JSON containing all specific actions allowed to the entity, the denied actions, and the ineffective (allowed in one place, denied in another) permissions.
-p, --profile the AWS CLI profile to use when fetching Account Authorization Details
-u, --update update APE's database with the most current list of all available AWS IAM actions
-v, --verbose set logging level to DEBUG
Important note: the policy created by this tool might not always be compliant with AWS's constraints. For example, if a user is granted ec2:AttachVolume access to arn:aws:ec2:* by one policy, but denied access to arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc, the resulting policy statement will look like this:
{
"Action": "ec2:AttachVolume",
"Resource": "arn:aws:ec2:*",
"NotResource": "arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc"
}
This statement, having both Resource and NotResource together, is not supported by AWS but makes more sense when trying to understand what the effective permissions of a user are.
Roadmap
- Add an option to supply a resource policy and evaluate whether the entity has access to that resource
- Support additional permissions inherited by Role assumption
- Support SCP Policies
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file iam_ape-1.1.3.tar.gz.
File metadata
- Download URL: iam_ape-1.1.3.tar.gz
- Upload date:
- Size: 294.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.4.2 CPython/3.11.3 Darwin/22.5.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1fc861362249a62252a44bf74edfdc35f8037ee755ae8bf7f60ef3a39649b551 |
|
| MD5 | ca1dc9d5c21973cf79fd67ce362f9188 |
|
| BLAKE2b-256 | 75698258f977ce7028acd66376d2b76186c84885fa07dbf1cc1dfeb9ee9b4e80 |
File details
Details for the file iam_ape-1.1.3-py3-none-any.whl.
File metadata
- Download URL: iam_ape-1.1.3-py3-none-any.whl
- Upload date:
- Size: 293.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.4.2 CPython/3.11.3 Darwin/22.5.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5b07c3b4cc67e7ff7226682355d56ab1062bb825cc12275394219be846324275 |
|
| MD5 | a941ca88d196b969bf0190247b8ffd51 |
|
| BLAKE2b-256 | 48e9f47344d6709031ae4327c238f6eb6cb1e5588c7168913857a307ce9354fa |
