Realtime monitor for IAM activity for IaC projects

Project description

IAM Action Watcher

Monitors IAM activity (actions) performed by a given user or role in real time and outputs the list of actions to help construct a policy document.

"A CLI helper tool which runs alongside your IaC project to determine exactly what permissions your policy will require"

> poetry run iam_watching
No user specified
Using sts identity: arn:aws:sts::[account_id]:assumed-role/[role_name]/[session_tag]

        Watching every 5s for last 50
        operations currently being performed by testuser
        Events can take up to 2 minutes to show up

        Displaying unique actions only

        Hit Ctrl+C to stop watching security events


2025-08-18 15:28:07-07:00 | ec2:DescribeInstances
2025-08-18 15:21:10-07:00 | rds:DescribeDBClusters
2025-08-18 15:21:04-07:00 | iam:GetUser
^C
        The following actions were recently
        performed by testuser:

"Action": [
  "ec2:DescribeInstances",
  "rds:DescribeDBClusters",
  "iam:GetUser"
]

Why?

With AWS IAM it can be hard to know exactly what permissions are required to run your code. IaC tooling makes many different API calls, each invoking an action that requires a specific permission.

For example, running a few different high-level functions on a simple program/module makes different kinds of calls:

  • refresh makes 'list/describe/get' calls
  • up/apply makes 'create' calls
  • down/destroy makes 'destroy/delete/deregister/de-provision' calls

I've found there is no good way to know exactly what these calls will be until all the functions have been tested, and this usually means a lot of back-and-forth debugging to raise or lower access permissions to a reasonable level. Best practice for IaC is a policy that grants exactly the minimum permissions required.

This simple CLI tool monitors CloudTrail for all security actions performed by a user/principal during a time window. This removes the guesswork and toil of testing every function to failure.

By default the program will detect whether you are authenticated as a traditional IAM user or a modern STS session, but you can still override which principal's events you want to see with the --user flag.
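The core of the approach described above, as an added example that is not the iam_watching project's own code: CloudTrail LookupEvents records for one principal are reduced to the unique set of `service:Action` strings and wrapped in a policy statement. The `Username` lookup attribute, the `monitoring.amazonaws.com` to `cloudwatch` prefix override and the sample records are assumptions constructed here; the Resource ARN is a placeholder the operator must scope down.

```python
import json
import datetime as dt
from typing import Iterable

# eventSource values whose IAM service prefix differs from the hostname's first
# label. Constructed, partial table for illustration; extend as you find more.
PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}

def service_prefix(event_source: str) -> str:
    """Map a CloudTrail eventSource hostname to the IAM service prefix."""
    return PREFIX_OVERRIDES.get(event_source, event_source.split(".")[0])

def to_action(record: dict) -> str:
    """Build 'service:Action' from one parsed CloudTrail event record."""
    return f"{service_prefix(record['eventSource'])}:{record['eventName']}"

def unique_actions(lookup_events: Iterable[dict]) -> list[str]:
    """Deduplicate LookupEvents results into actions in first-seen order
    (CloudTrail returns newest first); unparseable records are skipped."""
    seen: list[str] = []
    for item in lookup_events:
        try:
            action = to_action(json.loads(item["CloudTrailEvent"]))
        except (KeyError, TypeError, ValueError):
            continue
        if action not in seen:
            seen.append(action)
    return seen

def policy_statement(actions: list[str]) -> dict:
    """Allow statement; Resource stays a placeholder to scope down before use."""
    return {"Effect": "Allow", "Action": actions, "Resource": "RESOURCE_ARN_PLACEHOLDER"}

def lookup_recent(username: str, minutes: int = 30) -> list[dict]:
    """Pull recent events for one principal via CloudTrail LookupEvents.
    Needs boto3 and AWS credentials; imported lazily so the rest runs offline."""
    import boto3
    now = dt.datetime.now(dt.timezone.utc)
    pages = boto3.client("cloudtrail").get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "Username", "AttributeValue": username}],
        StartTime=now - dt.timedelta(minutes=minutes), EndTime=now)
    return [event for page in pages for event in page["Events"]]

# Constructed sample mirroring the README session; not real CloudTrail output.
def _rec(source: str, name: str) -> dict:
    return {"CloudTrailEvent": json.dumps({"eventSource": source, "eventName": name})}

SAMPLE_EVENTS = [_rec("ec2.amazonaws.com", "DescribeInstances"), _rec("rds.amazonaws.com", "DescribeDBClusters"),
                 _rec("ec2.amazonaws.com", "DescribeInstances"), _rec("iam.amazonaws.com", "GetUser"),
                 {"CloudTrailEvent": "not json"}]  # second ec2 call is a duplicate; last record is malformed
```

Against `SAMPLE_EVENTS`, `policy_statement(unique_actions(SAMPLE_EVENTS))` yields the same three actions as the README session; with real credentials, feed `lookup_recent("testuser")` in instead. Note that `eventName` is not always the IAM action name, so the output is a starting point to review, not a finished policy.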

Developing

Running it locally

poetry install
poetry run iam_watching

Install from PyPI

pipx install iam_watching
iam_watching --help

Download files


Source Distribution

iam_watching-1.6.0.tar.gz (3.9 kB)

Built Distribution

iam_watching-1.6.0-py3-none-any.whl (5.1 kB)

File details

Details for the file iam_watching-1.6.0.tar.gz.

File metadata

  • Download URL: iam_watching-1.6.0.tar.gz
  • Size: 3.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.3 CPython/3.13.5 Darwin/23.6.0

File hashes

Hashes for iam_watching-1.6.0.tar.gz
Algorithm Hash digest
SHA256 375c4b414ffc87737d5ada3f8bd08368b121aee7711f2850cdce9ff5d7be60a2
MD5 8714bcb5fd0c33630a8f37a725664a60
BLAKE2b-256 d3e961b5d6a57e5b49f89aa862fc0e8f57f75a68c9c61782f6fa5d1a38c08238

File details

Details for the file iam_watching-1.6.0-py3-none-any.whl.

File metadata

  • Download URL: iam_watching-1.6.0-py3-none-any.whl
  • Size: 5.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.1.3 CPython/3.13.5 Darwin/23.6.0

File hashes

Hashes for iam_watching-1.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1333565bb7eb193a7b539929f7bcd9e20cc44e5e796516fc1ab8ab31f70d4867
MD5 3b5ff009d5523e7b8a797bdca1d67b12
BLAKE2b-256 e01afce7be25bd4d4fc049f968c3a5d6d9d46a312c7630281e6f78e85c37fd07
