Checks code for needed AWS IAM Privileges

Project description

iamscan

iamscan is a command line tool that reads your code and generates an AWS IAM policy containing the permissions that code needs. Keeping track of AWS IAM permissions is annoying and time-consuming. How often have you seen an update deployed to the cloud, followed by "The provided execution role does not have permissions to call CreateSomething on SomeService"? This problem is usually solved either by manually reading through the code or, worse, by opening up permissions wholesale to speed things up (lambda:*, s3:*, etc.). IAM policies should always grant least privilege, and iamscan can help you accomplish this.

Installation

iamscan is easiest to install via pip and requires Python 3.8 or newer:

$ pip install iamscan

Supported File Types

  • Currently iamscan can parse JavaScript files, Python files and shell scripts, so the filename extension must be one of .js, .py or .sh
  • For JavaScript files iamscan recognizes AWS SDK for JavaScript v2 commands but will not recognize AWS SDK for JavaScript v3 commands
  • For Python files iamscan recognizes boto3 Low Level Client commands but will not recognize Resource based commands
  • For Shell Scripts all aws-cli commands are recognized
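To make the Python rule above concrete, here is an added example (not iamscan's own code) of the technique such a scanner relies on: walk the module's AST, remember which variables were bound by boto3.client("service"), and turn every method call on those variables into a service:Action pair, since boto3's snake_case method names correspond to the PascalCase IAM action names. The sample script, the IAM_PREFIX_OVERRIDES table (boto3 service names do not always equal the IAM service prefix; the table here is deliberately partial) and the build_policy helper are all constructed for this example.

```python
import ast
import json
from typing import Dict, List

# Constructed sample input: a small boto3 script of the kind iamscan parses.
# Only low-level client calls should be recognized; the dict .get() is a decoy.
SAMPLE_SOURCE = '''
import boto3

ec2 = boto3.client("ec2")
lam = boto3.client("lambda", region_name="us-east-1")

def deploy():
    ec2.describe_instances()
    ec2.start_instances(InstanceIds=["i-0123456789abcdef0"])
    lam.get_function_configuration(FunctionName="my-function")
    data = {"a": 1}
    data.get("a")  # not a boto3 client, must be ignored
'''

# boto3 service names whose IAM prefix differs. Assumption for this example and
# deliberately partial; a real tool needs a complete lookup table.
IAM_PREFIX_OVERRIDES: Dict[str, str] = {"stepfunctions": "states"}


def snake_to_pascal(name: str) -> str:
    """boto3 method names are snake_case; IAM action names are PascalCase."""
    return "".join(part.capitalize() for part in name.split("_"))


def find_clients(tree: ast.AST) -> Dict[str, str]:
    """Map variable names to service names for `x = boto3.client("svc", ...)`."""
    clients: Dict[str, str] = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        target, call = node.targets[0], node.value
        if (isinstance(target, ast.Name)
                and isinstance(call, ast.Call)
                and isinstance(call.func, ast.Attribute)
                and call.func.attr == "client"
                and isinstance(call.func.value, ast.Name)
                and call.func.value.id == "boto3"
                and call.args
                and isinstance(call.args[0], ast.Constant)
                and isinstance(call.args[0].value, str)):
            clients[target.id] = call.args[0].value
    return clients


def scan_source(source: str) -> List[str]:
    """Return the sorted IAM actions implied by low-level client calls in `source`."""
    tree = ast.parse(source)
    clients = find_clients(tree)
    actions = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in clients):
            service = clients[node.func.value.id]
            prefix = IAM_PREFIX_OVERRIDES.get(service, service)
            actions.add(f"{prefix}:{snake_to_pascal(node.func.attr)}")
    return sorted(actions)


def build_policy(actions: List[str], resources: List[str] = None) -> dict:
    """Wrap the actions in a single Allow statement, scoped to ARNs when given."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": resources if resources else "*",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(scan_source(SAMPLE_SOURCE)), indent=2))
```

Because the scan is purely syntactic, it only sees calls made directly on a variable bound in the same module; a client passed in as a function argument, stored on an object, or created through boto3.resource() (which the page says iamscan also does not handle) produces no actions, so a generated policy is a starting point to review rather than a guarantee of completeness.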

Basic Usage

Call iamscan from the command line and pass in a file, or a directory containing multiple files, with the --path option.

$ iamscan --path iamscan -p tests/py/awsec2instances.py
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}

Passing in a directory parses every file in the directory and merges their permissions into one policy.

$ iamscan --path iamscan -p tests/py/
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "s3api:CreateBucket",
        "s3api:DeleteBucket",
        "s3api:DeleteObject",
        "s3api:ListBuckets",
        "s3api:ListObjectsV2"
      ],
      "Resource": "*"
    }
  ]
}

Use --output-format to switch the output to YAML, for example for use in an AWS CloudFormation template.

$ iamscan --path iamscan -p tests/py/awsec2instances.py --output-format yaml
Statement:
- Effect: Allow
  Action:
  - ec2:DescribeInstances
  - ec2:RebootInstances
  - ec2:RunInstances
  - ec2:StartInstances
  - ec2:StopInstances
  - ec2:TerminateInstances
  Resource: '*'

Command Line Reference

Command                     Description
-p, --path                  The path to a file or directory [REQUIRED]
-v, --version               Displays the current version
-h, --help                  Displays the help message
-o, --output-format         The format of the output IAM policy (json | yaml); defaults to json
-i, --id                    An Id to add to the IAM policy
-r, --resource              One or more ARNs to add to the IAM policy as its Resource
-s, --seperate-statements   Usable when passing a directory as the path; separates permissions into separate Statements, one per file
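The generated policies above all carry "Resource": "*", and the --resource and --seperate-statements options exist so that the output can be narrowed before it is deployed. The following added example (not part of iamscan) shows the review step a practitioner would run over a generated policy: flag wildcard resources and actions, split the single statement into one per service so each can be scoped to its own ARNs, and normalize service prefixes. The s3api: prefix in the directory example above is the aws-cli subcommand name, not the IAM service prefix, so those actions must be rewritten to s3: before IAM will accept the policy; the PREFIX_FIXES table, the trimmed GENERATED_POLICY and the ARNs passed to scope_policy are constructed for this example.

```python
import json
import re
from typing import Dict, List

# Constructed input: the shape of the directory-scan output shown above,
# trimmed to a few actions. Note the s3api: prefix, which is the aws-cli
# subcommand name and not the IAM service prefix (s3:).
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances",
            "lambda:CreateFunction",
            "s3api:CreateBucket",
            "s3api:ListBuckets",
        ],
        "Resource": "*",
    }],
}

# Prefixes that must be rewritten before the policy is valid IAM (partial table).
PREFIX_FIXES: Dict[str, str] = {"s3api": "s3"}

# arn:partition:service:region:account:resource (region and account may be empty)
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def normalize_action(action: str) -> str:
    service, _, name = action.partition(":")
    return f"{PREFIX_FIXES.get(service, service)}:{name}"


def review_policy(policy: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            service = action.partition(":")[0]
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
            if service in PREFIX_FIXES:
                findings.append(f"statement {i}: {action} uses aws-cli prefix "
                                f"'{service}' instead of IAM prefix '{PREFIX_FIXES[service]}'")
        for resource in _as_list(stmt["Resource"]):
            if resource == "*":
                findings.append(f"statement {i}: Resource is '*'")
            elif not ARN_RE.match(resource):
                findings.append(f"statement {i}: {resource} is not an ARN")
    return findings


def scope_policy(policy: dict, arns_by_service: Dict[str, List[str]]) -> dict:
    """Split into one statement per service, each scoped to the ARNs supplied.
    Services with no ARNs keep '*' so review_policy still flags them."""
    by_service: Dict[str, set] = {}
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            action = normalize_action(action)
            by_service.setdefault(action.partition(":")[0], set()).add(action)
    statements = []
    for service in sorted(by_service):
        sid = re.sub(r"[^A-Za-z0-9]", "", service).capitalize() + "Access"
        statements.append({
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(by_service[service]),
            "Resource": arns_by_service.get(service) or "*",
        })
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    print("\n".join(review_policy(GENERATED_POLICY)))
    scoped = scope_policy(GENERATED_POLICY, {
        "ec2": ["arn:aws:ec2:us-east-1:123456789012:instance/*"],  # constructed ARNs
        "s3": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    })
    print(json.dumps(scoped, indent=2))
    print("\n".join(review_policy(scoped)))
```

Running the review a second time over the scoped policy leaves exactly one finding, the lambda statement that was given no ARNs, which is the intended workflow: the generated policy is only merged once review_policy returns an empty list.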

Contributing

The iamscan repo uses a Makefile with pytest for local development. First create a virtual environment from the requirements.txt file; then, after making any changes, run make test to ensure all the tests pass. If your change warrants tests, add them to the test_code.py file. Once all tests pass, please open a Pull Request against the main branch.

License

iamscan is released under the MIT License. See the bundled LICENSE file for details.

Credits

Download files

Source Distribution

iamscan-0.0.1.tar.gz (59.4 kB)

Uploaded Source

Built Distribution

iamscan-0.0.1-py3-none-any.whl (58.0 kB)

Uploaded Python 3

File details

Details for the file iamscan-0.0.1.tar.gz.

File metadata

  • Download URL: iamscan-0.0.1.tar.gz
  • Upload date:
  • Size: 59.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.25.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.61.1 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.3 CPython/3.9.5

File hashes

Hashes for iamscan-0.0.1.tar.gz
Algorithm Hash digest
SHA256 8438d6738eed0c845548db1d5fb975b94f8709276726a8d4410e4bcb67ee0141
MD5 9d1698860c8c18a60c1b677363e0cb38
BLAKE2b-256 638ee074c7927f1c9a78a039c8f68de218d42e8910efe15cf6d3ac5d8ec64e41

File details

Details for the file iamscan-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: iamscan-0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 58.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.25.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.61.1 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.3 CPython/3.9.5

File hashes

Hashes for iamscan-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9a5e204861157676ecd45a220b1bd3a76230f861658fc58308c4abf26361c1d8
MD5 b30af9b2ce3b638f85ab949436259369
BLAKE2b-256 eda4febe3cefe6b23629fa0e7f92235f313735a19cdca6aec4e933ed93cae81b
