
On AWS, I want to review all permissions granted to or revoked from our services and redefine them when necessary.

Considering a specific role set on AWS IAM.

How can I filter which services, instances or lambda functions assumed this role?

I tried to filter, for example, the Lambda functions under this role, but couldn't find how to do this.

Andre Pastore
  • Could you please clarify what you are seeking? Are you wanting to know entity _can_ assume a role, or which entity historically _did_ assume a role? – John Rotenstein May 27 '19 at 04:05

1 Answer


There is the CloudTrail service to

log, continuously monitor, and retain account activity related to actions across your AWS infrastructure

That should give you an overview which entities assumed which role.

There are also some potentially useful cli commands:

The list-entities-for-policy operation

Lists all IAM users, groups, and roles that the specified managed policy is attached to.

The get-service-last-accessed-details-with-entities operation returns a

list of entities that could have used group or policy permissions to access the specified service

But CloudTrail is the standard governance service.

Henrik Pingel
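The answer above points at CloudTrail but does not show what the relevant records look like or how to filter them. The following is an added example, not code from the question or the answer: it takes CloudTrail records (the `Records` array of a log file, or the `CloudTrailEvent` JSON strings that `aws cloudtrail lookup-events` returns) and summarises which principals assumed one role. Role assumptions by the Lambda or EC2 service appear as `AssumeRole` events from `sts.amazonaws.com` whose `userIdentity.type` is `AWSService` and whose `invokedBy` names the service; the `roleSessionName` is the function name for Lambda and the instance id for EC2. The sample records, account id, role name and function names are constructed placeholders, and denied attempts (records carrying an `errorCode`) are reported separately so they are not mistaken for successful use.

```python
"""Summarise which principals assumed a given IAM role from CloudTrail records.

Added example (not from the original Q&A). All identifiers below are
constructed placeholders; no real account, role or log data is used.
"""
import json
from collections import defaultdict

ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"        # role under review (placeholder)
OTHER_ROLE = "arn:aws:iam::123456789012:role/other-role"    # unrelated role (placeholder)

# Constructed sample CloudTrail records, trimmed to the fields this script reads.
SAMPLE_RECORDS = [
    {   # Lambda service assuming the function's execution role
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "process-orders"},
    },
    {   # EC2 instance profile: the session name is the instance id
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "i-0abc123def456789"},
    },
    {   # IAM user assuming the role directly via STS
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice"},
    },
    {   # Denied attempt: must not be counted as a successful assumption
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "mallory"},
    },
    {   # Same event type, different role: must be ignored
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
        "requestParameters": {"roleArn": OTHER_ROLE, "roleSessionName": "other-func"},
    },
    {   # Unrelated API call: must be ignored
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {},
    },
]

# The same records in the shape `aws cloudtrail lookup-events` prints them
# (each CloudTrailEvent is a JSON string). Constructed for the example.
SAMPLE_LOOKUP_OUTPUT = {"Events": [{"CloudTrailEvent": json.dumps(r)} for r in SAMPLE_RECORDS]}


def load_lookup_events(lookup_output):
    """Turn lookup-events output into plain record dicts."""
    return [json.loads(e["CloudTrailEvent"]) for e in lookup_output.get("Events", [])]


def principal_of(record):
    """Service name for service-initiated assumptions, otherwise the caller ARN."""
    ui = record.get("userIdentity", {})
    if ui.get("type") == "AWSService":
        return ui.get("invokedBy", "unknown-service")
    return ui.get("arn", ui.get("type", "unknown"))


def who_assumed(records, role_arn):
    """Return {principal: sorted roleSessionNames} for successful AssumeRole calls on role_arn.

    Denied calls are returned under the key "denied" with the caller and session,
    so a probing principal is visible without being counted as a consumer of the role.
    """
    out = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        session = params.get("roleSessionName", "")
        if rec.get("errorCode"):
            out["denied"].add(f"{principal_of(rec)}:{session}")
            continue
        out[principal_of(rec)].add(session)
    return {k: sorted(v) for k, v in out.items()}


def lambda_functions(summary):
    """Lambda function names that assumed the role (session name == function name)."""
    return summary.get("lambda.amazonaws.com", [])


def ec2_instances(summary):
    """EC2 instance ids that assumed the role via an instance profile."""
    return summary.get("ec2.amazonaws.com", [])


if __name__ == "__main__":
    for principal, sessions in who_assumed(SAMPLE_RECORDS, ROLE_ARN).items():
        print(f"{principal}: {', '.join(sessions)}")
```

On a real account you would feed it `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole` (the lookup window is limited to the recent past; go to the S3 trail for older data), pipe the JSON through `load_lookup_events`, and pass the result to `who_assumed` with the role ARN under review.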