
In the course of working with AWS I quite frequently run into a situation where I would need to confirm that a certain user or a group indeed has the access they should or should not have (or debug a policy that doesn't work correctly). For this purpose, I have created a "myusername-assumable" role whose permissions I can modify, and then assume it to test the given access. However, the problem is that many users have a complex collection of policies comprised of multiple group memberships in addition to some direct-attached policies. Since a role apparently can't be a member of a group, I have so far had to painstakingly rebuild a user's permissions, policy by policy, to match the desired user's or group's permissions I need to validate. To test an IAM user's permissions I could create a temporary set of keys, of course, but I would like to avoid that as a user can choose to rotate their keys at any point, and the presence of an extra key set would be confusing to them.

So my question is, is there any way (a script, a CLI command set, ...) to extract all the policies attached to an IAM user directly or via a group, and then reattach those policies to a role? I will eventually script this, but if someone happens to have an existing solution, that would be great!

Ville
  • There are multiple APIs that you would need to invoke in order to achieve this. I am going to list the CLI version of these. `list-groups-for-user` will list all groups attached to the user. `list-group-policies` will list the policies for each group. `list-user-policies` will get you the inline policies of the user. Using the details obtained from `list-group-policies`, invoke `put-role-policy` to create an inline policy in the role. `list-attached-user-policies` will get you the managed policies attached to the user. Using this, invoke `attach-role-policy` to attach the managed policy to the IAM role. – krishna_mee2004 Feb 26 '18 at 19:32
  • Don't forget the impact of resource policies -- e.g. S3 bucket policies, SNS topic policies... there is no way to fully emulate the effect of these. – Michael - sqlbot Feb 26 '18 at 22:47
  • That's a good point @Michael-sqlbot ... it would be great if AWS would introduce some kind of an "effective policy introspection tool" that would allow the policy to be analyzed from any user perspective. With that in mind, currently, the only way to positively verify the effective policy for a user seems to be to access the services as that user. In that light, it would be awesome for there to be an "assume-IAM-user" permission so that user permissions could be assumed like roles for administrative purposes. – Ville Feb 27 '18 at 00:19
  • There is of course the [IAM Policy Simulator](https://policysim.aws.amazon.com/), but it's a cumbersome tool to check a user's effective policy. Of course, there can still be factors that are unpredictable, such as policy effect based on the IP or other "environmental" factors. But as an administrator of an environment, those factors are generally known and taken into account. – Ville Feb 27 '18 at 00:26
  • Of course, there's also an argument to be made that using roles exclusively may be the way to go. We're moving in that direction in my organization -- so that ultimately, all actions against all services are done with role credentials from STS. When a user assumes a role, only the role permissions are relevant for requests made with the role credentials. Easier management, easier testing. – Michael - sqlbot Feb 27 '18 at 00:32
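A script for the extract-and-reattach step the question asks about, following the API sequence outlined in krishna_mee2004's comment; this is an added example, not code from the original post. It assumes boto3 is installed and that the caller has IAM read access on the user/groups and write access on the target role; resource-based policies and permissions boundaries, which Michael notes cannot be emulated this way, are deliberately out of scope.

```python
"""Copy an IAM user's identity-based policies (direct and via groups) onto a test role."""
import json


def _all(iam, op, key, **kw):
    # Follow every page: a user's policies or groups can span more than one page (boto3 client assumed)
    for page in iam.get_paginator(op).paginate(**kw):
        yield from page[key]


def collect_user_policies(iam, user_name):
    """Return (managed policy ARNs, {inline policy name: document}) for the user and all their groups.
    Resource-based policies and permissions boundaries are not part of the copy."""
    managed, inline = set(), {}
    for p in _all(iam, "list_attached_user_policies", "AttachedPolicies", UserName=user_name):
        managed.add(p["PolicyArn"])
    for name in _all(iam, "list_user_policies", "PolicyNames", UserName=user_name):
        doc = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
        inline[f"user-{name}"] = doc  # prefix keeps inline names unique across user and groups
    for g in _all(iam, "list_groups_for_user", "Groups", UserName=user_name):
        gname = g["GroupName"]
        for p in _all(iam, "list_attached_group_policies", "AttachedPolicies", GroupName=gname):
            managed.add(p["PolicyArn"])  # a set: the same managed policy may arrive via several groups
        for name in _all(iam, "list_group_policies", "PolicyNames", GroupName=gname):
            doc = iam.get_group_policy(GroupName=gname, PolicyName=name)["PolicyDocument"]
            inline[f"group-{gname}-{name}"] = doc
    return managed, inline


def copy_to_role(iam, role_name, managed, inline):
    """Attach the managed policies and re-create the inline ones on the role.
    Every policy is copied, Deny statements included, so the role evaluates like the user."""
    for arn in sorted(managed):
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    for name, doc in inline.items():
        # boto3 hands back the document already decoded; put_role_policy wants JSON text
        iam.put_role_policy(RoleName=role_name, PolicyName=name[:128], PolicyDocument=json.dumps(doc))


if __name__ == "__main__":
    import sys
    import boto3  # assumed installed; credentials come from the usual AWS CLI credential chain
    user, role = sys.argv[1], sys.argv[2]
    client = boto3.client("iam")
    arns, docs = collect_user_policies(client, user)
    copy_to_role(client, role, arns, docs)
    print(f"{role}: {len(arns)} managed and {len(docs)} inline policies copied from {user}")
```

The copy can fail on `attach_role_policy` if the user's groups collectively reference more managed policies than the account's per-role quota (10 by default) allows; clear the test role of earlier policies before re-running so stale ones do not linger.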
