GARAGENUM
/
DevOps-Bash-tools
mirror of https://github.com/HariSekhon/DevOps-Bash-tools
13
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
gh-pages
ccmenu
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3ab7c63817'
${ noResults }
DevOps-Bash-tools/aws_policies_granting_full_...

72 lines
2.5 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2020-01-17 16:17:39 +0000 (Fri, 17 Jan 2020)
#
# https://github.com/harisekhon/bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/harisekhon
#
# Dumps policies granting full access in JSON format
#
# Takes a while to run (eg. ~18 mins for ~700 policies)
#
# If stderr is to terminal, prints progress counter in the form of num / total
#
# Recommend to redirect stdout to a file ( > file.txt ) and just watch progress counter on stderr in terminal
set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x
echo "Getting policy list" >&2
policies="$(
# get json to allow to filter later
aws iam list-policies |
jq -r '.Policies[] | [.Arn, .DefaultVersionId] | @tsv' # | head -n 10 || :
)"
num_policies="$(wc -l <<< "$policies")"
num_policies="${num_policies//[[:space:]]/}"
echo "Iterating over all $num_policies policies to find policies granting full access (this may take a while)" >&2
#{
#echo '['
#i=1
while read -r arn version; do
echo "checking $arn version $version" >&2
policy="$(aws iam get-policy-version --policy-arn "$arn" --version-id "$version")"
if {
# select any policies where Action is a string or an array containing * from granting all
# XXX: if you want to find policies granting full access to a service like S3 just replace '*' with 's3:*'
jq -r '.PolicyVersion | select(.Document.Statement[].Action == "*")' <<< "$policy" 2>/dev/null || :
jq -r '.PolicyVersion | select(.Document.Statement[].Action.[] | index("*"))' <<< "$policy" 2>/dev/null || :
} | grep -q .; then
echo "WARNING: $arn GRANTS FULL ACCESS:"
echo "$policy"
echo
fi
# simple but we want progress numbers
#echo -n '.' >&2
# only print counter if stderr is to terminal
#if [ -t 2 ]; then
# printf '\r%s/%s' "$i" "$num_policies" >&2
#fi
#if [ $i -lt "$num_policies" ]; then
# echo ','
#fi
#((i+=1))
done <<< "$policies"
#printf '\n' >&2
#echo ']'
#} # |
# doesn't give full document
#jq -r '.[].PolicyVersion.Document.Statement[] | select(.Action | index("*"))'
# gives full document, but not name and doesn't work when Action is string instead of array - doing test in loop now to output arn and handle both cases
#jq -r '.[].PolicyVersion | select(.Document.Statement[].Action | index("*"))'
Reference in New Issue View Git Blame Copy Permalink