#!/usr/bin/env bash
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2020-01-17 16:17:39 +0000 (Fri, 17 Jan 2020)
#
# https://github.com/harisekhon/bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/harisekhon
#
# Finds AWS IAM policies granting full access and prints them in JSON format
#
# Takes a while to run (e.g. ~18 mins for ~700 policies)
#
# If stderr is to terminal, prints progress counter in the form of num / total
#
# Recommended: redirect stdout to a file ( > file.txt ) and just watch the progress counter on stderr in the terminal
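set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x

echo "Getting policy list" >&2
# One "<arn>\t<default version id>" line per policy - only the default version
# is the one in effect, so that is the version inspected below
policies="$(
    aws iam list-policies |
    jq -r '.Policies[] | [.Arn, .DefaultVersionId] | @tsv'
)"

if [ -z "$policies" ]; then
    # wc -l on an empty here-string would report 1 and the loop below would then
    # call get-policy-version with an empty ARN, so bail out explicitly instead
    echo "No policies found" >&2
    exit 0
fi

num_policies="$(wc -l <<< "$policies")"
# BSD/macOS wc pads its output with leading spaces
num_policies="${num_policies//[[:space:]]/}"

echo "Iterating over all $num_policies policies to find policies granting full access (this may take a while)" >&2

i=0
while read -r arn version; do
    i=$((i + 1))
    # progress counter num/total so the user can tell how far along a long run is
    echo "[$i/$num_policies] checking $arn version $version" >&2
    # a failed fetch aborts the whole run under set -e - an audit that silently
    # skips policies is worse than one that stops and says so
    policy="$(aws iam get-policy-version --policy-arn "$arn" --version-id "$version")"
    # Flag the policy when any Allow statement lists the bare action "*".
    #
    # Both Statement and Action may be a single value or an array in an IAM
    # document, so each is normalised to a stream before comparing. Comparing
    # against exactly "*" avoids treating per-service wildcards such as
    # "ec2:Describe*" as full access, and Deny statements are skipped since they
    # grant nothing. Statements without an Action (e.g. NotAction) yield nothing.
    #
    # XXX: to find policies granting full access to a single service such as S3,
    #      replace "*" with "s3:*"
    #
    # jq -e exits 0 only if the filter produced a non-null/false value and 4 if
    # it produced nothing; jq errors are left visible on stderr rather than
    # discarded, and an errored document is not flagged
    if jq -e '
        .PolicyVersion.Document.Statement
        | if type == "array" then .[] else . end
        | select(.Effect == "Allow")
        | .Action // empty
        | if type == "array" then .[] else . end
        | select(. == "*")
    ' <<< "$policy" >/dev/null; then
        echo "WARNING: $arn GRANTS FULL ACCESS:"
        echo "$policy"
        echo
    fi
done <<< "$policies"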