I run this command: aws iam list-users, and I get a list of users but not permissions (meaning if someone is root, or s3fullaccess and so for) are listed.
I run this other command: aws iam list-user-policies --user-name xxxxx, and I get this result below empty:
{
"PolicyNames": []
}
Which command or what combination of commands I need to display all users plus their respective permissions?, thanks.
That command only lists the user's inline policies, you would also need to get the list of managed policies attached to the IAM user. Then you would also need to get the list of groups a user belongs to, and list the inline policies and managed policies attached to each of the groups.
So from the CLI you would need to do the following:
aws iam list-user-policies
aws iam list-attached-user-policies
aws iam list-groups-for-user
# For each group:
aws iam list-group-policies
aws iam list-attached-group-policies
I highly recommend doing something like this in Python and Boto3, instead of using the AWS CLI tool.
Inspired by this post, I wrote this to capture a user's permissions, prior to purging them, in case they need to be restored later:
function _getUserIamPermissions() {
export AWS_PAGER="";
local _user="${1}";
local outputManagedPolicies="";
local outputUserPolicies="";
local outputManagedGroupPolicies="";
local outputGroupPolicies="";
# Managed Policies Attached to the IAM User
local _managedpolicies=$(aws iam list-attached-user-policies --user-name "${_user}" | jq -r '.AttachedPolicies[].PolicyArn';);
for policy in ${_managedpolicies}; do
local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
outputManagedPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}";);
printf "%s" "${outputManagedPolicies}";
done;
# Inline Policies on the IAM User
local _userpolicies=$(aws iam list-user-policies --user-name "${_user}" | jq -r '.PolicyNames[]';);
for policy in ${_userpolicies}; do
outputUserPolicies=$(aws iam get-user-policy --user-name "${_user}" --policy-name "${policy}";);
printf "%s" "${outputUserPolicies}";
done;
# Get all of the IAM User's assigned IAM Groups
local _groups=$(aws iam list-groups-for-user --user-name "${_user}" | jq -r '.Groups[].GroupName';);
for group in ${_groups}; do
# Managed Policies Attached to the IAM Group
local _managedgrouppolicies=$(aws iam list-attached-group-policies --group-name "${group}" | jq -r '.AttachedPolicies[].PolicyArn';);
for policy in ${_managedgrouppolicies}; do
local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
outputManagedGroupPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}" | jq --arg arn "${policy}" '{"PolicyArn": $arn, "Policy": .}';);
printf "%s" "${outputManagedGroupPolicies}";
done;
# Inline Policies on the IAM Group
local _grouppolicies=$(aws iam list-group-policies --group-name "${group}" | jq -r '.PolicyNames[]';);
for policy in ${_grouppolicies}; do
outputGroupPolicies=$(aws iam get-group-policy --group-name "${group}" --policy-name "${policy}";);
printf "%s" "${outputGroupPolicies}";
done;
done;
}
function getUserIamPermissions() {
local username="${1}";
_getUserIamPermissions "${username}" | jq -s;
}
Updated based on information found here: # https://www.badllama.com/content/using-aws-cli-check-user-permissions
Usage:
The fastest way to use it and the way I used it, was through AWS CloudShell. I opened the CloudShell terminal, pasted that in and then I'd run:
getUserIamPermissions <username>
The output is a JSON array containing all of a user's:
Managed Policies attached to the IAM User
Inline Policies on the IAM User
Managed Policies attached to the user's IAM Groups
Inline Policies on the user's IAM Groups
First, you get list of Policies (as mentioned in anser by #Mark-b)
Next you get versions of each policy:
aws iam list-policy-versions --policy-arn
For specific version, you query PolicyDocument
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --version-id vX
You will get JSON formated PolicyDocument with IAM policy statements
You can use AWS API GetAccountAuthorizationDetails to get a snapshot of the configuration of IAM permissions
Kindly run below one liner bash script regarding to list all users with their policies, groups,attached polices.
aws iam list-users |grep -i username > list_users ; cat list_users |awk '{print $NF}' |tr '\"' ' ' |tr '\,' ' '|while read user; do echo "\n\n--------------Getting information for user $user-----------\n\n" ; aws iam list-user-policies --user-name $user --output yaml; aws iam list-groups-for-user --user-name $user --output yaml;aws iam list-attached-user-policies --user-name $user --output yaml ;done ;echo;echo
Related
This query has an issue with an error
aws iam list-access-keys --user-name "User1_aws" --query AccessKeyMetadata.Status[?Value == 'Inactive'] --output text
The below query gives me both inactive and active keys as I have 2 keys one active and one inactive but it returns both keys for the same user even I put the filter for inactive key only. Can anyone help me with this
aws iam list-access-keys --user-name "user_aws" --query 'AccessKeyMetadata[].AccessKeyId' && AccessKeyMetadata.Status[?Value == 'Inactive'] --output text
This will help you.
aws iam list-access-keys --user-name "aws-user" --query 'AccessKeyMetadata[?Status == `Inactive`].AccessKeyId'
I have an account in AWS that I want to block access to the console from some users (more than 50 users).
It's can be achieve using aws-cli by running this aws iam delete-login-profile --user-name <name> but I don't want to do it manually one by one, there is a way to do it in bulk (using CSV file etc.)
Thanks!
So I managed to do it that way:
Exporting all users to .csv:
if aws iam list-users --output text --query 'Users[*].[UserName]' > users.csv
then
echo "Users list exported successfully"
else
echo "Export failed"
fi
And then:
#!/bin/bash
for n in $(cat users.csv )
do
aws iam delete-login-profile --user-name "${n}"
echo "Deleting login profile for ${n}"
done < users.csv
I would like to list tags for all of my roles within IAM.
aws iam list-role-tags --role-name role123 will only list tags for single role.
aws iam list-roles will list all the roles.
How do I concatenate these two cli commands to list all the tags in all roles?
You can do this with the following shell script:
# Get all role names as text
roles=$(aws iam list-roles \
--query 'Roles[*].RoleName' \
--output text)
# Loop through role names and get tags
for role in $roles
do
aws iam list-role-tags --role-name $role
done
If the respective role's tag lists were too long and got truncated you would have to do some extra work. But I think this is a good starting point.
Or if you just want to grab Tags and single-line command then try this
for rolename in $(aws iam list-roles --query 'Roles[*].RoleName' --output text);do aws iam list-role-tags --role-name $rolename --query "Tags";done
Output
[
{
"Key": "Name",
"Value": "test"
}
]
I have multiple aws accounts and i don't remember in which aws account this EC2 instance was created, is there any optimal way to figure out in very less time?
Note: i need to know account DNS name or Alias name.(Not account number)
If you have access to the instance you could use Instance metadata API:
[ec2-user ~]$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
It returns json with accountId field.
If you configure AWS CLI for all account, then you can get the Account ID, ARN and user ID.
The script does the following.
Get the list of AWS configuration profile
Loop over all profile
Get a list of All Ec2 public IP address
print account info if IP matched and exit
RUN
./script.sh 52.x.x.x
script.sh
#!/bin/bash
INSTANCE_IP="${1}"
if [ -z "${INSTANCE_IP}" ]; then
echo "pls provide instance IP"
echo "./scipt.sh 54.x.x.x"
exit 1
fi
PROFILE_LIST=$(grep -o "\\[[^]]*]" < ~/.aws/credentials | tr -d "[]")
for PROFILE in $PROFILE_LIST; do
ALL_IPS=$(aws ec2 describe-instances --profile "${PROFILE}" --query "Reservations[].Instances[][PublicIpAddress]" --output text | tr '\r\n' ' ')
echo "looking against profile ${PROFILE}"
for IP in $ALL_IPS; do
if [ "${INSTANCE_IP}" == "${IP}" ]; then
echo "Instance IP matched in below account"
aws sts get-caller-identity
exit 0
fi
done
done
echo "seems like instance not belong to these profile"
echo "${PROFILE_LIST}"
exit 1
loop over accounts
loop over regions
also be aware of lightsail!
I came up with the following and helped me. I didn't exclude the regions that did not have lightsail
for region in `aws ec2 describe-regions --output text --query 'Regions[*].[RegionName]' --region eu-west-1` ; do \
echo $region; \
aws ec2 describe-network-interfaces --output text --filters Name=addresses.private-ip-address,Values="IPv4 address" --region $region ; \
aws lightsail get-instances --region eu-west-1 --output text --query 'instances[*].[name,publicIpAddress]' --region $region; \
done
I am asked to list all users accesses in my company's aws account. Is there any way that I can list out the resources and respective permissions a user has? I feel it is difficult to get the details by looking into both IAM polices as well as Resource based policies. And it is much difficult if the user has cross account access.
There is no single command that you can list all the permission. if you are interested to use some tool then you can try a tool for quickly evaluating IAM permissions in AWS.
You can try this script as well, As listing permission with single command is not possible you can check with a combination of multiple commands.
#!/bin/bash
username=ahsan
echo "**********************"
echo "user info"
aws iam get-user --user-name $username
echo "***********************"
echo ""
# if [ $1=="test" ]; then
# all_users=$(aws iam list-users --output text | cut -f 6)
# echo "users in account are $all_users"
# fi
echo "get user groups"
echo "***********************************************"
Groups=$(aws iam list-groups-for-user --user-name ahsan --output text | awk '{print $5}')
echo "user $username belong to $Groups"
echo "***********************************************"
echo "listing policies in group"
for Group in $Groups
do
echo ""
echo "***********************************************"
echo "list attached policies with group $Group"
aws iam list-attached-group-policies --group-name $Group --output table
echo "***********************************************"
echo ""
done
echo "list attached policies"
aws iam list-attached-user-policies --user-name $username --output table
echo "-------- Inline Policies --------"
for Group in $Groups
do
aws iam list-group-policies --group-name $Group --output table
done
aws iam list-user-policies --user-name $username --output table
Kindly run below one liner bash script regarding to list all users with their policies, groups,attached polices.
aws iam list-users |grep -i username > list_users ; cat list_users |awk '{print $NF}' |tr '\"' ' ' |tr '\,' ' '|while read user; do echo "\n\n--------------Getting information for user $user-----------\n\n" ; aws iam list-user-policies --user-name $user --output yaml; aws iam list-groups-for-user --user-name $user --output yaml;aws iam list-attached-user-policies --user-name $user --output yaml ;done ;echo;echo