SamLR · May 23, 2019 15:24
diff --git a/aws-action-test.py b/aws-action-test.py
 #
 # Recommended use
 # python3 aws-action-test.py ec2:create-instance > arns.json
 #
 # This is pretty slow but I think it hits most main things in AWS
 #

 import boto3

 from sys import argv

 BILLING_ACTION = "aws-portal:ModifyAccount"

 def get_all(client, func_name, results_key, **kwargs):
  paginator = client.get_paginator(func_name)

  res = []
  for page in paginator.paginate(**kwargs):
    res += page[results_key]

  return res

 def get_all_arns():
  res = []

  client = boto3.client('iam')

  users = get_all(client, 'list_users', 'Users')
  res += [u['Arn'] for u in users]

  groups = get_all(client, 'list_groups', 'Groups')
  res += [g['Arn'] for g in groups]

  roles = get_all(client, 'list_roles', 'Roles')
  res += [r['Arn'] for r in roles]

  return res

 def main(arns, action):
  res = {
    "allowed":[],
    "implicitDeny":[],
    "explicitDeny":[],
  }

  client = boto3.client('iam')

  for test_arn in arns:
    resp = client.simulate_principal_policy(PolicySourceArn=test_arn, ActionNames=[action])

    eval_decision = resp["EvaluationResults"][0]["EvalDecision"]

    if eval_decision not in res:
      msg = "Unknown EvalDecision, {}, for arn: {} & action {}".format(eval_decision, test_arn, action)
      raise Exception(msg)

    res[eval_decision].append(test_arn)

  return res

 if __name__ == '__main__':

  import argparse

  parser = argparse.ArgumentParser()
  parser.add_argument('arns', metavar='A', nargs='*', help='ARNs to test')
  parser.add_argument("--action", help="Name of AWS action to test", default=BILLING_ACTION)

  args = parser.parse_args()

  if len(args.arns) > 0:
    arns = args.arns
  else:
    arns = get_all_arns()

  res = main(arns, args.action)

  import json
  print(json.dumps(res))
	#
	# Recommended use
	# python3 aws-action-test.py ec2:create-instance > arns.json
	#
	# This is pretty slow but I think it hits most main things in AWS
	#

	import boto3

	from sys import argv

	BILLING_ACTION = "aws-portal:ModifyAccount"

	def get_all(client, func_name, results_key, **kwargs):
	paginator = client.get_paginator(func_name)

	res = []
	for page in paginator.paginate(**kwargs):
	res += page[results_key]

	return res

	def get_all_arns():
	res = []

	client = boto3.client('iam')

	users = get_all(client, 'list_users', 'Users')
	res += [u['Arn'] for u in users]

	groups = get_all(client, 'list_groups', 'Groups')
	res += [g['Arn'] for g in groups]

	roles = get_all(client, 'list_roles', 'Roles')
	res += [r['Arn'] for r in roles]

	return res

	def main(arns, action):
	res = {
	"allowed":[],
	"implicitDeny":[],
	"explicitDeny":[],
	}

	client = boto3.client('iam')

	for test_arn in arns:
	resp = client.simulate_principal_policy(PolicySourceArn=test_arn, ActionNames=[action])

	eval_decision = resp["EvaluationResults"][0]["EvalDecision"]

	if eval_decision not in res:
	msg = "Unknown EvalDecision, {}, for arn: {} & action {}".format(eval_decision, test_arn, action)
	raise Exception(msg)

	res[eval_decision].append(test_arn)

	return res

	if __name__ == '__main__':

	import argparse

	parser = argparse.ArgumentParser()
	parser.add_argument('arns', metavar='A', nargs='*', help='ARNs to test')
	parser.add_argument("--action", help="Name of AWS action to test", default=BILLING_ACTION)

	args = parser.parse_args()

	if len(args.arns) > 0:
	arns = args.arns
	else:
	arns = get_all_arns()

	res = main(arns, args.action)

	import json
	print(json.dumps(res))