anthumchris · June 9, 2022 20:55 · anthumchris · Jun 9, 2022
diff --git a/validate-permissions.js b/validate-permissions.js
 /*  This NodeJS script tests IAM Policy Actions for yourself or a specific PolicySourceArn user/role.
 *
 *  https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/configuring-the-jssdk.html
 */

 import AWS from 'aws-sdk' // $ npm i -D aws-sdk@2

 const iam = new AWS.IAM()
 const sts = new AWS.STS()


 validateMyPermissions()
 // validatePermissions('arn:aws:iam::############:user/my-test-user')


 /*
 *  Validate permissions for yourself (calling/executing account).
 *
 *  Requires permissions:
 *
 *    sts:GetCallerIdentity
 */
 async function validateMyPermissions() {
  validatePermissions( (await sts.getCallerIdentity().promise()).Arn )
 }


 /*
 *  Validate permissions for PolicySourceArn in format:
 *
 *    arn:aws:iam::ACCT_ID:role/ROLE_NAME
 *    arn:aws:iam::ACCT_ID:user/USER_NAME
 *
 *  Requires permissions to:
 *
 *    iam:SimulatePrincipalPolicy
 *    PolicySourceArn
 */
 async function validatePermissions(PolicySourceArn) {
  const results = await iam.simulatePrincipalPolicy({
    ActionNames: [
      "cloudwatch:DeleteAlarms",
      "cloudwatch:DeleteAnomalyDetector",
      "cloudwatch:DeleteDashboards",
      "cloudwatch:DeleteInsightRules",
      "cloudwatch:DeleteMetricStream",
      "cloudwatch:DescribeAlarmHistory",
      "cloudwatch:DescribeAlarms",
      // "cloudwatch:DescribeAlarmsForMetric",
      // "cloudwatch:DescribeAnomalyDetectors",
      // "cloudwatch:DescribeInsightRules",
      // "cloudwatch:DisableAlarmActions",
      // "cloudwatch:DisableInsightRules",
      // "cloudwatch:EnableAlarmActions",
      // "cloudwatch:EnableInsightRules",
      // "cloudwatch:GetDashboard",
      // "cloudwatch:GetInsightRuleReport",
      // "cloudwatch:GetMetricData",
      // "cloudwatch:GetMetricStatistics",
      // "cloudwatch:GetMetricStream",
      // "cloudwatch:GetMetricWidgetImage",
      // "cloudwatch:ListDashboards",
      // "cloudwatch:ListMetricStreams",
      // "cloudwatch:ListMetrics",
      // "cloudwatch:ListTagsForResource",
      // "cloudwatch:PutAnomalyDetector",
      // "cloudwatch:PutCompositeAlarm",
      // "cloudwatch:PutDashboard",
      // "cloudwatch:PutInsightRule",
      // "cloudwatch:PutMetricAlarm",
      // "cloudwatch:PutMetricData",
      // "cloudwatch:PutMetricStream",
      // "cloudwatch:SetAlarmState",
      // "cloudwatch:StartMetricStreams",
      // "cloudwatch:StopMetricStreams",
      // "cloudwatch:TagResource",
      // "cloudwatch:UntagResource",
    ],
    PolicySourceArn
  }).promise()

  const EvaluationResults = results.EvaluationResults.map(({ EvalActionName, EvalDecision, MatchedStatements }) => ({
    [EvalDecision === 'allowed' ? '✅' : '❌']: EvalActionName,
    // MatchedStatements: JSON.stringify(MatchedStatements), // policy statement details
  }))

  const formatted = {
    [PolicySourceArn]: EvaluationResults
  }

  console.log(formatted)
 }
	/* This NodeJS script tests IAM Policy Actions for yourself or a specific PolicySourceArn user/role.
	*
	* https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/configuring-the-jssdk.html
	*/

	import AWS from 'aws-sdk' // $ npm i -D aws-sdk@2

	const iam = new AWS.IAM()
	const sts = new AWS.STS()


	validateMyPermissions()
	// validatePermissions('arn:aws:iam::############:user/my-test-user')


	/*
	* Validate permissions for yourself (calling/executing account).
	*
	* Requires permissions:
	*
	* sts:GetCallerIdentity
	*/
	async function validateMyPermissions() {
	validatePermissions( (await sts.getCallerIdentity().promise()).Arn )
	}


	/*
	* Validate permissions for PolicySourceArn in format:
	*
	* arn:aws:iam::ACCT_ID:role/ROLE_NAME
	* arn:aws:iam::ACCT_ID:user/USER_NAME
	*
	* Requires permissions to:
	*
	* iam:SimulatePrincipalPolicy
	* PolicySourceArn
	*/
	async function validatePermissions(PolicySourceArn) {
	const results = await iam.simulatePrincipalPolicy({
	ActionNames: [
	"cloudwatch:DeleteAlarms",
	"cloudwatch:DeleteAnomalyDetector",
	"cloudwatch:DeleteDashboards",
	"cloudwatch:DeleteInsightRules",
	"cloudwatch:DeleteMetricStream",
	"cloudwatch:DescribeAlarmHistory",
	"cloudwatch:DescribeAlarms",
	// "cloudwatch:DescribeAlarmsForMetric",
	// "cloudwatch:DescribeAnomalyDetectors",
	// "cloudwatch:DescribeInsightRules",
	// "cloudwatch:DisableAlarmActions",
	// "cloudwatch:DisableInsightRules",
	// "cloudwatch:EnableAlarmActions",
	// "cloudwatch:EnableInsightRules",
	// "cloudwatch:GetDashboard",
	// "cloudwatch:GetInsightRuleReport",
	// "cloudwatch:GetMetricData",
	// "cloudwatch:GetMetricStatistics",
	// "cloudwatch:GetMetricStream",
	// "cloudwatch:GetMetricWidgetImage",
	// "cloudwatch:ListDashboards",
	// "cloudwatch:ListMetricStreams",
	// "cloudwatch:ListMetrics",
	// "cloudwatch:ListTagsForResource",
	// "cloudwatch:PutAnomalyDetector",
	// "cloudwatch:PutCompositeAlarm",
	// "cloudwatch:PutDashboard",
	// "cloudwatch:PutInsightRule",
	// "cloudwatch:PutMetricAlarm",
	// "cloudwatch:PutMetricData",
	// "cloudwatch:PutMetricStream",
	// "cloudwatch:SetAlarmState",
	// "cloudwatch:StartMetricStreams",
	// "cloudwatch:StopMetricStreams",
	// "cloudwatch:TagResource",
	// "cloudwatch:UntagResource",
	],
	PolicySourceArn
	}).promise()

	const EvaluationResults = results.EvaluationResults.map(({ EvalActionName, EvalDecision, MatchedStatements }) => ({
	[EvalDecision === 'allowed' ? '✅' : '❌']: EvalActionName,
	// MatchedStatements: JSON.stringify(MatchedStatements), // policy statement details
	}))

	const formatted = {
	[PolicySourceArn]: EvaluationResults
	}

	console.log(formatted)
	}