A quick-and-dirty browser script for extracting action list tables from AWS Identity and Access Management pages to JSON documents.
Once in JSON, these IAM action lists can be easily queried using tools such as jq to answer questions such as:
- List all Write IAM actions for service X.
- List all Read IAM actions for service X resource type Y.
Open an Identity and Access Management page for a service via a browser, say AWS Backup.
With the page loaded, open the web developer tools console (e.g. macOS ⌥ ⌘ I) and execute the JavaScript in extract.js:

Copy the resulting JSON and save it to a file:

The JSON has the following shape:
$ cat backup-actions.json | jq
[
  {
    "action": "AssociateBackupVaultMpaApprovalTeam",
    "description": "Grants permission to associate an MPA approval team with a backup vault",
    "accessLevel": "Write",
    "resourceType": "backupVault"
  },
  {
    "action": "CancelLegalHold",
    "description": "Grants permission to cancel a legal hold",
    "accessLevel": "Write",
    "resourceType": "legalHold"
  },
  {
    "action": "CopyFromBackupVault [permission only]",
    "description": "Grants permission to copy from a backup vault",
    "accessLevel": "Write",
    "resourceType": "recoveryPoint"
  },
  {
    "action": "CopyIntoBackupVault [permission only]",
    "description": "Grants permission to copy into a backup vault",
    "accessLevel": "Write",
    "resourceType": "backupVault"
  },
  {
    "action": "CreateBackupPlan",
    "description": "Grants permission to create a new backup plan",
    "accessLevel": "Write",
    "resourceType": "backupPlan"
  },
  ...
]
List all access levels:
$ cat backup-actions.json | jq --raw-output 'map(.accessLevel) | unique[]'
List
Permissions management
Read
Tagging
Write
List all resource types:
$ cat backup-actions.json | jq --raw-output 'map(select(.resourceType != "") | .resourceType) | unique[]'
backupPlan
backupVault
framework
legalHold
recoveryPoint
reportPlan
restoreTestingPlan
Generate IAM action strings for given access levels and resource types:
$ cat backup-actions.json |
jq --raw-output '.[] | select(.accessLevel | IN("Permissions management","Write")) | select(.resourceType | IN("","backupPlan","backupVault")) | "backup:\(.action)"'
backup:AssociateBackupVaultMpaApprovalTeam
backup:CopyIntoBackupVault [permission only]
backup:CreateBackupPlan
backup:CreateBackupSelection
backup:CreateBackupVault
backup:CreateLogicallyAirGappedBackupVault
backup:CreateRestoreAccessBackupVault
backup:DeleteBackupPlan
backup:DeleteBackupSelection
backup:DeleteBackupVault
backup:DeleteBackupVaultAccessPolicy
backup:DeleteBackupVaultLockConfiguration
backup:DeleteBackupVaultNotifications
backup:DeleteBackupVaultSharingPolicy [permission only]
backup:DisassociateBackupVaultMpaApprovalTeam
backup:ListIndexedRecoveryPointsForSearch [permission only]
backup:PutBackupVaultAccessPolicy
backup:PutBackupVaultLockConfiguration
backup:PutBackupVaultNotifications
backup:PutBackupVaultSharingPolicy [permission only]
backup:PutRestoreValidationResult
backup:RevokeRestoreAccessBackupVault
backup:StartBackupJob
backup:StopBackupJob
backup:UpdateBackupPlan
backup:UpdateGlobalSettings
backup:UpdateRegionSettings
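
The strings generated above still carry the documentation's "[permission only]" annotation, which is not part of the action name. As an added example (not the repository's extract.js; the function names and sample rows are constructed here), this Node.js code normalises the extracted JSON into de-duplicated action strings and wraps them in a policy statement:

```javascript
// Added example: names below (toIamActions, buildPolicy, sampleRows) are hypothetical.
const PERMISSION_ONLY = /\s*\[permission only\]$/; // docs annotation, not part of the name
const VALID_ACTION = /^[A-Za-z0-9]+$/;

// Turn extracted rows into sorted, de-duplicated "service:Action" strings.
// Omitting accessLevels or resourceTypes disables that filter.
function toIamActions(rows, service, { accessLevels, resourceTypes } = {}) {
  const actions = new Set();
  for (const row of rows) {
    if (accessLevels && !accessLevels.includes(row.accessLevel)) continue;
    if (resourceTypes && !resourceTypes.includes(row.resourceType)) continue;
    const name = row.action.replace(PERMISSION_ONLY, "").trim();
    // Fail loudly on any other unexpected text rather than emit a bad policy.
    if (!VALID_ACTION.test(name)) {
      throw new Error(`unexpected action name: ${JSON.stringify(row.action)}`);
    }
    actions.add(`${service}:${name}`);
  }
  return [...actions].sort();
}

// Wrap the selected actions in a single-statement IAM policy document.
function buildPolicy(effect, actions, resource = "*") {
  if (!["Allow", "Deny"].includes(effect)) throw new Error(`bad effect: ${effect}`);
  if (actions.length === 0) throw new Error("no actions selected");
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: effect, Action: actions, Resource: resource }],
  };
}

// Constructed sample: rows copied from the listing above, plus one duplicate row.
const sampleRows = [
  { action: "CancelLegalHold", accessLevel: "Write", resourceType: "legalHold" },
  { action: "CopyIntoBackupVault [permission only]", accessLevel: "Write", resourceType: "backupVault" },
  { action: "CreateBackupPlan", accessLevel: "Write", resourceType: "backupPlan" },
  { action: "CreateBackupPlan", accessLevel: "Write", resourceType: "backupPlan" },
];

const selected = toIamActions(sampleRows, "backup", {
  accessLevels: ["Permissions management", "Write"],
  resourceTypes: ["", "backupPlan", "backupVault"],
});
console.log(JSON.stringify(buildPolicy("Deny", selected), null, 2));
```
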
Alternatively, see:
https://docs.aws.amazon.com/service-authorization/latest/reference/service-reference.html
https://servicereference.us-east-1.amazonaws.com/
https://servicereference.us-east-1.amazonaws.com/v1/backup/backup.json