sellers · November 19, 2015 12:06 · sellers · Nov 19, 2015
diff --git a/find_iam_user.py b/find_iam_user.py
 #!/usr/bin/env python
 '''
 # Find the IAM username belonging to the TARGET_ACCESS_KEY
 # Useful for finding IAM user corresponding to a compromised AWS credential
 # Usage:
 #     find_IAM.user AWS_ACCESS_KEY_ID
 # Requirements:
 #
 # Environmental variables:
 #     AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
 #     or
 #     AWS_PROFILE
 #     or a .boto config file.  add profile_name='xxx' if you have more than one
 # python:
 #   boto
 '''

 import boto.iam
 import sys

 if len(sys.argv) != 2:
    print sys.argv
    print('Usage: \n {0} AWS_ACCESS_KEY_ID\n\n'.format(sys.argv[0]))
    exit(1)

 TARGET_ACCESS_KEY = sys.argv[1]

 IAM = boto.connect_iam()  # add profile_name= here

 MARKER = None
 IS_TRUNCATED = 'true'
 USERS = []

 while IS_TRUNCATED == 'true':
    ALL_USERS = IAM.get_all_users('/', marker=MARKER)
    USERS += ALL_USERS['list_users_response']['list_users_result']['users']
    IS_TRUNCATED = (ALL_USERS['list_users_response']
                    ['list_users_result']['is_truncated'])
    if IS_TRUNCATED == 'true':
        MARKER = (ALL_USERS['list_users_response']
                  ['list_users_result']['marker'])

 print("\n\nFound {0} users, searching...".format(str(len(USERS)))),


 def find_key():
    '''
    identify key amongst users
    '''
    for user in USERS:
        print('.'),
        for key_result in (IAM.get_all_access_keys(user['user_name'])
                           ['list_access_keys_response']
                           ['list_access_keys_result']
                           ['access_key_metadata']):
            aws_access_key = key_result['access_key_id']
            if aws_access_key == TARGET_ACCESS_KEY:
                print('Target key belongs to user:{0}'
                      .format(user['user_name']))
                return True
    return False

 if not find_key():
    print('\n\nDid not find access key ({0} in {1} IAM users.'
          .format(TARGET_ACCESS_KEY, str(len(USERS))))
	#!/usr/bin/env python
	'''
	# Find the IAM username belonging to the TARGET_ACCESS_KEY
	# Useful for finding IAM user corresponding to a compromised AWS credential
	# Usage:
	# find_IAM.user AWS_ACCESS_KEY_ID
	# Requirements:
	#
	# Environmental variables:
	# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
	# or
	# AWS_PROFILE
	# or a .boto config file. add profile_name='xxx' if you have more than one
	# python:
	# boto
	'''

	import boto.iam
	import sys

	if len(sys.argv) != 2:
	print sys.argv
	print('Usage: \n {0} AWS_ACCESS_KEY_ID\n\n'.format(sys.argv[0]))
	exit(1)

	TARGET_ACCESS_KEY = sys.argv[1]

	IAM = boto.connect_iam() # add profile_name= here

	MARKER = None
	IS_TRUNCATED = 'true'
	USERS = []

	while IS_TRUNCATED == 'true':
	ALL_USERS = IAM.get_all_users('/', marker=MARKER)
	USERS += ALL_USERS['list_users_response']['list_users_result']['users']
	IS_TRUNCATED = (ALL_USERS['list_users_response']
	['list_users_result']['is_truncated'])
	if IS_TRUNCATED == 'true':
	MARKER = (ALL_USERS['list_users_response']
	['list_users_result']['marker'])

	print("\n\nFound {0} users, searching...".format(str(len(USERS)))),


	def find_key():
	'''
	identify key amongst users
	'''
	for user in USERS:
	print('.'),
	for key_result in (IAM.get_all_access_keys(user['user_name'])
	['list_access_keys_response']
	['list_access_keys_result']
	['access_key_metadata']):
	aws_access_key = key_result['access_key_id']
	if aws_access_key == TARGET_ACCESS_KEY:
	print('Target key belongs to user:{0}'
	.format(user['user_name']))
	return True
	return False

	if not find_key():
	print('\n\nDid not find access key ({0} in {1} IAM users.'
	.format(TARGET_ACCESS_KEY, str(len(USERS))))