Evaluate your customer-managed AWS IAM policies for wildcard actions
#!/bin/bash
# Scan the account's customer-managed IAM policies and report every Action
# entry that contains a '*' wildcard.
#
# Requires the aws CLI with permission to list and read IAM policies.

# ANSI escape sequences used to highlight warnings (expanded by echo -e).
readonly BEGIN_RED='\e[31m'
readonly END_RED='\e[0m'

# ARNs of the policies found to contain a wildcard Action; filled by
# check_for_wildcard and printed by print_wildcard_policies.
declare -a wildcard_policies=()
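#######################################
# List the ARNs of the account's customer-managed (scope Local) policies.
# Globals:   policy_arns (written, array of ARNs), policy_count (written)
# Outputs:   a one-line summary on stdout; aws errors go to stderr
# Returns:   non-zero if the aws call fails, in which case policy_arns and
#            policy_count are left untouched
#######################################
get_policy_arns() {
  local raw
  # Fail here instead of silently reporting "0 ... policies found" when the
  # CLI errors (missing credentials, denied permission, network failure).
  raw=$(aws iam list-policies --query 'Policies[].Arn' --scope Local --output text) || return
  # --output text separates the ARNs with whitespace. read splits on IFS
  # without pathname expansion; it returns non-zero at end of input because
  # no NUL delimiter is present, which is the expected exit here.
  read -r -d '' -a policy_arns <<<"$raw" || true
  policy_count=${#policy_arns[@]}
  echo "$policy_count customer managed policies found."
}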
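#######################################
# Report every Action in the given list(s) that contains a '*'.
# Every argument is a whitespace-separated list of actions (the shape that
# `aws ... --output text` produces); all arguments are inspected, not just $1.
# Globals:   policy_arn, BEGIN_RED, END_RED (read); wildcard_policies (appended)
# Arguments: $@ - one or more whitespace-separated action lists
# Outputs:   one WARNING line per wildcard action on stdout
# Returns:   0
#######################################
check_for_wildcard() {
  local arg action found=0
  local -a actions
  for arg in "$@"; do
    # Split on IFS whitespace without pathname expansion. Iterating over an
    # unquoted $arg would glob, so an Action of "*" would be replaced by the
    # file names in the working directory and never be reported. read returns
    # non-zero at end of input (no NUL delimiter), which is expected here.
    read -r -d '' -a actions <<<"$arg" || true
    for action in "${actions[@]}"; do
      if [[ "$action" == *'*'* ]]; then
        # %b expands the escape sequences in the colour constants; the ARN and
        # the action go through %s so their contents are printed verbatim.
        printf "%bWARNING: Policy %s contains a '*' in the Action %s%b\n" \
          "$BEGIN_RED" "$policy_arn" "$action" "$END_RED"
        found=1
      fi
    done
  done
  # Record the policy once, however many of its actions carry a wildcard.
  if (( found )); then
    wildcard_policies+=("$policy_arn")
  fi
}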
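#######################################
# Resolve the default version of the policy in $policy_arn and fetch the
# Action entries of its document as whitespace-separated text.
# Globals:   policy_arn (read); policy_version, policy_actions (written)
# Outputs:   nothing on stdout; aws errors go to stderr
# Returns:   non-zero if any aws call fails, in which case policy_actions may
#            be unset or stale and the caller should not inspect it
#######################################
get_policy_version_and_actions() {
  policy_version=$(aws iam get-policy --policy-arn "$policy_arn" \
    --query 'Policy.DefaultVersionId' --output text) || return

  # A document's Statement is either a single object or a list. Query the
  # object form first; for the list form JMESPath yields null, which the text
  # output renders as "None".
  local queried_actions
  queried_actions=$(aws iam get-policy-version --policy-arn "$policy_arn" \
    --version-id "$policy_version" \
    --query 'PolicyVersion.Document.Statement.Action' --output text) || return

  if [[ "$queried_actions" == 'None' ]]; then
    policy_actions=$(aws iam get-policy-version --policy-arn "$policy_arn" \
      --version-id "$policy_version" \
      --query 'PolicyVersion.Document.Statement[].Action' --output text) || return
  else
    # Keep the raw text rather than splitting it into an array here: an
    # unquoted expansion would also glob, turning an Action of "*" into the
    # file names of the working directory.
    policy_actions=$queried_actions
  fi
}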
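#######################################
# Fetch and inspect every policy collected by get_policy_arns.
# Globals:   policy_arns, policy_count (read); policy_arn (written, shared
#            with the helper functions through global scope); policy_actions
#            (written by get_policy_version_and_actions)
# Outputs:   progress lines on stdout, warnings via check_for_wildcard,
#            fetch failures on stderr
# Returns:   0
#######################################
evaluate_policies() {
  for policy_arn in "${policy_arns[@]}"; do
    # list-policies renders an empty result as the literal "None".
    [[ "$policy_arn" == 'None' ]] && continue
    if ! get_policy_version_and_actions; then
      printf 'Skipping %s: could not fetch its policy document\n' "$policy_arn" >&2
      continue
    fi
    # Quote the action text so an Action of "*" is not expanded against the
    # working directory before it is inspected. The [@] form works whether
    # policy_actions holds a string or an array.
    check_for_wildcard "${policy_actions[@]}"
    echo "Done evaluating $policy_arn"
  done
  echo "Evaluated $policy_count policies"
}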
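#######################################
# Print every policy ARN recorded by check_for_wildcard, one per line.
# Globals:   wildcard_policies, BEGIN_RED, END_RED (read)
# Outputs:   one line per offending policy on stdout; nothing if the list
#            is empty
# Returns:   0
#######################################
print_wildcard_policies() {
  local policy
  # Quoted expansion keeps each ARN as one word and disables globbing.
  for policy in "${wildcard_policies[@]}"; do
    printf "%bPolicy contains '*' in an Action:%b %s\n" \
      "$BEGIN_RED" "$END_RED" "$policy"
  done
}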
#######################################
# Entry point: collect the policy ARNs, inspect each one, then list the
# policies that contain a wildcard Action.
# Globals:   see the three helpers
# Returns:   status of print_wildcard_policies
#######################################
main() {
  get_policy_arns
  evaluate_policies
  print_wildcard_policies
}
# Run the script; main takes no options, so the arguments are passed through unused.
main "$@"