wes-novack · June 30, 2020 02:00
diff --git a/evaluate_iam_policy_actions_for_wildcard.sh b/evaluate_iam_policy_actions_for_wildcard.sh
 #!/bin/bash
 BEGIN_RED='\e[31m'
 END_RED='\e[0m'
 wildcard_policies=()

 function get_policy_arns () {
        policy_arns=($(aws iam list-policies --query Policies[].Arn --scope Local --output text))
        policy_count=${#policy_arns[@]}
        echo "$policy_count customer managed policies found."
 }

 function check_for_wildcard () {
        actions=$1
        for action in $actions; do
                if [[ $action =~ "*" ]]; then
                        echo -e "${BEGIN_RED}WARNING: Policy $policy_arn contains a '*' in the Action ${action}${END_RED}"
                        wildcard_policies+=($policy_arn)
                fi
        done
 }

 function get_policy_version_and_actions () {
        policy_version=$(aws iam get-policy --policy-arn "$policy_arn" --query Policy.DefaultVersionId --output text)
        queried_actions=$(aws iam get-policy-version --policy-arn "$policy_arn"  --version-id $policy_version \
        --query PolicyVersion.Document.Statement.Action --output text)
        if [ $queried_actions == 'None' ]; then
                policy_actions=$(aws iam get-policy-version --policy-arn "$policy_arn"  --version-id $policy_version \
                --query PolicyVersion.Document.Statement[].Action --output text)
        else
                policy_actions=($queried_actions)
        fi
 }

 function evaluate_policies () {
        for policy_arn in ${policy_arns[@]}; do
                if [ "$policy_arn" != "None" ]; then
                        get_policy_version_and_actions
                        check_for_wildcard $policy_actions
                        echo "Done evaluating $policy_arn"
                fi
        done
        echo "Evaluated $policy_count policies"
 }

 function print_wildcard_policies () {
        for policy in ${wildcard_policies[@]}; do
                echo -e "${BEGIN_RED}Policy contains '*' in an Action:${END_RED} $policy"
        done
 }

 function main () {
        get_policy_arns
        evaluate_policies
        print_wildcard_policies
 }

 main
	#!/bin/bash
	BEGIN_RED='\e[31m'
	END_RED='\e[0m'
	wildcard_policies=()

	function get_policy_arns () {
	policy_arns=($(aws iam list-policies --query Policies[].Arn --scope Local --output text))
	policy_count=${#policy_arns[@]}
	echo "$policy_count customer managed policies found."
	}

	function check_for_wildcard () {
	actions=$1
	for action in $actions; do
	if [[ $action =~ "*" ]]; then
	echo -e "${BEGIN_RED}WARNING: Policy $policy_arn contains a '*' in the Action ${action}${END_RED}"
	wildcard_policies+=($policy_arn)
	fi
	done
	}

	function get_policy_version_and_actions () {
	policy_version=$(aws iam get-policy --policy-arn "$policy_arn" --query Policy.DefaultVersionId --output text)
	queried_actions=$(aws iam get-policy-version --policy-arn "$policy_arn" --version-id $policy_version \
	--query PolicyVersion.Document.Statement.Action --output text)
	if [ $queried_actions == 'None' ]; then
	policy_actions=$(aws iam get-policy-version --policy-arn "$policy_arn" --version-id $policy_version \
	--query PolicyVersion.Document.Statement[].Action --output text)
	else
	policy_actions=($queried_actions)
	fi
	}

	function evaluate_policies () {
	for policy_arn in ${policy_arns[@]}; do
	if [ "$policy_arn" != "None" ]; then
	get_policy_version_and_actions
	check_for_wildcard $policy_actions
	echo "Done evaluating $policy_arn"
	fi
	done
	echo "Evaluated $policy_count policies"
	}

	function print_wildcard_policies () {
	for policy in ${wildcard_policies[@]}; do
	echo -e "${BEGIN_RED}Policy contains '*' in an Action:${END_RED} $policy"
	done
	}

	function main () {
	get_policy_arns
	evaluate_policies
	print_wildcard_policies
	}

	main