Generally, I prefer the CLI option since I don't have to worry "what does the recipient need to do with the results". Just dumping a text file, I needn't worry about being yelled at that the contents of a screen-shot can't be used to easily create another, similar policy. It's also easy to simply redirect the output to a file and attach it to whatever media I'm responding to ...or, if mail is enabled within the CLI environment, simply pipe the output directly to a CLI-based email tool and save a step in the process (laziness for the win!).
But, how to go from "there's an instance in this account: what privileges does it have" to "here's what it can do?" Basically, it's a four-step process:
- Get the name of the Instance Role attached to the EC2 instance. This can be done with a method similar to:
$ aws ec2 describe-instances --instance-id <INSTANCE_ID> \ --query 'Reservations[].Instances[].IamInstanceProfile[].Arn[]' --out text | \ sed 's/^.*arn:.*profile\///' $ aws iam get-instance-profile --instance-profile-name <OUPUT_FROM_PREVIOUS> \ --query 'InstanceProfile.Roles[].RoleName' --out text
- Get list of policies attached to role. This can be done with a method similar to:
aws iam list-attached-role-policies --role-name <OUPUT_FROM_PREVIOUS> \ --query 'AttachedPolicies[].PolicyArn[]' --out text
- Find current version of attached policy/policies. Thi can be done with a method similar to:
aws iam get-policy --policy-arn <OUPUT_FROM_PREVIOUS> \ --query 'Policy.DefaultVersionId' --out text
- Get contents of attached policy/policies active version. This can be done – using the outputs from steps #2 and #3 – with a method similar to:
aws iam get-policy-version --policy-arn <OUPUT_FROM_STEP_2> \ --version-id <OUPUT_FROM_STEP_3>
- If the inline policy was the only policy attached to the role, the output will show all of the permissions the instance role grants any EC2s it is attached to.
- If the inline policy was the not the only inline policy attached to the role, it will be necessary to iterate over the remaining policies attached to the role to get the aggregated permission-set.
#!/bin/bash # # Script to dump out all permissions granted through an IAM role with multiple # managed IAM policies attached. ########################################################################### if [[ $# -eq 0 ]] then echo "Usage: ${0} <instance-id>" >&2 exit 1 fi PROFILE_NAME="$( aws ec2 describe-instances --instance-id "${1}" \ --query 'Reservations[].Instances[].IamInstanceProfile[].Arn[]' \ --out text | sed 's/^.*arn:.*profile\///' )" ROLE_NAME="$( aws iam get-instance-profile \ --instance-profile-name "${PROFILE_NAME}" \ --query 'InstanceProfile.Roles[].RoleName' \ --out text | sed 's/^.*arn:.*profile\///' )" ATTACHED_POLICIES=($( aws iam list-attached-role-policies \ --role-name "${ROLE_NAME}" --query 'AttachedPolicies[].PolicyArn[]' | \ jq .[] | sed 's/"//g' )) for ITER in $( seq 0 $(( ${#ATTACHED_POLICIES[@]} - 1 )) ) do POLICY_VERSION=$( aws iam get-policy --policy-arn \ ${ATTACHED_POLICIES[${ITER}]} --query \ 'Policy.DefaultVersionId' --out text ) aws iam get-policy-version --policy-arn ${ATTACHED_POLICIES[${ITER}]} \ --version-id "${POLICY_VERSION}" done
No comments:
Post a Comment