Get IAM roles, policies and users - AWS CLI

Posted: March 9, 2018 in Amazon Web Services (AWS), Scripts

In this post we'll generate IAM reports using the AWS CLI.

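 # IAM inventory report - AWS CLI + jq.
# For users, groups, user/group/role policy attachments and role trust
# (who may assume each role): snapshot the previous report as *_old.csv,
# rebuild IAM_REPORT_*.csv, write what changed since the last run to
# *_changes.txt, then zip the reports plus any non-empty change file and
# mail the archive.  Requires aws (read access to IAM), jq, zip, mail.
set -euo pipefail   # a failed aws/jq call must not go out as an "empty" report

report_dir=/media/IAM_REPORT
report_tag=IAM_REPORT
mail_from=rundeck@company.com
mail_to=user@company.com

#######################################
# Publish one report and record the difference to the previous run.
# Globals:   report_dir, report_tag (read)
# Arguments: $1 - report name (users, groups, users_policies, ...)
#            $2 - CSV header line
#            $3 - file holding the CSV body rows
# Outputs:   ${report_dir}/${report_tag}_$1.csv      (new report)
#            ${report_dir}/${report_tag}_$1_old.csv  (previous report)
#            ${report_dir}/${report_tag}_$1_changes.txt
#              rows added since the last run prefixed "+ ", rows gone "- "
#######################################
publish_report() {
  local name=$1 header=$2 body=$3
  local new="${report_dir}/${report_tag}_${name}.csv"
  local old="${report_dir}/${report_tag}_${name}_old.csv"
  local changes="${report_dir}/${report_tag}_${name}_changes.txt"

  # First run: there is no previous report, so diff against an empty
  # snapshot (every current row is then reported as new).
  if [[ -f "$new" ]]; then
    cp -f -- "$new" "$old"
  else
    : > "$old"
  fi
  { printf '%s\n' "$header"; cat -- "$body"; } > "$new"
  # comm needs both inputs sorted under the same collation; C is
  # byte-wise and reproducible.  (The earlier version compared the new
  # report against the changes file itself, so *_old.csv was never used
  # and the comparison went to stdout instead of the changes file.)
  {
    LC_ALL=C comm -23 <(LC_ALL=C sort -- "$new") <(LC_ALL=C sort -- "$old") | sed 's/^/+ /'
    LC_ALL=C comm -13 <(LC_ALL=C sort -- "$new") <(LC_ALL=C sort -- "$old") | sed 's/^/- /'
  } > "$changes"
}

#get IAM Users ------------------------------------------------------
users_json="${report_dir}/users.json"
aws iam list-users > "$users_json"
jq -r '.Users[] | [.UserName] | @csv' "$users_json" > "${report_dir}/users.csv"
publish_report users "Users" "${report_dir}/users.csv"

#get IAM Groups -----------------------------------------------------
groups_json="${report_dir}/groups.json"
aws iam list-groups > "$groups_json"
jq -r '.Groups[] | [.GroupName] | @csv' "$groups_json" > "${report_dir}/groups.csv"
publish_report groups "Groups" "${report_dir}/groups.csv"

# The remaining reports are cut from one dump of the account's
# authorization details (users, groups and roles with their attached
# managed policies, inline policies and role trust policies).
auth_json="${report_dir}/output.json"
aws iam get-account-authorization-details > "$auth_json"

#Get users with associated policies ---------------------------------
# Only attached managed policies are listed; inline policies
# (UserPolicyList) and policies inherited through group membership are
# not part of this report.
jq -r '.UserDetailList[] | .UserName as $u | .AttachedManagedPolicies[] | [$u, .PolicyName] | @csv' \
  "$auth_json" > "${report_dir}/userpolicies.csv"
publish_report users_policies "Users,Policy" "${report_dir}/userpolicies.csv"

#Get Groups with associated policies --------------------------------
jq -r '.GroupDetailList[] | .GroupName as $g | .AttachedManagedPolicies[] | [$g, .PolicyName] | @csv' \
  "$auth_json" > "${report_dir}/grouppolicies.csv"
publish_report group_policies "Groups,Policies" "${report_dir}/grouppolicies.csv"

#Roles assigned to policies -----------------------------------------
# A role without an attached managed policy simply produces no row, so
# no separate select() on the policy count is needed.
jq -r '.RoleDetailList[] | .RoleName as $r | .AttachedManagedPolicies[] | [$r, .PolicyName] | @csv' \
  "$auth_json" > "${report_dir}/rolepolicy.csv"
publish_report role_policies "Role,Policy" "${report_dir}/rolepolicy.csv"

#Get IAM roles for group/user ---------------------------------------
# One row per role: name; its inline policies followed by its attached
# managed policies (the latter joined with "--", shown as an en dash in
# the published listing); then one column per trust-policy statement
# naming the Federated/Service/AWS principals that may assume the role.
# Principal entries may be a string or an array, and the whole Principal
# may be the bare string "*" (anyone) - the earlier filter indexed "*"
# as an object and aborted on exactly those roles, which are the ones a
# reviewer most wants to see.  Every role is listed (each role has a
# trust policy), so nothing is filtered out up front.
jq -r '
  def as_list: if . == null then [] elif type == "array" then . else [.] end;
  def principals:
    .Principal
    | if type == "object" then [ (.Federated, .Service, .AWS) | as_list | .[] ]
      else as_list end
    | join("--");
  .RoleDetailList[]
  | [ .RoleName,
      ([ .RolePolicyList[].PolicyName,
         ([ .AttachedManagedPolicies[].PolicyName ] | join("--")) ] | join(" ")),
      ((.AssumeRolePolicyDocument.Statement | as_list | .[]) | principals) ]
  | @csv' "$auth_json" > "${report_dir}/roleassign.csv"
# Changes file was previously misspelled *_role_assignemnt_changes.txt.
publish_report role_assignment "Role,Policy,User/Group/Service" "${report_dir}/roleassign.csv"

#zip files ----------------------------------------------------------
# Build the archive in a fresh private directory: zip(1) *adds to* an
# existing archive, so a fixed /tmp/IAM_REPORT.zip kept stale entries
# across runs, and a predictable name in the shared /tmp can be read or
# pre-created by other local users.
work_dir=$(mktemp -d)
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT
archive="${work_dir}/${report_tag}.zip"
# Non-empty change files are fed in by name on stdin (-@), reports by argument.
find "$report_dir" -maxdepth 1 -name '*.txt' -size +0 -print \
  | zip "$archive" -@ \
      "${report_dir}/${report_tag}_role_policies.csv" \
      "${report_dir}/${report_tag}_group_policies.csv" \
      "${report_dir}/${report_tag}_groups.csv" \
      "${report_dir}/${report_tag}_users.csv" \
      "${report_dir}/${report_tag}_users_policies.csv" \
      "${report_dir}/${report_tag}_role_assignment.csv"

#send email ---------------------------------------------------------
# -a is "attach file" for BSD/heirloom mailx; GNU mailutils' mail uses -a
# for an extra header instead, so check which mail(1) is installed.
printf '%s\n' "IAM Reports-IAM_REPORT" \
  | mail -r "$mail_from" -s "AWS IAM reports " -a "$archive" "$mail_to"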

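########This section creates HTML mail and sends report as message body
# Disabled alternative delivery (kept for reference; nothing below runs):
# render each CSV report to an HTML table with pandas, turn the change
# files into a list, and pipe the "mailheader" file plus the HTML pieces
# to sendmail.  Before re-enabling: the HTML tags inside the echo strings
# were lost when the script was published and have to be restored; the
# "sed -i ... > changes.txt" line truncates the file (drop the
# redirection); the Python blocks need pandas installed.  Every line of
# this section is commented so that stray fragments cannot execute or
# overwrite the report files, and the closing "fi" no longer sits outside
# its "if".

#prepare HTML

#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#import pandas as pd
#import sys
#import json
#sys.stdout = open('/media/IAM_REPORT/group_policy.html','wt')

#df = pd.read_csv('/media//IAM_REPORT/IAM_REPORT_group_policies.csv')
#pd.set_option('display.max_colwidth', -1)
#pd.DataFrame({'a': [1, 2]}).to_html()
#print(df.to_html(index=False))
#END

#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#import pandas as pd
#import sys
#import json
#sys.stdout = open('/media/IAM_REPORT/groups.html','wt')

#df = pd.read_csv('/media/IAM_REPORT/IAM_REPORT_groups.csv')
#pd.set_option('display.max_colwidth', -1)
#pd.DataFrame({'a': [1, 2]}).to_html()
#print(df.to_html(index=False))
#END

#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#import pandas as pd
#import sys
#import json
#sys.stdout = open('/media/IAM_REPORT/roles_assign.html','wt')

#df = pd.read_csv('/media/IAM_REPORT/IAM_REPORT_role_assignment.csv')
#pd.set_option('display.max_colwidth', -1)
#pd.DataFrame({'a': [1, 2]}).to_html()

#print(df.to_html(index=False))

#END

#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#import pandas as pd
#import sys
#import json
#sys.stdout = open('/media/IAM_REPORT/roles.html','wt')

#df = pd.read_csv('/media/IAM_REPORT/IAM_REPORT_role_policies.csv')
#pd.set_option('display.max_colwidth', -1)
#pd.DataFrame({'a': [1, 2]}).to_html()

#print(df.to_html(index=False))

#END
#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#import pandas as pd
#import sys
#import json
#sys.stdout = open('/media/IAM_REPORT/user_policy.html','wt')

#df = pd.read_csv('/media/IAM_REPORT/IAM_REPORT_users_policies.csv')
#pd.set_option('display.max_colwidth', -1)
#pd.DataFrame({'a': [1, 2]}).to_html()

#print(df.to_html(index=False))

#END

#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#import pandas as pd
#import sys
#import json
#sys.stdout = open('/media/IAM_REPORT/users.html','wt')

#df = pd.read_csv('/media/IAM_REPORT/IAM_REPORT_users.csv')
#pd.set_option('display.max_colwidth', -1)
#pd.DataFrame({'a': [1, 2]}).to_html()
#print(df.to_html(index=False))
#END

#Add labels to html files (the markup between the lines was lost in
#the published listing; each echo was one command)-------------------

#echo -e "
#\n\t
#IAM Groups
#
#\n\t
#\n$(cat /media/IAM_REPORT/groups.html)" > /media/IAM_REPORT/groups.html

#echo -e "
#\n\t
#IAM Group Policies
#
#\n\t
#\n$(cat /media/IAM_REPORT/group_policy.html)" > /media/IAM_REPORT/group_policy.html

#echo -e "
#\n\t
#IAM Roles Assignment
#
#\n\t
#\n$(cat /media/IAM_REPORT/roles_assign.html)" > /media/IAM_REPORT/roles_assign.html

#echo -e "
#\n\t
#IAM Roles
#
#\n\t
#\n$(cat /media/IAM_REPORT/roles.html)" > /media/IAM_REPORT/roles.html

#echo -e "
#\n\t
#IAM User Policies
#
#\n\t
#\n$(cat /media/IAM_REPORT/user_policy.html)" > /media/IAM_REPORT/user_policy.html

#echo -e "
#\n\t
#IAM Users
#
#\n\t
#\n$(cat /media/IAM_REPORT/users.html)" > /media/IAM_REPORT/users.html

#Find changes in files (if any)--------------------------------------

#find /media/IAM_REPORT/*.txt -maxdepth 1 -size +0 -print -exec cat {} \; > /media/IAM_REPORT/changes.txt

#if [ -s /media/IAM_REPORT/changes.txt ]
#then
#sed -i 's%^\/media/IAM_REPORT/%%;s/\.txt$//' /media/IAM_REPORT/changes.txt>/media/IAM_REPORT/changes.txt
#PYTHON_ARG="$1" python - <<END
#!/usr/bin/python

#contents = open("/media/IAM_REPORT/changes.txt","r")
#with open("/media/IAM_REPORT/changes.html", "w") as e:
#for lines in contents.readlines():
#e.write("
#
#" + lines + "
#
#\n")
#END

#echo -e "
#\n\t
#Changes
#
#\n\t
#\n$(cat /media/IAM_REPORT/changes.html)" > /media/IAM_REPORT/changes.html

#cat /media/IAM_REPORT/mailheader /media/IAM_REPORT/changes.html /media/IAM_REPORT/users.html /media/IAM_REPORT/user_policy.html /media/IAM_REPORT/groups.html /media/IAM_REPORT/group_policy.html /media/IAM_REPORT/roles.html /media/IAM_REPORT/roles_assign.html | sendmail -t

#else
#cat /media/IAM_REPORT/mailheader /media/IAM_REPORT/no_changes.html /media/IAM_REPORT/users.html /media/IAM_REPORT/user_policy.html /media/IAM_REPORT/groups.html /media/IAM_REPORT/group_policy.html /media/IAM_REPORT/roles.html /media/IAM_REPORT/roles_assign.html | sendmail -t
#fi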

Content of the mailheader file:

To: user@company.com
From: someuser@example.com
Subject: AWS IAM Reports
Content-Type: text/html
