far*_*332 4 amazon-web-services aws-cli
我运行这个命令:aws iam list-users,我得到一个用户列表,但没有列出权限(意味着如果有人是 root,或者 s3fullaccess 等等)。
我运行另一个命令:aws iam list-user-policies --user-name xxxxx,我得到以下结果为空:
{
"PolicyNames": []
}
我需要哪个命令或什么命令组合来显示所有用户及其各自的权限?,谢谢。
Dan*_*one 10
受这篇文章的启发,我写了这篇文章来捕获用户的权限,然后再清除它们,以防以后需要恢复:
function _getUserIamPermissions() {
export AWS_PAGER="";
local _user="${1}";
local outputManagedPolicies="";
local outputUserPolicies="";
local outputManagedGroupPolicies="";
local outputGroupPolicies="";
# Managed Policies Attached to the IAM User
local _managedpolicies=$(aws iam list-attached-user-policies --user-name "${_user}" | jq -r '.AttachedPolicies[].PolicyArn';);
for policy in ${_managedpolicies}; do
local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
outputManagedPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}";);
printf "%s" "${outputManagedPolicies}";
done;
# Inline Policies on the IAM User
local _userpolicies=$(aws iam list-user-policies --user-name "${_user}" | jq -r '.PolicyNames[]';);
for policy in ${_userpolicies}; do
outputUserPolicies=$(aws iam get-user-policy --user-name "${_user}" --policy-name "${policy}";);
printf "%s" "${outputUserPolicies}";
done;
# Get all of the IAM User's assigned IAM Groups
local _groups=$(aws iam list-groups-for-user --user-name "${_user}" | jq -r '.Groups[].GroupName';);
for group in ${_groups}; do
# Managed Policies Attached to the IAM Group
local _managedgrouppolicies=$(aws iam list-attached-group-policies --group-name "${group}" | jq -r '.AttachedPolicies[].PolicyArn';);
for policy in ${_managedgrouppolicies}; do
local versionId=$(aws iam get-policy --policy-arn "${policy}" | jq -r '.Policy.DefaultVersionId';);
outputManagedGroupPolicies=$(aws iam get-policy-version --policy-arn "${policy}" --version-id "${versionId}" | jq --arg arn "${policy}" '{"PolicyArn": $arn, "Policy": .}';);
printf "%s" "${outputManagedGroupPolicies}";
done;
# Inline Policies on the IAM Group
local _grouppolicies=$(aws iam list-group-policies --group-name "${group}" | jq -r '.PolicyNames[]';);
for policy in ${_grouppolicies}; do
outputGroupPolicies=$(aws iam get-group-policy --group-name "${group}" --policy-name "${policy}";);
printf "%s" "${outputGroupPolicies}";
done;
done;
}
function getUserIamPermissions() {
local username="${1}";
_getUserIamPermissions "${username}" | jq -s;
}
根据此处找到的信息进行更新:# https://www.badllama.com/content/using-aws-cli-check-user-permissions
用法:使用它的最快方法以及我使用它的方式是通过 AWS CloudShell。我打开 CloudShell 终端,将其粘贴进去,然后运行:
getUserIamPermissions <username>
输出是一个 JSON 数组,其中包含所有用户的:
该命令仅列出用户的内联策略,您还需要获取附加到 IAM 用户的托管策略列表。然后,您还需要获取用户所属组的列表,并列出附加到每个组的内联策略和托管策略。
因此,您需要从 CLI 执行以下操作:
aws iam list-user-policies
aws iam list-attached-user-policies
aws iam list-groups-for-user
# For each group:
aws iam list-group-policies
aws iam list-attached-group-policies
我强烈建议在 Python 和 Boto3 中做这样的事情,而不是使用 AWS CLI 工具。
| 归档时间: |
|
| 查看次数: |
2595 次 |
| 最近记录: |