hoangquochung1110 / public-notes


How to debug permissions of a certain IAM user against a particular service in AWS #1

Open hoangquochung1110 opened 3 months ago

hoangquochung1110 commented 3 months ago

Set username

USER_NAME="hungadmin"

Retrieve ARN of the IAM user

ARN=$(aws iam get-user --user-name "$USER_NAME" | jq -r '.User.Arn')
echo "$ARN"
hoangquochung1110 commented 3 months ago
1. Using aws iam simulate-principal-policy

ACTION_NAMES="geo-places:*"
aws iam simulate-principal-policy \
  --policy-source-arn "${ARN}" \
  --action-names "${ACTION_NAMES}" \
  --policy-input-list '[]'
hoangquochung1110 commented 3 months ago

2. List all policies attached to the user

aws iam list-attached-user-policies --user-name "$USER_NAME"
hoangquochung1110 commented 3 months ago
3. Investigate group inline policies

Retrieve the group(s) $USER_NAME is assigned to

GROUPS=$(aws iam list-groups-for-user --user-name "$USER_NAME" | jq -r '.Groups[].GroupName')
echo "$GROUPS"

View inline policies

# A user can belong to several groups and a group can hold several inline
# policies, so loop over both; jq needs -r or the name keeps its quotes.
for GROUP in $GROUPS; do
  for POLICY in $(aws iam list-group-policies --group-name "$GROUP" | jq -r '.PolicyNames[]'); do
    aws iam get-group-policy --group-name "$GROUP" --policy-name "$POLICY"
  done
done

View managed policies

# get-policy only returns metadata; the statements live in the default
# policy version, fetched with get-policy-version.
for GROUP in $GROUPS; do
  for POLICY_ARN in $(aws iam list-attached-group-policies --group-name "$GROUP" | jq -r '.AttachedPolicies[].PolicyArn'); do
    VERSION=$(aws iam get-policy --policy-arn "$POLICY_ARN" | jq -r '.Policy.DefaultVersionId')
    aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id "$VERSION"
  done
done
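The three steps above produce two kinds of output to reason about: the JSON that `simulate-principal-policy` returns, and the policy documents gathered from the user and its groups. The following Python is an added example (not part of these notes, and not an AWS tool) that triages both offline: it summarizes the simulation result per action, and it runs a deliberately simplified local evaluation (explicit Deny wins, then any Allow, otherwise implicit deny; Conditions, NotAction/NotResource, permissions boundaries, SCPs and resource policies are ignored) over the collected identity policies so you can see which gathered policy is responsible for a decision. The simulation JSON and policy documents below are constructed samples; only the field names (EvaluationResults, EvalActionName, EvalDecision, MatchedStatements, SourcePolicyId) are the real API's.

```python
"""Offline triage for IAM permission debugging (added example, not AWS's code).

Assumes the simulation output was saved with
  aws iam simulate-principal-policy ... > sim.json
and the policy documents were collected with the list/get commands above.
"""
import fnmatch
import json

# Constructed sample in the shape `aws iam simulate-principal-policy` returns.
SAMPLE_SIMULATION = json.dumps({
    "EvaluationResults": [
        {"EvalActionName": "geo-places:SearchText",
         "EvalDecision": "allowed",
         "MatchedStatements": [{"SourcePolicyId": "GeoPlacesReadOnly",
                                "SourcePolicyType": "IAM Policy"}]},
        {"EvalActionName": "geo-places:Geocode",
         "EvalDecision": "implicitDeny",
         "MatchedStatements": []},
        {"EvalActionName": "s3:DeleteBucket",
         "EvalDecision": "explicitDeny",
         "MatchedStatements": [{"SourcePolicyId": "DenyDestructiveS3",
                                "SourcePolicyType": "IAM Policy"}]},
    ]
})

# Constructed policy documents, keyed by where they were found (hypothetical names).
SAMPLE_POLICIES = {
    "GeoPlacesReadOnly (managed, via group)": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["geo-places:Search*", "geo-places:GetPlace"],
                       "Resource": "*"}]},
    "DenyDestructiveS3 (inline, group)": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}},
    "S3Admin (attached to user)": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*",
                       "Resource": "arn:aws:s3:::example-bucket*"}]},
}


def summarize_simulation(raw_json):
    """Map each simulated action to its decision and the policies that matched.

    implicitDeny with no matched statements means no policy mentions the
    action at all (look at what the user/group policies actually grant);
    explicitDeny names the policy that must be relaxed.
    """
    summary = {}
    for result in json.loads(raw_json)["EvaluationResults"]:
        summary[result["EvalActionName"]] = {
            "decision": result["EvalDecision"],
            "matched": [m["SourcePolicyId"] for m in result.get("MatchedStatements", [])],
        }
    return summary


def _as_list(value):
    # Statement, Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs are not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate_locally(policy_documents, action, resource):
    """Simplified identity-policy evaluation: explicit Deny > Allow > implicit deny.

    Returns (decision, [names of policies whose statements matched]).
    Conditions, NotAction/NotResource, boundaries and SCPs are not modelled,
    which is why simulate-principal-policy remains the authoritative check.
    """
    decision = "implicitDeny"
    matched = []
    for name, document in policy_documents.items():
        for stmt in _as_list(document["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are skipped here
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            matched.append(name)
            if stmt["Effect"] == "Deny":
                decision = "explicitDeny"
            elif decision != "explicitDeny":
                decision = "allowed"
    return decision, matched


if __name__ == "__main__":
    for act, info in summarize_simulation(SAMPLE_SIMULATION).items():
        print(f"{act:28} {info['decision']:13} matched={info['matched']}")
    print(evaluate_locally(SAMPLE_POLICIES, "s3:DeleteBucket", "arn:aws:s3:::example-bucket"))
```

Run it as-is to see the constructed samples triaged; in practice replace `SAMPLE_SIMULATION` with the contents of `sim.json` and build `SAMPLE_POLICIES` from the `get-group-policy` / `get-policy-version` output. When the local result and the simulator disagree, the difference is almost always one of the features the local evaluator ignores (a Condition key, a permissions boundary or an SCP), which narrows the investigation.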