aws-access-analyzer-validator

A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.

0.4.0

PyPI

Maintainers: 1

aws-access-analyzer-validator

A tool to validate existing identity and resource policies across regions and supported AWS services with AWS IAM Access Analyzer.

This tool

discovers resource and identity policies attached to resources of supported AWS services (see below) in all commercial regions
validates these policies with AWS IAM Access Analyzer ValidatePolicy API
generates a report with Access Analyzer findings

See examples/sample_report.md for an example.

Usage

Install from PyPI (Python 3.8+ required):

pip install aws-access-analyzer-validator

Execute the tool:

aws-access-analyzer-validator -o report.md

Open report.md to see analysis results.

Arguments

aws-access-analyzer-validator supports the following arguments:

--regions - A comma separated list of regions to limit policy validation to. For example, --regions eu-west-1,eu-north-1 limits validation to policies in eu-west-1 and eu-north-1 regions. Global resources (IAM, S3) are scanned regardless of region limitations.

Supported Services / Resources

aws-access-analyzer-validator validates policies from the following services:

AWS Identity and Access Management (IAM)
- Inline policies of IAM users
- Inline policies of IAM groups
- Inline policies and trust policy of IAM roles
- Managed IAM Policies (customer managed)
Amazon S3 bucket policies
Amazon SQS queue policies
Amazon SNS topic policies
Amazon Elastic Container Registry (ECR) repository policies

Required Permissions

This tool requires the following permissions to operate:

accessanalyzer:ValidatePolicy
ecr:DescribeRepositories
ecr:GetRepositoryPolicy
iam:GetAccountAuthorizationDetails
s3:GetBucketPolicy
s3:ListAllMyBuckets
sns:GetTopicAttributes
sns:ListTopics
sqs:GetQueueAttributes
sqs:ListQueues

Here's an IAM policy that grants the required privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsForAAValidator",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ValidatePolicy",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "iam:GetAccountAuthorizationDetails",
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "sns:GetTopicAttributes",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

Development

Requires Python 3.8+ and Poetry. Useful commands:

# Setup environment
poetry install

# Run integration tests (requires admin-level AWS credentials)
make test

# Run linters
make -k lint

# Format code
make format

# Deploy test resources (requires AWS CLI and admin level AWS credentials)
make deploy-test-resources

# Delete test resources
make delete-test-resources

Credits

Inspired by z0ph/aa-policy-validator.

License

MIT.

FAQs

What is aws-access-analyzer-validator?

Is aws-access-analyzer-validator well maintained?

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install