'How do I get all users that can perform certain AWS actions (e.g. iam-CreateAccessKey, ec2-AssociateIamInstanceProfile)?
Is this possible? If not, maybe I can do it the other way around like getting the AWS actions per user?
I tried the below command but this doesn't have any action info. :(
for user in $(aws iam list-users | jq -r '.Users[].UserName'); do echo '{ "Username": "'$user'", "Info": ['; aws iam list-user-policies --user-name $user; echo ','; aws iam list-groups-for-user --user-name $user; echo ','; aws iam list-attached-user-policies --user-name $user; echo '] },'; done > users.json
amazon-web-servicesSolution 1:[1]
Unfortunately, it isn't that simple.
The closest option is to Test IAM policies with the IAM policy simulator - AWS Identity and Access Management. You can ask it whether a particular user can perform a given Action with particular parameters.
Otherwise, all you can do is parse the policies yourself and try to figure out what they can do.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | John Rotenstein |