'Is there any way to list out all permissions and on which resources an IAM user have access?

I am asked to list all users accesses in my company's aws account. Is there any way that I can list out the resources and respective permissions a user has? I feel it is difficult to get the details by looking into both IAM polices as well as Resource based policies. And it is much difficult if the user has cross account access.

amazon-iam


Solution 1:[1]

There is no single command that you can list all the permission. if you are interested to use some tool then you can try a tool for quickly evaluating IAM permissions in AWS.

You can try this script as well, As listing permission with single command is not possible you can check with a combination of multiple commands.

#!/bin/bash
username=ahsan

echo "**********************"
echo "user info"
aws iam get-user --user-name $username
echo "***********************"
echo ""

# if [ $1=="test" ]; then
# all_users=$(aws iam list-users --output text | cut -f 6)
# echo "users in account are $all_users"
# fi

echo "get user groups"
echo "***********************************************"
Groups=$(aws iam list-groups-for-user --user-name ahsan --output text | awk '{print $5}')
echo "user $username belong to $Groups"
echo "***********************************************"

echo "listing policies in group"
for Group in $Groups
do  
    echo ""
    echo "***********************************************"
    echo "list attached policies with group $Group"
    aws iam list-attached-group-policies --group-name $Group --output table
    echo "***********************************************"
    echo ""

done

echo "list attached policies"
aws iam list-attached-user-policies --user-name $username --output table

echo "-------- Inline Policies --------"
for Group in $Groups
do
    aws iam list-group-policies --group-name $Group --output table
done
aws iam list-user-policies --user-name $username --output table

Solution 2:[2]

Kindly run below one liner bash script regarding to list all users with their policies, groups,attached polices.

aws iam list-users |grep -i username > list_users ; cat list_users |awk '{print $NF}' |tr '\"' ' ' |tr '\,' ' '|while read user; do echo "\n\n--------------Getting information for user $user-----------\n\n" ; aws iam list-user-policies --user-name $user --output yaml; aws iam list-groups-for-user  --user-name $user --output yaml;aws iam  list-attached-user-policies --user-name $user --output yaml ;done ;echo;echo

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Adiii
Solution 2 linux.cnf

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function