Skip to content

Public repo containing a credential reporting script used to display IAM user metrics for access control purposes. Outputs a .csv file.

License

Notifications You must be signed in to change notification settings

dynamic-stall/aws-iam-credential-report

Repository files navigation

AWS IAM (Identity & Access Management) Credential Reporting Script


BLUF: This repo contains a script used to pull IAM user metrics from an AWS account and output it as a .csv file. The script first performs an IAM Credential Report for username, password, and access key data (PW/key age, console/programmatic access, service last used, etc.), then pulls in group policy and attached user policy information per user. The user data is organized and cleaned using Bash and Python commands, respectively.


You can modify this for your account/organization needs, as well as add the --profile option if the AWS account in question is segmented as such.


NOTE: My Python is quite basic. Obviously, feel free to modify this script to suit your own data cleansing workflow. The most important parts are the AWS commands; y'all can do what you want from there!


NOTE II: Speaking of Python, take some time to read through the data cleansing section, particularly line 38. Some of the columns I dropped may be useful for your needs; just delete them from the purge, if that is the case.


In previous roles I've worked, I always pushed this to an S3 bucket for centralized access and back-up purposes. This part of the script (at the bottom) is commented out. Modify that part per your S3 bucket name or get rid of it if you have a different workflow.


I've included a sample output report using dummy IAM users in my personal AWS account for y'all to see the final product. I HIGHLY recommend opening this in Excel (or Google Sheets) for formatting and presentation (obvi, be sure to save as a .xlsx file).


Requirements

  • AWS CLI (refer to this link for install instructions)

    • If you aren't familiar with the aws configure process, refer to the following
  • Miniconda (3.x) or Python3 (install script is included in this repo; it should install the latest ver. of Miniconda3 based on your OS)

  • Some kind of Linux distro (ideally, a RH-based distro or Amazon Linux); WSL works...


Instructions

  1. Install Miniconda by running the install script. If Miniconda (or Python) is already installed, be sure to modify line 31 of credential-report.sh to point to your installation:
./install-miniconda3.sh
  • (NOTE: If you have trouble with the install script due to your machine type (i.e., janky OS install on a Raspberry Pi, etc.), I recommend consulting the official documentation.
  1. (Optional, but recommended) Create a virtual conda environment to avoid potential conflicts with other Python packages you may work with in the future:
conda create -n iam_report python=3.12
conda activate iam_report
  1. Install Pandas and Numpy Python libraries (if not already present), which the script requires for data cleansing:
pip install pandas numpy
  1. Run the credential-report.sh script:
./credential-report.sh
  1. Wait 120 seconds (update part of line 7 to read 300s or larger depending on the size of your organization / AWS account; Wait time is used for the IAM Credential Report to complete before the rest of the script runs), then wait for the rest of the script to complete (the script will tell you which step is processing via echo commands).

About

Public repo containing a credential reporting script used to display IAM user metrics for access control purposes. Outputs a .csv file.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages