A tool for enforcing the principle of least privilege for IAM roles.
- AWS CLI and an AWS credentials file set up
- Node.js
- Find a user or role name to create a policy for. You can browse the most recent events in the CloudTrail console. (The second half of the "principalId" also works as a username.)
- Run the script:
AWS_REGION=<us-east-1> AWS_PROFILE=<aws-profile-name> ROLE_NAME=<role-name> npm start
(Replace the items in the angle brackets with the relevant values.)
- Examine policy.json
This is a rough first attempt at constructing a policy from the access patterns of a role or user. There are some key limitations:
- It doesn't pull all events from CloudTrail, just the most recent. This may mean key actions are not included in the policy.
- The approach to constructing the policy is naive – if an ARN can be extracted from the event, it is used as the "resource" for that action. The ARN is also widened to a wildcard ARN to make the policy more flexible, which may be undesirable. In a future iteration it may be worth letting the user choose between:
  - Plain wildcards for every action
  - Partial wildcards
  - A prompt on each ARN
- It doesn't validate the output policy, so some adjustment is almost always necessary. Combined with the previous issue, this means it sometimes emits a resource-level permission for an action that only accepts a wildcard resource.
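To make the construction approach concrete, here is an added example (not the tool's own code) that turns a handful of constructed CloudTrail events into a policy document the way described above: action = service prefix + eventName, resource = the event's ARN widened to a wildcard, and a plain "*" when no ARN can be extracted. The event shapes, role name and account id are constructed sample values, and the "replace everything after the first slash" widening rule is an assumption standing in for whatever the tool actually does.

```javascript
// Added example, not the tool's code. Constructed sample CloudTrail events;
// the assumed-role identity and the account id are made-up values.
const role = { type: "AssumedRole", sessionContext: { sessionIssuer: { userName: "app-role" } } };
const SAMPLE_EVENTS = [
  { userIdentity: role, eventSource: "s3.amazonaws.com", eventName: "GetObject",
    resources: [{ ARN: "arn:aws:s3:::example-bucket/config/app.json" }] },
  { userIdentity: role, eventSource: "s3.amazonaws.com", eventName: "GetObject",
    resources: [{ ARN: "arn:aws:s3:::example-bucket/config/db.json" }] },
  { userIdentity: role, eventSource: "dynamodb.amazonaws.com", eventName: "GetItem",
    resources: [{ ARN: "arn:aws:dynamodb:us-east-1:123456789012:table/Orders" }] },
  { userIdentity: role, eventSource: "sts.amazonaws.com", eventName: "GetCallerIdentity",
    resources: [] },
  { userIdentity: { type: "IAMUser", userName: "other-user" },
    eventSource: "s3.amazonaws.com", eventName: "DeleteObject",
    resources: [{ ARN: "arn:aws:s3:::example-bucket/old.log" }] },
];

// Role name for assumed-role sessions, user name otherwise.
function principalName(evt) {
  const id = evt.userIdentity || {};
  if (id.type === "AssumedRole") return id.sessionContext?.sessionIssuer?.userName;
  return id.userName;
}

// "s3.amazonaws.com" + "GetObject" -> "s3:GetObject".
function toAction(evt) {
  return `${evt.eventSource.split(".")[0]}:${evt.eventName}`;
}

// Assumed naive widening: everything after the first "/" becomes "*".
// This is the flexibility-versus-precision trade-off the README warns about.
function wildcardArn(arn) {
  const i = arn.indexOf("/");
  return i === -1 ? arn : `${arn.slice(0, i + 1)}*`;
}

// One Allow statement per action for the chosen principal; resources deduplicated.
function buildPolicy(events, principal) {
  const byAction = new Map();
  for (const evt of events.filter((e) => principalName(e) === principal)) {
    const arns = (evt.resources || []).map((r) => r.ARN).filter(Boolean);
    const resources = arns.length ? arns.map(wildcardArn) : ["*"]; // no ARN -> plain wildcard
    const set = byAction.get(toAction(evt)) || new Set();
    resources.forEach((r) => set.add(r));
    byAction.set(toAction(evt), set);
  }
  const Statement = [...byAction].map(([Action, res]) =>
    ({ Effect: "Allow", Action, Resource: [...res].sort() }));
  return { Version: "2012-10-17", Statement };
}
console.log(JSON.stringify(buildPolicy(SAMPLE_EVENTS, "app-role"), null, 2));
```

Note that the sts:GetCallerIdentity statement gets "*" because the event carries no ARN, while the two s3:GetObject events collapse into a single bucket-wide wildcard: exactly the kind of output the limitations above say you must review by hand.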