AWS Identity and Access Management (IAM) is a crucial part of managing access to your AWS resources. In this blog post, we’ll explore how to use the Boto3 library in Python to list IAM users and check if they have the ‘AdministratorAccess’ policy attached.
Getting Started
Start by installing the Boto3 library:
pip install boto3

Now, let’s create a straightforward Python script to perform these IAM operations.

import boto3

# ARN of the AWS-managed AdministratorAccess policy. Matching on the ARN rather
# than the name avoids false positives from customer-managed policies that
# happen to reuse the name.
ADMIN_POLICY_ARN = 'arn:aws:iam::aws:policy/AdministratorAccess'


def allows_all_actions(policy_document):
    """Return True if any Allow statement grants Action '*' on Resource '*'."""
    statements = policy_document.get('Statement', [])
    if isinstance(statements, dict):            # IAM accepts a single statement object
        statements = [statements]
    for statement in statements:
        if statement.get('Effect') != 'Allow':
            continue
        actions = statement.get('Action', [])
        resources = statement.get('Resource', [])
        if isinstance(actions, str):            # Action may be a string or a list
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        if '*' in actions and '*' in resources:  # exact match, not a substring test
            return True
    return False


def check_admin_access():
    # Create an IAM client
    client = boto3.client('iam')
    # List IAM users; list_users is paginated, so walk every page
    users = []
    for page in client.get_paginator('list_users').paginate():
        for user_data in page['Users']:
            users.append(user_data['UserName'])
    # Check policies attached directly to each user
    # (policies inherited through group membership are not inspected here)
    for user in users:
        # Check attached managed policies
        policies = client.list_attached_user_policies(UserName=user)
        for attached_policy in policies.get('AttachedPolicies', []):
            if attached_policy['PolicyArn'] == ADMIN_POLICY_ARN:
                print(user, "has AdministratorAccess")
        # Check inline policies
        inline_policies = client.list_user_policies(UserName=user)
        for policy_name in inline_policies.get('PolicyNames', []):
            # get_user_policy returns the decoded policy document as a dict
            policy = client.get_user_policy(UserName=user, PolicyName=policy_name)
            # Check if the inline policy allows all actions on all resources
            if allows_all_actions(policy['PolicyDocument']):
                print(user, "has AdministratorAccess (Inline Policy)")


if __name__ == "__main__":
    check_admin_access()

Running the Script
Save the script to a file, for example, iam_checker.py. Execute the script:
python iam_checker.py

The script connects to AWS, lists all users, and reports any whose directly attached managed or inline policies grant AdministratorAccess; policies inherited through group membership are not inspected.
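As an added example (not the post's own code), the following version closes the two gaps a reviewer would flag in the script above: policies inherited through group membership, and paginated API responses. It takes the IAM client as a parameter so the audit logic can be exercised offline against a stub object; the ARN of the AWS-managed AdministratorAccess policy is the real one, while the finding labels, helper names and any sample policies are constructed for illustration.

```python
"""Admin-privilege audit for IAM users, including policies inherited via groups."""
from typing import Dict, Iterator, List

# Real ARN of the AWS-managed AdministratorAccess policy.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value) -> list:
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_document: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*".

    Handles Statement given as a dict or a list, and Action/Resource given as a
    string or a list. Membership is tested exactly, so "iam:*" does not match.
    NotAction-based statements are not evaluated (limitation of this example).
    """
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def _paginate(method, key: str, **kwargs) -> Iterator[dict]:
    """Follow IAM's Marker/IsTruncated pagination by hand.

    Works with a real boto3 client or any stub exposing the same call shape.
    """
    marker = None
    while True:
        page = method(**kwargs, Marker=marker) if marker else method(**kwargs)
        for item in page.get(key, []):
            yield item
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def admin_findings_for_user(iam, user_name: str) -> List[str]:
    """Return constructed finding labels describing every admin grant for one user."""
    findings = []
    # 1. Managed policies attached directly to the user (matched by ARN, not name)
    for pol in _paginate(iam.list_attached_user_policies, "AttachedPolicies", UserName=user_name):
        if pol["PolicyArn"] == ADMIN_POLICY_ARN:
            findings.append("managed:AdministratorAccess")
    # 2. Inline policies on the user (get_user_policy returns the decoded document)
    for name in _paginate(iam.list_user_policies, "PolicyNames", UserName=user_name):
        doc = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
        if grants_full_admin(doc):
            findings.append(f"inline:{name}")
    # 3. Policies inherited through group membership
    for group in _paginate(iam.list_groups_for_user, "Groups", UserName=user_name):
        gname = group["GroupName"]
        for pol in _paginate(iam.list_attached_group_policies, "AttachedPolicies", GroupName=gname):
            if pol["PolicyArn"] == ADMIN_POLICY_ARN:
                findings.append(f"group:{gname}:managed:AdministratorAccess")
        for name in _paginate(iam.list_group_policies, "PolicyNames", GroupName=gname):
            doc = iam.get_group_policy(GroupName=gname, PolicyName=name)["PolicyDocument"]
            if grants_full_admin(doc):
                findings.append(f"group:{gname}:inline:{name}")
    return findings


def find_admin_users(iam) -> Dict[str, List[str]]:
    """Map each user that holds admin privileges to the list of reasons why."""
    result: Dict[str, List[str]] = {}
    for user in _paginate(iam.list_users, "Users"):
        findings = admin_findings_for_user(iam, user["UserName"])
        if findings:
            result[user["UserName"]] = findings
    return result


if __name__ == "__main__":
    import boto3  # imported here so the audit logic can be unit-tested without boto3

    for user, reasons in find_admin_users(boto3.client("iam")).items():
        print(user, "->", ", ".join(reasons))
```

Passing the client in, rather than creating it inside the function, is what makes the audit testable against a stub and reusable across accounts via assumed-role sessions. With a real client you could replace `_paginate` with `get_paginator`; the hand-rolled version is kept here only so the same code runs against a stub.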

Conclusion
This script showcases the capability of Boto3 in interacting with AWS IAM. Extend it for advanced IAM operations or incorporate it into broader AWS automation workflows. Always handle AWS credentials securely and consider AWS Identity Federation for robust access management.
Secure your AWS resources! This Python script identifies IAM users with AdministratorAccess privileges using Boto3. Run it regularly to maintain least privilege and tighten IAM security.