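#!/bin/bash
#
# verify-account-policies.sh — verify that an IAM user has a given set of
# managed policies attached (directly or via its groups) and, optionally,
# hand the user's and groups' inline ("custom") policies to
# custom-policies-check.py for further inspection.
#
# Usage:
#   verify-account-policies.sh -u USER [-p ARN1,ARN2,...] [-f FILE] [-c FILE]
#                              [-a ACCESS_KEY -s SECRET_KEY] [-r REGION]
#
# Exit codes:
#   0   every requested policy is attached (and the custom check passed)
#   1   at least one requested policy is missing, or the custom check failed
#   2   bad arguments, unusable credentials, unreadable file, or an AWS API
#       call failed (a failed call is never silently treated as "no policies")
#   127 a required tool (aws, python) is not installed
#
# Matching rule: a requested policy matches an attached policy when it equals
# the full ARN, or when it equals the policy name (the part after the last
# '/'). Substring matches are deliberately NOT accepted: a verifier that says
# OK for "ReadOnly" because "ReadOnlyAccess" is attached is a false positive.
#
# Credentials: prefer the standard AWS credential chain (AWS_PROFILE,
# AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in the environment, instance role).
# -a/-s are kept for compatibility, but a secret passed on the command line is
# visible in `ps` output and is recorded in shell history.

set -o pipefail

red=$'\033[0;31m'
green=$'\033[1;32m'
white=$'\033[1;37m'
reset=$'\033[0m'

script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)

usage() {
  cat <<'EOF'
Checks if an IAM user has the provided policies attached

Arguments:
 -u [Required] Username whose policies will be checked.
 -p [Optional] Policies to be checked, separated by comma (full ARN or policy name).
 -f [Optional] Path to a file containing the policies to be checked, one per line.
 -c [Optional] Path to a file containing the custom policies to be checked.
 -a [Optional] AWS access key (prefer AWS_PROFILE/env vars: argv is visible in ps and history).
 -s [Optional] AWS secret key (same caveat as -a; must be given together with -a).
 -r [Optional] AWS region
 -h            Show this help.
EOF
}

# die CODE MESSAGE... — print MESSAGE in red to stderr and exit with CODE.
die() {
  local code=$1
  shift
  printf '%s%s%s\n' "$red" "$*" "$reset" >&2
  exit "$code"
}

# trim STRING — print STRING without surrounding whitespace or CR characters
# (policy files written on Windows carry "\r\n" line endings).
trim() {
  local s=${1//$'\r'/}
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

# iam_text ARGS... — run `aws iam ARGS --output text` and print the result
# one item per line. Returns 2 (after printing an error) when the call fails,
# so callers can abort instead of mistaking an API error for an empty list.
# IAM user, group and policy names cannot contain whitespace, so normalising
# all whitespace to newlines is a safe way to split the text output.
iam_text() {
  local raw
  if ! raw=$(aws iam "$@" --output text); then
    printf '%sError: aws iam %s failed.%s\n' "$red" "$*" "$reset" >&2
    return 2
  fi
  tr -s '[:space:]' '\n' <<< "$raw" | sed '/^$/d'
}

# policy_attached WANTED — succeed when WANTED equals one of the ARNs in
# all_policies, or equals the policy name / path suffix after a '/'.
policy_attached() {
  local wanted=$1 arn
  for arn in "${all_policies[@]}"; do
    if [[ "$arn" == "$wanted" || "$arn" == */"$wanted" ]]; then
      return 0
    fi
  done
  return 1
}

# check_policy WANTED — print OK/FAILED for one requested policy and count
# failures, so every requested policy is reported before the script exits 1.
check_policy() {
  local wanted=$1
  if policy_attached "$wanted"; then
    printf '%sOK %s%s\n' "$green" "$wanted" "$reset"
  else
    printf '%sFAILED %s%s\n' "$red" "$wanted" "$reset"
    failures=$((failures + 1))
  fi
}

username='' policies='' policies_file='' custom_policies_file=''
access_key='' secret_key='' region=''

while getopts ':u:p:f:c:a:s:r:h' flag; do
  case "$flag" in
    u) username=$OPTARG ;;
    p) policies=$OPTARG ;;
    f) policies_file=$OPTARG ;;
    c) custom_policies_file=$OPTARG ;;
    a) access_key=$OPTARG ;;
    s) secret_key=$OPTARG ;;
    r) region=$OPTARG ;;
    h) usage; exit 0 ;;
    :) die 2 "Error: option -$OPTARG requires an argument. Use -h flag to display help." ;;
    *) die 2 "Error: unknown option -$OPTARG. Use -h flag to display help." ;;
  esac
done

# Argument check: a user plus at least one source of policies to verify.
if [[ -z "$username" ]] || [[ -z "$policies" && -z "$policies_file" && -z "$custom_policies_file" ]]; then
  die 2 $'Error: Missing parameters, -u and -p, -f or -c flags are mandatory.\nUse -h flag to display help.'
fi

# AWS credentials setup. The keys arrived via argv and are therefore already
# exposed to `ps`; exporting them also hands them to every child process.
if [[ -n "$access_key" && -n "$secret_key" ]]; then
  echo "Setting up your AWS credentials..."
  export AWS_ACCESS_KEY_ID=$access_key
  export AWS_SECRET_ACCESS_KEY=$secret_key
elif [[ -n "$access_key$secret_key" ]]; then
  die 2 "Error: -a and -s must be given together."
fi

# AWS region
if [[ -n "$region" ]]; then
  echo "Setting up your AWS region..."
  export AWS_DEFAULT_REGION=$region
fi

# AWS default output (iam_text overrides it per call; the python checker
# receives JSON documents produced under this setting).
export AWS_DEFAULT_OUTPUT=json

# Check required tools. Python is only needed for the custom-policy check.
command -v aws >/dev/null 2>&1 || die 127 "Error: AWS CLI is not installed."
python_bin=''
if [[ -n "$custom_policies_file" ]]; then
  python_bin=$(command -v python3 || command -v python) \
    || die 127 "Error: Python is not installed."
fi

# Check that the credentials actually work before issuing IAM calls.
aws sts get-caller-identity >/dev/null 2>&1 \
  || die 2 "Error: Invalid AWS credentials. Please use -a and -s flags to set them correctly."

# Get user groups. An API failure (unknown user, missing iam:ListGroupsForUser)
# aborts with exit 2 instead of continuing with an empty list.
echo "Getting user groups..."
raw=$(iam_text list-groups-for-user --user-name "$username" --query 'Groups[].[GroupName]') || exit 2
mapfile -t user_groups < <(printf '%s' "$raw")

# Managed policies attached to each group, then to the user itself.
echo "Getting policies attached to user groups..."
all_policies=()
for group in "${user_groups[@]}"; do
  raw=$(iam_text list-attached-group-policies --group-name "$group" --query 'AttachedPolicies[].[PolicyArn]') || exit 2
  mapfile -t -O "${#all_policies[@]}" all_policies < <(printf '%s' "$raw")
done

echo "Getting user-specific policies..."
raw=$(iam_text list-attached-user-policies --user-name "$username" --query 'AttachedPolicies[].[PolicyArn]') || exit 2
mapfile -t -O "${#all_policies[@]}" all_policies < <(printf '%s' "$raw")

failures=0

# Inline (comma-separated) policies check
if [[ -n "$policies" ]]; then
  echo "Checking inline provided policies..."
  IFS=',' read -r -a policies_array <<< "$policies"
  for policy_to_check in "${policies_array[@]}"; do
    policy_to_check=$(trim "$policy_to_check")
    if [[ -n "$policy_to_check" ]]; then
      check_policy "$policy_to_check"
    fi
  done
fi

# File policies check: one policy per line, blank lines ignored. Reading with
# `read -r` avoids the eval/word-splitting of the previous implementation.
if [[ -n "$policies_file" ]]; then
  echo "Checking file provided policies..."
  [[ -r "$policies_file" ]] || die 2 "Error: cannot read policies file '$policies_file'."
  while IFS= read -r line || [[ -n "$line" ]]; do
    line=$(trim "$line")
    if [[ -n "$line" ]]; then
      check_policy "$line"
    fi
  done < "$policies_file"
fi

# Custom (inline IAM) policies check
if [[ -n "$custom_policies_file" ]]; then
  printf '%sChecking custom policies...%s\n' "$white" "$reset"
  [[ -r "$custom_policies_file" ]] || die 2 "Error: cannot read custom policies file '$custom_policies_file'."

  # Collect every inline policy document (groups first, then the user).
  docs=()
  for group in "${user_groups[@]}"; do
    raw=$(iam_text list-group-policies --group-name "$group" --query 'PolicyNames[]') || exit 2
    mapfile -t names < <(printf '%s' "$raw")
    for name in "${names[@]}"; do
      doc=$(aws iam get-group-policy --group-name "$group" --policy-name "$name") \
        || die 2 "Error: could not fetch inline policy '$name' of group '$group'."
      docs+=("$doc")
    done
  done
  raw=$(iam_text list-user-policies --user-name "$username" --query 'PolicyNames[]') || exit 2
  mapfile -t names < <(printf '%s' "$raw")
  for name in "${names[@]}"; do
    doc=$(aws iam get-user-policy --user-name "$username" --policy-name "$name") \
      || die 2 "Error: could not fetch inline policy '$name' of user '$username'."
    docs+=("$doc")
  done

  # Join the documents into a JSON array. With no inline policies this yields
  # "[]"; the previous string-trimming approach produced the invalid "]".
  json_custom_policies='['
  if (( ${#docs[@]} > 0 )); then
    json_custom_policies+=$(IFS=','; printf '%s' "${docs[*]}")
  fi
  json_custom_policies+=']'

  # Resolve the checker next to this script, falling back to the working
  # directory for callers that relied on the old behaviour.
  checker="${script_dir}/custom-policies-check.py"
  [[ -f "$checker" ]] || checker='custom-policies-check.py'

  # The policy JSON is passed in argv because that is the checker's interface;
  # NOTE(review): a very large set of inline policies could exceed ARG_MAX.
  "$python_bin" "$checker" "$json_custom_policies" "$custom_policies_file" || exit 1
fi

# Return non-zero if any requested managed policy was missing.
if (( failures > 0 )); then
  exit 1
fi
exit 0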