Fork of SummitRoute:master (this branch is 46 commits ahead and 25 commits behind). Languages: HCL, Makefile, Shell, Python, Dockerfile.
[MAMIP] Monitor AWS Managed IAM Policies 📢

Thanks to @0xdabbad00 from SummitRoute for the original idea. This repository only automates the retrieval of the AWS managed IAM policies, which makes it easier to monitor them and to get alerted when a policy changes, using the "Watch" feature of GitHub.

I'm using this as an excuse to learn and experiment with new things: automation, Terraform, and containers with AWS Fargate.

Usage

Two options:

  1. Activate the "Releases only" watch feature of GitHub on this repository
  2. Subscribe to the GitHub RSS feed of the master branch (commits feed)

How it works behind the scenes

The policy files under policies/ are acquired as follows:

```sh
aws iam list-policies > list-policies.json
cat list-policies.json | jq -cr '.Policies[] | select(.Arn | contains("iam::aws"))|.Arn +" "+ .DefaultVersionId+" "+.PolicyName' | xargs -n3 sh -c 'aws iam get-policy-version --policy-arn $1 --version-id $2 > "policies/$3"' sh
```

This does the following:

  • Gets the list of all policies visible to the account (AWS managed and customer managed); `aws iam list-policies --scope AWS` would return only the AWS managed ones directly.
  • Keeps the ones whose ARN contains iam::aws (the account field of an AWS managed policy ARN is the literal "aws"), so that only the AWS managed policies are grabbed.
  • Extracts the ARN, the current default version id, and the policy name. The name is used as the file name because the ARN contains a slash.
  • Calls aws iam get-policy-version with those values and writes the output to policies/<PolicyName>. Only the default version is fetched, so a change shows up as a modified file in the next commit rather than as a new file.
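The same selection step in Python, followed by a small semantic diff of two versions of a policy document, which is what a watcher actually wants to read when an alert fires. This is an added example, not code from the MAMIP repository: the `list-policies` output and the two policy documents are constructed samples, and `fetch_aws_managed_policies` assumes `boto3` is installed with working credentials (it is not exercised offline).

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample of `aws iam list-policies` output (not real AWS data):
# one AWS managed policy and one customer managed policy, to show the filter.
SAMPLE_LIST_POLICIES = json.loads("""
{"Policies": [
  {"PolicyName": "ExamplePolicy",
   "Arn": "arn:aws:iam::aws:policy/ExamplePolicy",
   "DefaultVersionId": "v2"},
  {"PolicyName": "MyCustomerPolicy",
   "Arn": "arn:aws:iam::123456789012:policy/MyCustomerPolicy",
   "DefaultVersionId": "v1"}
]}
""")

# Constructed old/new versions of one policy document (not a real AWS policy).
OLD_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}
NEW_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}


def select_aws_managed(list_policies: dict) -> List[Tuple[str, str, str]]:
    """Same selection as the jq one-liner: keep only AWS managed policies and
    return (Arn, DefaultVersionId, PolicyName) triples. Matching on the
    ':iam::aws:policy/' fragment rather than a fixed 'arn:aws:' prefix keeps
    the filter valid in other partitions (arn:aws-cn:..., arn:aws-us-gov:...)."""
    return [
        (p["Arn"], p["DefaultVersionId"], p["PolicyName"])
        for p in list_policies["Policies"]
        if ":iam::aws:policy/" in p["Arn"]
    ]


def _statements(document: dict) -> List[dict]:
    # IAM allows "Statement" to be a single object or a list.
    stmts = document.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_set(value) -> Set[str]:
    # "Action" may be a single string or a list of strings.
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def actions_by_effect(document: dict, effect: str) -> Set[str]:
    """Flatten the Action entries of every statement with the given Effect.
    Resource and Condition are ignored here; the full JSON diff in the git
    history still shows them."""
    acts: Set[str] = set()
    for s in _statements(document):
        if s.get("Effect") == effect:
            acts |= _as_set(s.get("Action"))
    return acts


def diff_policy_documents(old: dict, new: dict) -> Dict[str, List[str]]:
    """Summarise a version change as added/removed Allow actions, the part of a
    managed-policy change most worth reading in an alert."""
    before = actions_by_effect(old, "Allow")
    after = actions_by_effect(new, "Allow")
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def fetch_aws_managed_policies() -> Dict[str, dict]:
    """Live equivalent of the shell pipeline using boto3 (assumed installed and
    configured with credentials). Returns {PolicyName: policy document};
    boto3 already URL-decodes the document into a dict."""
    import boto3  # lazy import so the rest of the module runs without it
    iam = boto3.client("iam")
    docs: Dict[str, dict] = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="AWS"):
        for arn, version, name in select_aws_managed(page):
            pv = iam.get_policy_version(PolicyArn=arn, VersionId=version)
            docs[name] = pv["PolicyVersion"]["Document"]
    return docs
```

Running `diff_policy_documents(OLD_DOC, NEW_DOC)` on the constructed samples reports `s3:PutObject` as added and `ec2:TerminateInstances` as removed; the Deny statement, unchanged between versions, does not appear. Comparing only Allow actions is a deliberate simplification for the alert text: a change confined to Resource or Condition is still visible in the committed JSON.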

Automation Steps

  • Infrastructure is deployed using:
    • EC2: CloudFormation
    • Fargate: Terraform
  • Update the operating system (OS)
  • Install the requirements (git, jq) and add the SSH private key used to push to this repository
  • Clone this repository
  • Run the retrieval command shown above
  • If changes are detected:
    • Commit the changes
    • Push them (with a tag, which produces a GitHub release)
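The "if changes detected, commit and push with a tag" step written out, as an added example that is not the repository's own automation code. It assumes the clone lives at `repo` with a `policies/` directory, that `git` is on PATH with a configured identity, and a tag format of `YYYYMMDD-HHMM` (an assumption; the project's real tag scheme is not shown on this page). `push_with_tags` assumes a remote named `origin` and is not exercised offline.

```python
import json
import subprocess
from datetime import datetime
from pathlib import Path
from typing import Dict, List


def write_if_changed(policies_dir: Path, name: str, document: dict) -> bool:
    """Write policies/<PolicyName> only when the canonical JSON differs from
    what is already on disk. Returns True when the file was (re)written."""
    path = policies_dir / name
    body = json.dumps(document, indent=2, sort_keys=True) + "\n"
    if path.exists() and path.read_text() == body:
        return False
    policies_dir.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    return True


def sync_policies(policies_dir: Path, fetched: Dict[str, dict]) -> List[str]:
    """Write every fetched policy and return the sorted names that changed."""
    return sorted(name for name, doc in fetched.items()
                  if write_if_changed(policies_dir, name, doc))


def release_tag(now: datetime) -> str:
    """Tag name for the GitHub release, e.g. 20240102-0304 (assumed format)."""
    return now.strftime("%Y%m%d-%H%M")


def _git(repo: Path, *args: str, check: bool = True) -> subprocess.CompletedProcess:
    return subprocess.run(["git", "-C", str(repo), *args],
                          check=check, capture_output=True, text=True)


def commit_and_tag(repo: Path, changed: List[str], tag: str) -> bool:
    """Commit and tag only if something actually changed. The annotated tag is
    what turns the push into a GitHub release for 'Releases only' watchers.
    Returns True when a commit was created."""
    if not changed:
        return False
    _git(repo, "add", "--", "policies")
    # Second guard: `git diff --cached --quiet` exits 1 when the index differs
    # from HEAD and 0 when there is nothing to commit.
    if _git(repo, "diff", "--cached", "--quiet", check=False).returncode == 0:
        return False
    summary = ", ".join(changed)
    _git(repo, "commit", "-m", "Update AWS managed policies: " + summary)
    _git(repo, "tag", "-a", tag, "-m", "AWS managed policy changes: " + summary)
    return True


def push_with_tags(repo: Path, branch: str = "master") -> None:
    """Push the branch and the annotated tags that point at pushed commits
    (assumes a remote named origin; needs network, so not run offline)."""
    _git(repo, "push", "--follow-tags", "origin", branch)
```

Writing the documents as sorted-key JSON (rather than the raw CLI output) makes the on-disk comparison stable, so a commit is only created when a policy document really changed; with the raw `get-policy-version` output the `CreateDate` field also changes whenever AWS publishes a new version, which is harmless here because a new version is exactly what should be committed.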

Schedule

  • EC2 instance: once a day, on a Spot Instance
  • Fargate: every 6 hours (the currently active version)

EC2 Version Schema (CloudFormation)

(architecture diagram: schema ec2)

Fargate Version Schema (Terraform)

(architecture diagram: schema fargate)
