<p align="center">
<img src="https://raw.githubusercontent.com/orcasecurity/orca-toolbox/main/iam-ape/iam-ape.png" width="680" height="350">
</p>
## IAM AWS Policy Evaluator ##
APE takes all of the AWS IAM policies attached to a User, Group, or Role and presents you with a single policy
summarizing the entity's *actual* permissions,
taking into account allows, explicit denies, permissions inherited from groups, and permission boundaries.
## Setup ##
*Requires Python >= 3.9*
### From PyPI ###
1. Run `pip install iam-ape`
2. Run `iam-ape`
### From source ###
1. Clone this repository
2. Change directory to iam_ape
3. Run `python -m pip install .`
4. Run `iam-ape`
## Usage ##
> #### Prerequisite ####
> Have [aws-cli](https://aws.amazon.com/cli/) installed on your machine and a profile with the `iam:GetAccountAuthorizationDetails` permission.
> Alternatively, have the JSON output of `aws iam get-account-authorization-details` saved to a file.
> Before your first run, it's recommended to run `iam-ape --update` - this updates APE's database with the most current list of all available AWS IAM actions.
The simplest way to use `iam-ape` is to run `iam-ape --arn <your-arn-here>`.
APE will then fetch the account authorization details, evaluate the entity's permissions, and print a neatly formatted policy to stdout.
#### The `--input` flag: ####
If you don't want to fetch the report on every run, run `aws iam get-account-authorization-details` yourself, save the output to a JSON file, and pass that file to APE with the `--input` flag. Note that the file contains every user, group, role and policy document in the account, so store it as carefully as any other sensitive artifact.
#### Additional flags: ####
- `-o, --output` write the output to a file instead of stdout
- `-f, --format (clean|verbose)` output the policy in _clean_, AWS-policy-like JSON, or as a long _verbose_ JSON listing every specific action allowed to the entity, the denied actions, and the ineffective permissions (allowed in one place, denied in another)
- `-p, --profile` the AWS CLI profile to use when fetching the Account Authorization Details
- `-u, --update` update APE's database with the most current list of all available AWS IAM actions
- `-v, --verbose` set the logging level to DEBUG
**Important note**: the policy produced by this tool is not always a valid AWS policy. For example, if a user is granted `ec2:AttachVolume` on `arn:aws:ec2:*` by one policy but denied it on `arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc` by another, the resulting statement looks like this:
```json
{
  "Action": "ec2:AttachVolume",
  "Resource": "arn:aws:ec2:*",
  "NotResource": "arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc"
}
```
AWS rejects a statement that carries both `Resource` and `NotResource`, so this output cannot be attached to an entity as-is. It is meant to be read: a single statement of "everything except this" is clearer than the two original statements when the question is what the entity can actually do.
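The evaluation APE performs over a report can be seen in miniature below. This is an added example written for this page, not APE's own code: it reads a constructed document in the shape of `aws iam get-account-authorization-details` output (only the fields it needs are present), gathers a user's inline, attached and group-inherited statements plus the permissions boundary, uses only the default version of each managed policy, and classifies `(action, resource)` requests into the same buckets the `--format verbose` output describes, including the "ineffective" case from the note above. Assumptions are labelled in comments; `NotAction`, `Condition`, SCPs, resource policies and role assumption are deliberately left out.

```python
import fnmatch
import json

# Constructed sample in the shape of `aws iam get-account-authorization-details` output.
# Only the fields this example reads are present; a real report carries many more.
AUTH_DETAILS = json.loads(r"""{
 "UserDetailList": [{
  "UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice", "GroupList": ["developers"],
  "UserPolicyList": [{"PolicyName": "deny-one-instance", "PolicyDocument": {"Version": "2012-10-17",
   "Statement": [{"Effect": "Deny", "Action": "ec2:AttachVolume",
                  "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc"}]}}],
  "AttachedManagedPolicies": [{"PolicyName": "S3Admin",
                               "PolicyArn": "arn:aws:iam::123456789012:policy/S3Admin"}],
  "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                          "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/Boundary"}}],
 "GroupDetailList": [{
  "GroupName": "developers", "AttachedManagedPolicies": [],
  "GroupPolicyList": [{"PolicyName": "ec2-ops", "PolicyDocument": {"Version": "2012-10-17",
   "Statement": [{"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:Describe*"],
                  "Resource": "arn:aws:ec2:*"}]}}]}],
 "Policies": [
  {"Arn": "arn:aws:iam::123456789012:policy/S3Admin", "PolicyVersionList": [
   {"VersionId": "v2", "IsDefaultVersion": true, "Document": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
   {"VersionId": "v1", "IsDefaultVersion": false, "Document": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
  {"Arn": "arn:aws:iam::123456789012:policy/Boundary", "PolicyVersionList": [
   {"VersionId": "v1", "IsDefaultVersion": true, "Document": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:Get*"], "Resource": "*"}]}}]}]
}""")

# Constructed (action, resource) requests to classify for the user "alice".
SAMPLE_REQUESTS = [
    ("ec2:AttachVolume", "arn:aws:ec2:us-east-1:123456789012:volume/vol-0abc"),
    ("ec2:AttachVolume", "arn:aws:ec2:us-east-1:123456789012:instance/i-123456abc"),
    ("ec2:DescribeInstances", "*"),  # Describe* calls carry resource "*": an ARN-scoped Allow never matches
    ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
    ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
    ("iam:CreateUser", "*"),         # only granted by a non-default policy version, which is inert
]

def _as_list(value):
    # IAM accepts a bare string wherever a list of actions or resources is expected.
    return value if isinstance(value, list) else [value]

def _managed_statements(details, policy_arn):
    """Statements of a managed policy's *default* version; other versions grant nothing."""
    for policy in details["Policies"]:
        if policy["Arn"] == policy_arn:
            for version in policy["PolicyVersionList"]:
                if version["IsDefaultVersion"]:
                    return _as_list(version["Document"]["Statement"])
    raise KeyError(f"managed policy not in report: {policy_arn}")

def collect_statements(details, user_name):
    """Identity statements for a user (inline + attached + inherited through groups) and the
    statements of the user's permissions boundary, or None when no boundary is set."""
    user = next(u for u in details["UserDetailList"] if u["UserName"] == user_name)
    groups = [g for g in details["GroupDetailList"] if g["GroupName"] in user.get("GroupList", [])]
    identity = []
    for entity, inline_key in [(user, "UserPolicyList")] + [(g, "GroupPolicyList") for g in groups]:
        for inline in entity.get(inline_key, []):
            identity += _as_list(inline["PolicyDocument"]["Statement"])
        for attached in entity.get("AttachedManagedPolicies", []):
            identity += _managed_statements(details, attached["PolicyArn"])
    boundary = user.get("PermissionsBoundary")
    return identity, (_managed_statements(details, boundary["PermissionsBoundaryArn"]) if boundary else None)

def _matches(statement, action, resource):
    """IAM wildcard matching ('*' and '?'); action names are case-insensitive, ARNs are not.
    Simplification (assumption of this example): NotAction and Condition are ignored."""
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement.get("Action", []))):
        return False
    if "NotResource" in statement:
        return not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["NotResource"]))
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))

def decide(identity, boundary, action, resource):
    """Classify one request: 'allowed'; 'ineffective' (an Allow exists but an explicit Deny or the
    boundary cancels it); 'denied' (a Deny and no Allow); 'implicit-deny' (nothing matches)."""
    ident = {s["Effect"] for s in identity if _matches(s, action, resource)}
    bound = {s["Effect"] for s in boundary if _matches(s, action, resource)} if boundary is not None else {"Allow"}
    if "Allow" not in ident:
        return "denied" if "Deny" in ident | bound else "implicit-deny"
    if "Deny" in ident or "Deny" in bound or "Allow" not in bound:
        return "ineffective"
    return "allowed"

def effective_permissions(details, user_name, requests):
    identity, boundary = collect_statements(details, user_name)
    return {(a, r): decide(identity, boundary, a, r) for a, r in requests}

if __name__ == "__main__":
    for (action, resource), verdict in effective_permissions(AUTH_DETAILS, "alice", SAMPLE_REQUESTS).items():
        print(f"{verdict:14} {action} {resource}")
```

Running it shows the three ways an Allow can fail to be effective that the verbose format reports: an explicit Deny on a narrower ARN (the `i-123456abc` case), an Allow that the permissions boundary does not cover (`s3:PutObject`), and an Allow whose resource pattern can never match the request (`ec2:DescribeInstances`, which only matches `"Resource": "*"`). The non-default `v1` of `S3Admin` grants nothing, which is why `iam:CreateUser` is an implicit deny.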
## Roadmap ##
- [ ] Add an option to supply a resource policy and evaluate whether the entity has access to that resource
- [ ] Support additional permissions inherited by Role assumption
- [x] Support SCP Policies
Raw data
{
"_id": null,
"home_page": "https://github.com/orcasecurity/orca-toolbox/raw/main/iam-ape/",
"name": "iam-ape",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8,<4.0",
"maintainer_email": "",
"keywords": "aws,iam",
"author": "Tohar Braun, Orca Security",
"author_email": "tohar@orca.security",
"download_url": "https://files.pythonhosted.org/packages/a3/a9/45ee6ce52a2c7f88f4edf2bf54c93f370b07454037aa7880f445719db8eb/iam_ape-1.1.5.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "GPL-3.0-or-later",
"summary": "IAM AWS Permissions Evaluator",
"version": "1.1.5",
"project_urls": {
"Homepage": "https://github.com/orcasecurity/orca-toolbox/raw/main/iam-ape/",
"Repository": "https://github.com/orcasecurity/orca-toolbox/raw/main/iam-ape/"
},
"split_keywords": [
"aws",
"iam"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "b117a3afefae6835951f2efa09e7cda97874db96086a7ca8d4e881e949faf8d4",
"md5": "000bf8b01c77edfe2fbf5b70d9e069ec",
"sha256": "fa123ed9bcf02992e10946d6c0a3cf0126e2992d01a4f3714a89e3736f74fe34"
},
"downloads": -1,
"filename": "iam_ape-1.1.5-py3-none-any.whl",
"has_sig": false,
"md5_digest": "000bf8b01c77edfe2fbf5b70d9e069ec",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8,<4.0",
"size": 301786,
"upload_time": "2023-08-11T05:51:38",
"upload_time_iso_8601": "2023-08-11T05:51:38.876058Z",
"url": "https://files.pythonhosted.org/packages/b1/17/a3afefae6835951f2efa09e7cda97874db96086a7ca8d4e881e949faf8d4/iam_ape-1.1.5-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "a3a945ee6ce52a2c7f88f4edf2bf54c93f370b07454037aa7880f445719db8eb",
"md5": "4903a6c7753ba96723fa2f725fe69181",
"sha256": "f0f69628e43c764a019df33868d4408f40f9a65625038bd20c2d8b0ca9a39557"
},
"downloads": -1,
"filename": "iam_ape-1.1.5.tar.gz",
"has_sig": false,
"md5_digest": "4903a6c7753ba96723fa2f725fe69181",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8,<4.0",
"size": 301670,
"upload_time": "2023-08-11T05:51:40",
"upload_time_iso_8601": "2023-08-11T05:51:40.744285Z",
"url": "https://files.pythonhosted.org/packages/a3/a9/45ee6ce52a2c7f88f4edf2bf54c93f370b07454037aa7880f445719db8eb/iam_ape-1.1.5.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-08-11 05:51:40",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "orcasecurity",
"github_project": "orca-toolbox",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "iam-ape"
}