Monitor AWS Managed IAM Policies

Disclaimer

Thanks to @0xdabbad00 from SummitRoute for the original idea.

Purpose

This pet project automates the retrieval of the AWS managed IAM policies and commits them to a Git repository, so that you can monitor them and get alerted when AWS changes one, either through GitHub's “Watch” feature or through RSS.

If your application relies on AWS managed IAM policies (don't do this: AWS can add or remove permissions in a managed policy at any time, and the change applies to every principal the policy is attached to), you need to be notified when such a change happens behind the scenes. It is also interesting to spot new AWS services before they are announced, since their managed policies tend to appear ahead of the launch :)

Link: MAMIP - Monitor AWS Managed IAM Policies

Usage

Two options:

  1. Enable “Releases only” notifications for the repository on GitHub.
  2. Subscribe to the GitHub RSS feed of the master branch.

How it works behind the scene

The policy documents are retrieved as follows:

aws iam list-policies > list-policies.json
# keep only the AWS managed policies (account field of the ARN is "aws") and emit "<arn> <version> <name>" per line
jq -r '.Policies[] | select(.Arn | contains("iam::aws")) | .Arn + " " + .DefaultVersionId + " " + .PolicyName' list-policies.json \
  | xargs -n3 sh -c 'aws iam get-policy-version --policy-arn "$1" --version-id "$2" > "policies/$3"' sh

This does the following:

  • Lists all IAM policies visible to the account, AWS managed and customer managed alike (aws iam list-policies --scope AWS would restrict this server-side; the jq filter does the same client-side).
  • Keeps only the ones whose ARN contains iam::aws, i.e. the AWS managed policies (customer managed policies carry the account id in that position of the ARN).
  • Extracts the ARN, the current default version id, and the policy name; the name is used for the file name because the ARN contains slashes (arn:aws:iam::aws:policy/service-role/...).
  • Calls aws iam get-policy-version with those values and writes the JSON output to policies/<PolicyName>.
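The two pieces of the pipeline above that are worth getting right are the selection of AWS managed policies and the reading of the resulting diff. The following is an added example, not MAMIP's own code: it re-implements the selection step over the shape of `aws iam list-policies` output, and adds a semantic diff of two versions of one policy document that classifies the change as privilege widening or narrowing, which is the question you actually want answered when the repository notifies you. The list-policies output, the ARNs and version ids, and both policy documents are constructed for the example; NotAction and NotResource are not modelled.

```python
"""Added example, not MAMIP's own code: select AWS managed policies from
`aws iam list-policies` output and semantically diff two policy versions.
All inputs below are constructed for the example and are not real AWS data."""
import json
import re

# Constructed sample of `aws iam list-policies` output, trimmed to the fields
# the pipeline uses: two AWS managed policies and one customer managed one.
LIST_POLICIES_JSON = json.dumps({"Policies": [
    {"PolicyName": "ExampleReadOnly",
     "Arn": "arn:aws:iam::aws:policy/ExampleReadOnly",
     "DefaultVersionId": "v3"},
    {"PolicyName": "ExampleServiceRole",
     "Arn": "arn:aws:iam::aws:policy/service-role/ExampleServiceRole",
     "DefaultVersionId": "v1"},
    {"PolicyName": "my-custom-policy",
     "Arn": "arn:aws:iam::123456789012:policy/my-custom-policy",
     "DefaultVersionId": "v2"},
]})

AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"
# IAM policy names are limited to this character set, so a name that matches
# is a safe file basename (no "/", no "..", no spaces).
SAFE_NAME = re.compile(r"[\w+=,.@-]+")


def select_aws_managed(list_policies_output):
    """Return (arn, default_version_id, file_name) for each AWS managed policy.

    Anchoring on the full ARN prefix is stricter than contains("iam::aws"):
    the account field of the ARN must be exactly "aws"."""
    triples = []
    for p in json.loads(list_policies_output)["Policies"]:
        if not p["Arn"].startswith(AWS_MANAGED_PREFIX):
            continue
        if not SAFE_NAME.fullmatch(p["PolicyName"]):
            raise ValueError("unexpected policy name: %r" % p["PolicyName"])
        triples.append((p["Arn"], p["DefaultVersionId"], p["PolicyName"]))
    return triples


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _grants(document):
    """Flatten a policy document into (Effect, Action, Resource, Condition)
    tuples so two versions compare independently of statement layout.
    Condition is kept as canonical JSON so a loosened condition shows up too.
    NotAction/NotResource are not modelled; Resource defaults to "*"."""
    statements = document["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    grants = set()
    for s in statements:
        cond = json.dumps(s.get("Condition", {}), sort_keys=True)
        for action in _as_list(s.get("Action")):
            for resource in _as_list(s.get("Resource", "*")):
                grants.add((s["Effect"], action, resource, cond))
    return grants


def diff_policy_versions(old_doc, new_doc):
    """Classify the change between two versions of one managed policy.

    widened  = Allow grants that appeared or Deny grants that vanished
    narrowed = Allow grants that vanished or Deny grants that appeared
    Both are alert-worthy: widening is a silent permission increase for every
    principal the policy is attached to; narrowing can break those principals."""
    old, new = _grants(old_doc), _grants(new_doc)
    widened = sorted([("added",) + g for g in new - old if g[0] == "Allow"]
                     + [("removed",) + g for g in old - new if g[0] == "Deny"])
    narrowed = sorted([("removed",) + g for g in old - new if g[0] == "Allow"]
                      + [("added",) + g for g in new - old if g[0] == "Deny"])
    return {"widened": widened, "narrowed": narrowed}


# Constructed "before" and "after" documents (not a real AWS policy): the new
# version adds s3:PutObject, adds a conditional kms:Decrypt statement and drops
# an explicit Deny.
OLD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
NEW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
]}

if __name__ == "__main__":
    for arn, version, name in select_aws_managed(LIST_POLICIES_JSON):
        print("fetch %s %s -> policies/%s" % (arn, version, name))
    for kind, changes in diff_policy_versions(OLD_POLICY, NEW_POLICY).items():
        for change in changes:
            print(kind, *change)
```

Run against the constructed inputs, the selection step yields the two AWS managed policies and skips the customer managed one, and the diff reports three widenings (s3:PutObject and the conditional kms:Decrypt appeared, the Deny on s3:DeleteBucket disappeared) and no narrowing. In the real pipeline the two documents would be the committed file and the freshly fetched one for the same PolicyName.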

Automation Steps

  • Update the EC2 instance's packages
  • Install the requirements: git, jq, and the SSH private key used to push to GitHub
  • Clone the repository
  • Run the retrieval command above
  • Commit the changes, if any
  • Push (with tags, so that each change is published as a release)

Schedule

  • Once a day


Todo

  • Migrate to Docker instead of EC2.
  • Look at the serverless version built by RyPeck
