This Article was created posted in September 2019. Updated in February 2020.
When your production workloads rely on AWS IAM Managed Policies (don’t do this), you will need to be notified when changes occur behind the scene. It’s also interesting to monitor new AWS services releases prior announcements to get spoiled.
This pet project automates the retrieval (every 4 hours) of new AWS Managed IAM Policies to make it easier to monitor and get alerted when changes occur (by AWS) using “Watch” feature from Github, RSS or dedicated Twitter Account.
Releases Onlynotifications of Github
- Subscribe to the Github RSS Feed (master branch)
How it works behind the scene
Managed Policies are acquired as follows:
aws iam list-policies > list-policies.json cat list-policies.json | jq -cr '.Policies | select(.Arn | contains("iam::aws"))|.Arn +" "+ .DefaultVersionId+" "+.PolicyName' | xargs -n3 sh -c 'aws iam get-policy-version --policy-arn $1 --version-id $2 > "policies/$3"' sh
This does the following (the magic):
- Gets the list of all policies in the AWS Account
- Finds the ones with an ARN containing
iam::aws, so that only the AWS managed policies are grabbed.
- Gets the ARN, current version id, and policy name (needed so we don’t have a slash as the ARN does for writing a file)
aws iam get-policy-versionwith those values, and writes the output to a file using the policy name.
- Clone the mamip repository
- Run the magic (previous command)
- Commit changes if any
- Push (with tags for release) to Github
- Send message to a SQS queue (qTweet)
- A Lambda function is triggered on SQS message, then push message to Twitter
- Every 4 hours
That’s all folks!