This article was originally posted in September 2019. Updated in February 2020.

Disclaimer

Thanks to @0xdabbad00 from SummitRoute for the original idea and jq parsing.

Purpose

When your production workloads rely on AWS IAM Managed Policies (don’t do this), you need to be notified when AWS changes them behind the scenes. It’s also interesting to watch for new AWS service releases ahead of the official announcements, as a kind of spoiler.

This pet project automates the retrieval (every 4 hours) of new and updated AWS Managed IAM Policies, so that changes made by AWS are easy to monitor and to get alerted on, using the “Watch” feature on GitHub, an RSS feed or a dedicated Twitter account.


Link: MAMIP - Monitor AWS Managed IAM Policies

Usage

Three options

  1. Activate Releases Only notifications on GitHub

  2. Subscribe to the GitHub RSS Feed (master branch)

How it works behind the scenes

Schema


Managed Policies are acquired as follows:

# Dump every policy visible in the account (the CLI pages through the results for you)
aws iam list-policies > list-policies.json

# Keep only AWS-managed policies, emit "ARN VersionId PolicyName" per line,
# then fetch each default version and store it under the policy name
jq -cr '.Policies[] | select(.Arn | contains("iam::aws")) | .Arn + " " + .DefaultVersionId + " " + .PolicyName' list-policies.json | xargs -n3 sh -c 'aws iam get-policy-version --policy-arn "$1" --version-id "$2" > "policies/$3"' sh

This does the following (the magic):

  • Gets the list of all policies in the AWS Account.
  • Finds the ones with an ARN containing iam::aws, so that only the AWS managed policies are grabbed.
  • Gets the ARN, current version id, and policy name (the policy name is used for the file name because, unlike the ARN, it contains no slash).
  • Calls aws iam get-policy-version with those values, and writes the output to a file using the policy name.

Automation Steps

  1. Clone the mamip repository.
  2. Run the magic (previous command).
  3. Commit changes if any.
  4. Push (with tags for release) to GitHub.
  5. Send a message to an SQS queue (qTweet).
  6. A Lambda function is triggered on SQS message, then pushes the message to Twitter.
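As an added example, not part of the MAMIP project itself, here is an offline model of the acquisition filter above and of the “commit changes if any” step: it applies the same `iam::aws` selection as the jq filter to a constructed `aws iam list-policies` output, builds the per-policy snapshot keyed by policy name, and reports which policies were added, updated (new DefaultVersionId) or removed since the previous run. The sample JSON and the `detect_changes` helper are my own constructions.

```python
"""Offline model of the MAMIP acquisition and change-detection steps."""
import json

# Constructed sample of `aws iam list-policies` output (not real AWS data):
# two AWS-managed policies (one with a path in its ARN) and one customer policy.
LIST_POLICIES_JSON = json.dumps({"Policies": [
    {"PolicyName": "AmazonS3ReadOnlyAccess",
     "Arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
     "DefaultVersionId": "v2"},
    {"PolicyName": "MyCustomPolicy",
     "Arn": "arn:aws:iam::123456789012:policy/MyCustomPolicy",
     "DefaultVersionId": "v1"},
    {"PolicyName": "AWSLambdaBasicExecutionRole",
     "Arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     "DefaultVersionId": "v3"},
]})


def aws_managed_policies(list_policies_json):
    """Same selection as the jq filter: keep policies whose ARN contains
    'iam::aws' and return (arn, default_version_id, policy_name) triples."""
    policies = json.loads(list_policies_json)["Policies"]
    return [(p["Arn"], p["DefaultVersionId"], p["PolicyName"])
            for p in policies if "iam::aws" in p["Arn"]]


def snapshot(triples):
    """Map file name -> version id. The policy name is the key because the
    ARN may contain a path (e.g. policy/service-role/...) and so a slash."""
    return {name: version for _, version, name in triples}


def detect_changes(previous, current):
    """Return (added, updated, removed) policy names between two snapshots.
    'updated' means DefaultVersionId moved, which is what the git commit
    step in the automation picks up as a diff under policies/."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    updated = sorted(n for n in current
                     if n in previous and current[n] != previous[n])
    return added, updated, removed


if __name__ == "__main__":
    # Hypothetical snapshot from the previous 4-hourly run.
    previous_run = {"AmazonS3ReadOnlyAccess": "v1", "OldPolicy": "v1"}
    current_run = snapshot(aws_managed_policies(LIST_POLICIES_JSON))
    added, updated, removed = detect_changes(previous_run, current_run)
    print("added:", added, "updated:", updated, "removed:", removed)
```

In the real pipeline the snapshot is the set of files under policies/ in git, and the "updated" list is what ends up as the release tag and the tweet.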

Schedule

  • Every 4 hours

That’s all folks!

zoph.