Can I search existing IAM policies for a specific action?

2018-06-06 11:29:48

In AWS IAM is there a way, either by scripting or in the web console, to find which existing policies contain a given action?

For example, I want to allow role myRole to have access to the DescribeTags action on all of my EC2 instances. I know I can create my own policy with an appropriate rule, but would like to use an existing Amazon policy if such a thing exists.

Yes you can search for available policy in the web console check this screenshot below.

在这里输入图像描述

This is an old post, but it may help someone... Despite what others have said, you can do this. It just requires a bit of scripting.

You can do the following with the AWS CLI.

Get the ARNs of the policies and store in the policies_arn array.

mapfile -t policies_arn < <(aws iam list-policies --query 'Policies[*].[Arn]' --output text)

Get the VersionIds for each policy and store in the policies_ver array.

mapfile -t policies_ver < <(aws iam list-policies --query 'Policies[*].[DefaultVersionId]' --output text)

Use a for loop to loop through each policy and store the policy document in ~/policies.txt

for (( i=0; i<${#policies_arn[@]}; i++ )); do echo ${policies_arn[i]} >> policies.txt && aws iam get-policy-version --policy-arn ${policies_arn[i]} --version-id ${policies_ver[i]} --output json >> ~/policies.txt; done

Open up policies.txt in a text editor and search for your action.

Note: Depending on your CLI configuration, you may or may not need the --output text parameter. However, the output must be text (not JSON) in order for this to work.

From there, you can turn that into a .sh shell script easily enough.

Sample Output:

arn:aws:iam::123456789012:policy/DenyAllAccess
{
    "PolicyVersion": {
        "CreateDate": "2016-12-06T18:40:51Z",
        "VersionId": "v1",
        "Document": {
            "Statement": [
                {
                    "Action": "*",
                    "Effect": "Deny",
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        },
        "IsDefaultVersion": true
    }
}

Cheers!

链接地址: http://www.djcxy.com/p/20108.html

上一篇: 适用于Amazon AWS的IAM策略，允许有限访问Route 53

下一篇: 我可以搜索现有IAM策略以进行特定操作吗？