94 lines
3.6 KiB
Python
Executable File
94 lines
3.6 KiB
Python
Executable File
#!/usr/bin/python3
|
|
import boto3
|
|
import jmespath
|
|
import time
|
|
import re
|
|
import json
|
|
from pprint import pprint
|
|
from jmespath.exceptions import JMESPathTypeError
|
|
|
|
|
|
# dump user/group/role last activity
|
|
|
|
def generateLastAccessed(myclient, arn, myAccountId):
|
|
response = myclient.generate_service_last_accessed_details(
|
|
Arn=arn,
|
|
Granularity='SERVICE_LEVEL')
|
|
jobId = response.get("JobId")
|
|
accessDetails = client.get_service_last_accessed_details(JobId=jobId, MaxItems=20)
|
|
while True:
|
|
time.sleep(2)
|
|
accessDetails = client.get_service_last_accessed_details(JobId=jobId, MaxItems=20)
|
|
if accessDetails.get("JobStatus") != "COMPLETED":
|
|
continue
|
|
else:
|
|
break
|
|
r2 = client.list_policies_granting_service_access(
|
|
Arn=arn,
|
|
ServiceNamespaces=jmespath.search("ServicesLastAccessed[*].ServiceNamespace", accessDetails)
|
|
)
|
|
returnString = []
|
|
# try:
|
|
for p in jmespath.search("PoliciesGrantingServiceAccess[*].Policies[]", r2):
|
|
if p.get("PolicyType") == "INLINE":
|
|
returnString.append("INLINE:" + p.get("PolicyName"))
|
|
else:
|
|
if myAccountId in p.get("PolicyArn"):
|
|
returnString.append(p.get("PolicyArn"))
|
|
# except JMESPathTypeError:
|
|
# pass
|
|
return list(dict.fromkeys(returnString))
|
|
|
|
|
|
sts = boto3.client('sts')
|
|
accountId = sts.get_caller_identity()["Account"]
|
|
|
|
client = boto3.client('iam')
|
|
print("=" * 40)
|
|
print("** Users **")
|
|
print("=" * 40)
|
|
entity = client.list_users()
|
|
for u in jmespath.search("Users[*]", entity):
|
|
accessKeyQuery = client.list_access_keys(UserName=u.get('UserName'))
|
|
keys = accessKeyQuery.get("AccessKeyMetadata")
|
|
print("UserName", u.get("UserName"), sep=": ")
|
|
print("CreateDate", u.get("CreateDate"), sep=": ")
|
|
print("PasswordLastUsed", u.get("PasswordLastUsed"), sep=": ")
|
|
doPolicyLastUsed = False if u.get("PasswordLastUsed") is None else True
|
|
for k in accessKeyQuery.get("AccessKeyMetadata"):
|
|
print("AccessKeyId", k.get("AccessKeyId"), sep=": ")
|
|
print("AccessKeyStatus", k.get("Status"), sep=": ")
|
|
if k.get("Status") == "Inactive":
|
|
doPolicyLastUsed = False
|
|
print("AccessKeyCreateDate", k.get("CreateDate"), sep=": ")
|
|
akLastUsedQuery = client.get_access_key_last_used(AccessKeyId=k.get("AccessKeyId"))
|
|
print("AccessKeyLastUsed", akLastUsedQuery.get("AccessKeyLastUsed").get("LastUsedDate"), sep=": ")
|
|
if doPolicyLastUsed:
|
|
print("CustomerPolicyLastUsed", generateLastAccessed(client, u.get("Arn"), accountId), sep=": ")
|
|
print("-" * 10)
|
|
|
|
print("=" * 40)
|
|
print("** Groups **")
|
|
print("=" * 40)
|
|
entity = client.list_groups()
|
|
print("GroupName", "CreateDate", sep=",")
|
|
for g in jmespath.search("Groups[*]", entity):
|
|
print(g.get("GroupName"), g.get("CreateDate"), sep=", ")
|
|
|
|
print("=" * 40)
|
|
print("** Roles **")
|
|
print("=" * 40)
|
|
entity = client.list_roles()
|
|
for r in jmespath.search("Roles[*]", entity):
|
|
if re.match("^/.*service-role/.*", r.get("Path")) is not None or re.match("^/aws-reserved/",
|
|
r.get("Path")) is not None:
|
|
continue
|
|
getRoleQuery = client.get_role(RoleName=r.get("RoleName"))
|
|
r1 = getRoleQuery.get("Role")
|
|
print("RoleName", r1.get("RoleName"), sep=": ")
|
|
print("CreateDate", r1.get("CreateDate"), sep=": ")
|
|
print("RoleLastUsed", jmespath.search("RoleLastUsed.LastUsedDate", r1), sep=": ")
|
|
if jmespath.search("RoleLastUsed.LastUsedDate", r1) is not None:
|
|
print("CustomerPolicyLastUsed", generateLastAccessed(client, r1.get("Arn"), accountId), sep=": ")
|
|
print("-" * 10)
|