duo-labs/cloudmapper

Have command to output all IAM policies for a principal

Open

#500 opened on Aug 1, 2019

View on GitHub
 (1 comment) (0 reactions) (0 assignees)JavaScript (5,670 stars) (789 forks)batch import
enhancementgood first issue

Description

find_admins can find specific privileges, but once identified, you'll want to get better insight into it. You'll want to see all of the policies applied to that principal, across their inline policies, managed policies, and those associated with groups. I should have a command to dump the IAM policies of a principal as json, with references to where these policies came from.

Contributor guide

Tech stack
pythonaws
Domain
backendcloudsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
AWS IAM knowledgePython programmingFamiliarity with cloudmapper codebase
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate the existing 'find admins' command as a model for implementing a new command to dump IAM policies. Look at how cloudmapper currently uses AWS SDK (boto3) to list and get IAM policies. The command should output JSON with policy details and their sources (inline, managed, group). Consider adding a new module similar to 'commands/find admins.py' and a corresponding entry in 'cloudmapper.py'. The issue has one comment that suggests this is a requested feature; ensure the implementation follows the same pattern as other commands.