@cloud-copilot/iam-collect v0.1.82 • Published 4 months ago

License: AGPL-3.0-or-later
Repository: github
Last release: 4 months ago

iam-collect


Get every possible policy in any set of AWS accounts. This is built to run out of the box in simple use cases, and also work in terribly oppressive environments with a little more configuration. If you want to analyze IAM data at scale this is what you've been looking for.

Table of Contents

  1. Tenets
  2. Introduction
  3. Getting Started
  4. Configuration
  5. Authentication
  6. Storage
  7. Filtering
  8. Indexing
  9. CLI
  10. History
  11. Supported Services and Data

iam-collect Tenets

  1. Centralized: Store all your data across all partitions, organizations, accounts, and regions in one place. This is a single source of truth for all your IAM data.
  2. Easy: A few commands and you can get started and everything should just work. If resources no longer exist, data is cleaned up automatically.
  3. Configurable: Store your data on disk or in S3. You can configure exactly what accounts, regions, and services you want to collect data for, and customize auth for each.

Introduction

What is iam-collect?

iam-collect is a command-line tool that aggregates every IAM-related resource and policy across any number of AWS accounts, regions, and partitions into a single, consistent dataset. It requires minimal setup for simple use cases and allows flexible configuration to operate in even the most restrictive (compliance oriented) environments to give you a single source of truth for your IAM data.

Why use it?

  • Centralized store: Consolidate IAM data from multiple partitions, organizations, and accounts into one structured store.
  • Get everything: Collect all the policies from all the resources in all your accounts. Terraform will show you what was intended; iam-collect will show you what is actually there.
  • Audit and compliance: Generate comprehensive snapshots of your IAM landscape to support security reviews, audits, and forensics. The structured approach to storage makes it easy to build automation and tooling around the data.

How it works at a glance

Every time you run iam-collect download it will:

  1. Scan: Connect to AWS account(s) using your configured credentials or roles and retrieve IAM resources (users, roles, policies, etc.) from each target account.
  2. Store: Persist the data to your chosen storage (local filesystem or S3), organizing it by partition, account, service, and resource.
  3. Index: Build search-friendly JSON indexes that map resources to accounts and other relationships for fast lookups.

Then you use the data to analyze your IAM landscape, build reports, or integrate with other tools.
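One way to use the downloaded data, as an added example that is not part of iam-collect: walk the storage directory, pull out every policy document, and report Allow statements open to any principal. It assumes only that policies are stored as JSON (either objects or JSON-encoded strings) somewhere under the storage path and that a "Statement" key marks a policy document; the directory layout, account id, resource names and the functions below are constructed for the example and are not iam-collect's real on-disk format.

```python
"""Added example (not part of iam-collect): audit a downloaded iam-data tree
for Allow statements open to any principal.

Assumption: policies live as JSON documents (objects or JSON-encoded strings)
somewhere under the storage path; only the presence of a "Statement" key
identifies a policy, so the exact directory layout does not matter."""
import json
import tempfile
from pathlib import Path
from typing import Any, Iterator


def _policies_in(node: Any) -> Iterator[dict]:
    """Recursively yield every policy document embedded in a parsed JSON value."""
    if isinstance(node, str) and node.lstrip().startswith("{"):
        try:
            node = json.loads(node)  # some policies are stored as JSON strings
        except json.JSONDecodeError:
            return
    if isinstance(node, dict):
        if "Statement" in node:
            yield node
            return  # a policy's own statements are not nested policies
        for value in node.values():
            yield from _policies_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from _policies_in(item)


def iter_policy_documents(root: Path) -> Iterator[tuple[Path, dict]]:
    """Yield (file, policy) for every policy document in every JSON file under root."""
    for path in sorted(root.rglob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # skip unreadable or non-JSON files rather than abort the audit
        for policy in _policies_in(data):
            yield path, policy


def is_public_principal(principal: Any) -> bool:
    """True when a Principal element matches every AWS caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_allow_statements(root: Path) -> list[dict]:
    """Return one finding per Allow statement whose Principal is public.

    A statement with a Condition block is still reported, flagged as conditional:
    conditions such as aws:SourceArn often close the hole, but that needs a
    human look rather than a free pass."""
    findings = []
    for path, policy in iter_policy_documents(root):
        statements = policy["Statement"]
        if isinstance(statements, dict):
            statements = [statements]  # single-statement shorthand
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
                continue
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "sid": stmt.get("Sid"),
                "action": stmt.get("Action"),
                "conditional": bool(stmt.get("Condition")),
            })
    return findings


def build_sample_tree(base: Path) -> Path:
    """Write a small constructed dataset. The paths imitate a partition/account/
    service layout but are an assumption, not iam-collect's real format."""
    root = base / "iam-data"
    samples = {
        "aws/111111111111/s3/buckets/public-assets.json": {
            "name": "public-assets",
            "policy": {"Version": "2012-10-17", "Statement": [{
                "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-assets/*"}]},
        },
        "aws/111111111111/sqs/queues/ingest.json": {
            "name": "ingest",
            "policy": json.dumps({"Statement": [{  # stored as a JSON string
                "Sid": "SnsDelivery", "Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": "sqs:SendMessage",
                "Resource": "arn:aws:sqs:us-east-1:111111111111:ingest",
                "Condition": {"ArnEquals": {
                    "aws:SourceArn": "arn:aws:sns:us-east-1:111111111111:events"}}}]}),
        },
        "aws/111111111111/iam/roles/app.json": {
            "name": "app",
            "trustPolicy": {"Statement": {"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}},
        },
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(content), encoding="utf-8")
    return root


def run_on_sample() -> list[dict]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_public_allow_statements(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for finding in run_on_sample():
        print(finding)
```

Against a real download, call find_public_allow_statements(Path("./iam-data")) instead of the constructed tree; the walker does not depend on the layout, so the same check covers bucket, queue, topic, key and trust policies alike, and the conditional flag separates the "anyone can read this" cases from the "anyone, provided aws:SourceArn matches" cases that usually turn out to be fine.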

Getting Started

By default, iam-collect will use the credentials configured in your environment via the default credential chain. If those credentials carry the permissions listed under the CollectIAMData SID in the example policy, everything will work for the account the credentials belong to.

You don't need the AWS CLI, but a good way to make sure your credentials are configured is to ensure you can run aws sts get-caller-identity and a command that requires a region be set such as aws ec2 describe-instances.

npm install -g @cloud-copilot/iam-collect
# Create a default configuration file
iam-collect init
# Download iam data from the current account to `./iam-data`
iam-collect download

Install

You need Node.js >= 20.

npm install -g @cloud-copilot/iam-collect

Initialize

iam-collect init

This will create a file called iam-collect.jsonc in the current directory with a simple default configuration and many comments on how to customize the configuration.

Download

iam-collect download

This will download the IAM data from the current account to the ./iam-data directory. You can change the output directory by modifying the storage.path property in the configuration. See the storage docs for more details.

Enjoy

ls -R ./iam-data

This will show you your data that was downloaded. See the storage docs for more details on the layout of the data.

Additional Docs

  • Configuration - Set the configuration files to use.
  • Authentication - Configure authentication for different accounts, services, and regions.
  • Storage - Configure where your data is stored.
  • Filtering - Configure what accounts, services, and regions are downloaded.
  • Indexing - Disable or manually run indexing.
  • CLI - Details on the CLI commands and options.
  • History - How to track history of changes.

Supported Services and Data

Service | Resource Type | Data Downloaded
iam | Users | name, path, id, groups, tags, inline policies, managed policies, permission boundary
iam | Groups | name, path, id, inline policies, managed policies
iam | Roles | name, path, id, trust policy, inline policies, managed policies, instance profiles, tags, permission boundary
iam | Customer and AWS Managed Policies | name, path, id, default version, default version doc, tags
iam | OIDC Providers | arn, audiences, thumbprints, url, tags
iam | SAML Providers | arn, metadata document, uuid, private keys, valid until, tags
iam | Instance Profiles | arn, name, roles, id, path, tags
apigateway | Rest APIs | id, name, policy, tags
backup | Backup Vaults | name, key arn, tags, policy
dynamodb | Streams | name, arn, region, resource policy
dynamodb | Tables | name, arn, region, tags, resource policy
ecr | Repositories | name, arn, region, tags, resource policy, key id
ecr | Registries | policy
ec2 | VPC Endpoints | id, name, type, vpc, policy
elasticfilesystem | File Systems | name, id, key, encryption, tags, policy
glacier | Vaults | name, arn, region, tags, policy
glue | Root Catalogs | policy
kms | Keys | id, policy, tags
lambda | Functions | name, role, tags, policy
lambda | Layer Versions | name, arn, version, policy
ram | Shared Resources | arn, resource shares, resource policy
s3 | Access Points | name, bucket, bucket account, policy, block public access configuration, network origin, vpc, alias, endpoints
s3 | Buckets | name, region, tags, policy, block public access configuration, default encryption
s3 | Multi Region Access Points | name, alias, regions, policy, block public access configuration
s3express | Directory Buckets | name, encryption settings, policy
s3outposts | Outpost Buckets | name, region, tags, policy
s3outposts | Outpost Access Points | name, bucket, bucket account, policy, network origin, vpc
s3tables | Table Buckets | name, region, bucket policy, encryption
organizations | Organizations | id, arn, root account id, enabled policy types, org structure
organizations | Organizational Units | id, arn, parent ou, enabled SCPs, enabled RCPs, tags
organizations | Accounts | id, arn, parent ou, enabled SCPs, enabled RCPs, tags
organizations | SCPs, RCPs | id, arn, name, description, tags, policy
sns | Topics | name, arn, tags, kms key id, policy
sqs | Queues | name, arn, tags, kms key id, policy
sso | Instances | id, arn, name, owner account id, status, tags
sso | Permission Sets | name, description, AWS managed policies, customer managed policies, inline policy, permission boundary, accounts, tags

If you don't see the data you are looking for, please check the open resource issues and comment on the issue or create a new one.
