aws.iam package

Submodules

aws.iam.helpers module

aws.iam.helpers.user_is_inactive(iam_user, no_activity_since, created_after)[source]
Returns False if any of these are true:
  • The user was created after the passed-in “created_after” datetime.

  • The user has used either of the two (potentially active) access keys since the “no_activity_since” date.

  • The user has logged into the AWS console (password use) since the “no_activity_since” date.

Otherwise it returns True.

>>> from datetime import datetime
>>> no_activity_since = datetime(2017, 1, 1)
>>> created_after = datetime(2018, 1, 8)

User considered active due to being created after the created_after datetime.
>>> user_is_inactive({'user_creation_time': '2018-01-10'}, no_activity_since, created_after)
False

User considered active due to usage of access key 1 after no_activity_since.
>>> user_is_inactive({
...     'user_creation_time': '2016-01-10',
...     'access_key_1_active': 'true',
...     'access_key_1_last_used_date': '2017-06-01',
... }, no_activity_since, created_after)
False

User considered active due to usage of access key 2 after no_activity_since.
>>> user_is_inactive({
...     'user_creation_time': '2010-01-10',
...     'access_key_1_active': 'true',
...     'access_key_1_last_used_date': '2014-06-01',
...     'access_key_2_active': 'true',
...     'access_key_2_last_used_date': '2017-02-01',
... }, no_activity_since, created_after)
False

User considered active due to usage of the password after no_activity_since.
>>> user_is_inactive({
...     'user_creation_time': '2010-01-10',
...     'access_key_1_active': 'true',
...     'access_key_1_last_used_date': '2014-06-01',
...     'access_key_2_active': 'false',
...     'access_key_2_last_used_date': 'N/A',
...     'password_enabled': 'true',
...     'password_last_used': '2017-09-01',
... }, no_activity_since, created_after)
False

User considered inactive: the only usage (access key 1) was before no_activity_since and the user was created before created_after.
>>> user_is_inactive({
...     'user_creation_time': '2016-01-10',
...     'access_key_1_active': 'true',
...     'access_key_1_last_used_date': '2016-06-01',
...     'access_key_2_active': 'false',
...     'access_key_2_last_used_date': 'N/A',
...     'password_enabled': 'false',
...     'password_last_used': 'N/A',
... }, no_activity_since, created_after)
True

User considered inactive: the only usage (password) was before no_activity_since and the user was created before created_after.
>>> user_is_inactive({
...     'user_creation_time': '2016-01-10',
...     'access_key_1_active': 'false',
...     'access_key_1_last_used_date': 'N/A',
...     'access_key_2_active': 'false',
...     'access_key_2_last_used_date': 'N/A',
...     'password_enabled': 'true',
...     'password_last_used': '2016-06-01',
... }, no_activity_since, created_after)
True
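The three inactivity rules above, as an added example that is not the aws.iam package's own code: an independent implementation applied to rows of an IAM credential report, which is where the user_creation_time / access_key_N_active / access_key_N_last_used_date / password_enabled / password_last_used columns used in the doctests come from. The CSV text is constructed (a subset of the real report's columns), and the parse_report_date, inactive_users, NO_ACTIVITY_SINCE and CREATED_AFTER names are this example's own.

```python
# Added example, not the aws.iam package's code: inactivity rules applied to
# credential-report rows. Column names follow the credential report; the CSV
# text below is constructed.
import csv
import io
from datetime import datetime

# Constructed sample report (three users). "N/A" and "no_information" are the
# placeholders the report uses for a credential that has never been used.
SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,2016-01-10T10:00:00+00:00,true,2017-09-01T08:00:00+00:00,false,N/A,false,N/A
bob,2016-01-10T10:00:00+00:00,false,N/A,true,2016-06-01T08:00:00+00:00,false,N/A
carol,2018-01-10T10:00:00+00:00,true,no_information,true,N/A,false,N/A
"""

# Same cutoffs as the doctests above.
NO_ACTIVITY_SINCE = datetime(2017, 1, 1)
CREATED_AFTER = datetime(2018, 1, 8)


def parse_report_date(value):
    """Parse a credential-report timestamp; None for the report's 'never used' placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    # The report uses ISO 8601 with a UTC offset; drop tzinfo so the value
    # compares with the naive cutoff datetimes used above.
    return datetime.fromisoformat(value).replace(tzinfo=None)


def is_credential_active(credential_active, credential_last_used, no_activity_since):
    """True if the credential is enabled and was last used on or after no_activity_since."""
    if credential_active != "true":
        return False
    last_used = parse_report_date(credential_last_used)
    return last_used is not None and last_used >= no_activity_since


def user_is_inactive(row, no_activity_since, created_after):
    """Apply the three rules: recent creation, recent key use, recent console login."""
    created = parse_report_date(row["user_creation_time"])
    if created is not None and created > created_after:
        return False          # too new to judge: treated as active
    for n in ("1", "2"):
        if is_credential_active(row.get(f"access_key_{n}_active", "false"),
                                row.get(f"access_key_{n}_last_used_date", "N/A"),
                                no_activity_since):
            return False
    if is_credential_active(row.get("password_enabled", "false"),
                            row.get("password_last_used", "N/A"),
                            no_activity_since):
        return False
    return True


def inactive_users(report_csv, no_activity_since, created_after):
    """Names of the users in a credential report that are inactive under the rules."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows if user_is_inactive(r, no_activity_since, created_after)]


if __name__ == "__main__":
    # bob: created 2016, key 1 last used 2016-06-01, no password -> inactive
    print(inactive_users(SAMPLE_REPORT, NO_ACTIVITY_SINCE, CREATED_AFTER))
```

The created_after rule exists so that a freshly created user, who has had no chance to use anything yet, is not flagged; the placeholders are mapped to None rather than parsed so that a "never used" credential can never count as recent use.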

aws.iam.helpers.is_credential_active(credential_active, credential_last_used)[source]
aws.iam.helpers.is_access_key_expired(iam_access_key, access_key_expiration_date)[source]

Compares the CreateDate of the access key with the datetime object passed in as access_key_expiration_date and returns True if the CreateDate is before the access_key_expiration_date datetime object.

Returns False if the key's Status is not Active: such a key may be past the expiration date, but it cannot be used, so it is not reported as expired.

>>> from datetime import datetime
>>> access_key_expiration_date = datetime(2018, 1, 8)
>>> is_access_key_expired({'Status': 'Inactive'}, access_key_expiration_date)
False
>>> is_access_key_expired({'Status': 'Active', 'CreateDate': datetime(2018, 1, 9)}, access_key_expiration_date)
False
>>> is_access_key_expired({'Status': 'Active', 'CreateDate': datetime(2020, 1, 9)}, access_key_expiration_date)
False
>>> is_access_key_expired({'Status': 'Active', 'CreateDate': datetime(2018, 1, 7)}, access_key_expiration_date)
True
>>> is_access_key_expired({'Status': 'Active', 'CreateDate': datetime(2000, 1, 9)}, access_key_expiration_date)
True
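The expiry rule just described, as an added example rather than the aws.iam package's own implementation: it applies the same status-then-CreateDate check to access-key metadata in the shape returned by IAM list_access_keys (AccessKeyMetadata entries with UserName, AccessKeyId, Status and CreateDate) and derives the expiration cutoff from a maximum key age. The SAMPLE_KEYS data, the placeholder AccessKeyId values, and the _as_utc and expired_access_keys names are this example's assumptions.

```python
# Added example, not the aws.iam package's code: access-key expiry check over
# list_access_keys-shaped metadata. The key metadata below is constructed and
# the AccessKeyId values are placeholders.
from datetime import datetime, timedelta, timezone


def _as_utc(value):
    """Attach UTC to a naive datetime, convert an aware one to UTC."""
    if value.tzinfo is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def is_access_key_expired(iam_access_key, access_key_expiration_date):
    """True only for an Active key whose CreateDate is before the expiration cutoff.

    An Inactive key is reported as not expired: it cannot be used, so it is not
    a finding for this check (a disabled-but-present key is a separate concern).
    """
    if iam_access_key.get("Status") != "Active":
        return False
    # boto3 returns timezone-aware datetimes; comparing an aware CreateDate with
    # a naive cutoff raises TypeError, so both sides are normalised to UTC.
    return _as_utc(iam_access_key["CreateDate"]) < _as_utc(access_key_expiration_date)


def expired_access_keys(access_key_metadata, max_age_days, now=None):
    """(UserName, AccessKeyId) for every active key created more than max_age_days ago."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [(k["UserName"], k["AccessKeyId"])
            for k in access_key_metadata
            if is_access_key_expired(k, cutoff)]


# Constructed sample in list_access_keys shape; AccessKeyId values are placeholders.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2017, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Inactive",
     "CreateDate": datetime(2015, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": datetime(2018, 1, 9, tzinfo=timezone.utc)},
]
# Fixed "now" so the example is reproducible: 90 days before this is 2018-01-08.
SAMPLE_NOW = datetime(2018, 4, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Only alice's active 2017 key is older than 90 days; her 2015 key is Inactive.
    print(expired_access_keys(SAMPLE_KEYS, 90, SAMPLE_NOW))
```

The cutoff is computed from a fixed SAMPLE_NOW here only to keep the output reproducible; in a scheduled check you would leave now=None so the cutoff moves with the clock.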
aws.iam.helpers.get_iam_user_name(login)[source]
aws.iam.helpers.get_iam_resource_id(resource)[source]

aws.iam.resources module

aws.iam.resources.iam_users()[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_users

aws.iam.resources.iam_admin_users()[source]
aws.iam.resources.iam_inline_policies(username)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_user_policies

aws.iam.resources.iam_managed_policies(username)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_attached_user_policies

aws.iam.resources.iam_user_groups(username)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_groups_for_user

aws.iam.resources.iam_user_group_inline_policies(username)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_group_policies

aws.iam.resources.iam_user_group_managed_policies(username)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_attached_group_policies

aws.iam.resources.iam_all_user_policies(username)[source]
Gets all policies that can be attached to a user. This includes:
  • Inline policies on the user

  • Managed policies on the user

  • Inline policies on the group that the user is in

  • Managed policies on the group that the user is in

The inline-policy API calls return only the name of each policy, so each inline policy is wrapped in a single-key dictionary ({'PolicyName': policy_name}) to give it the same PolicyName access as a managed policy record.
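The aggregation described above, as an added example that is not the aws.iam package's own code: it collects the four policy sources for a user from responses shaped like the IAM list_user_policies, list_attached_user_policies, list_groups_for_user, list_group_policies and list_attached_group_policies calls, wrapping inline policy names the same way. The FakeIAM class, its data and the all_user_policies / policy_names names are constructed stand-ins for a boto3 IAM client, not the package's resources.

```python
# Added example, not the aws.iam package's code: union of a user's own and
# group-inherited policies. FakeIAM is a constructed stand-in for a boto3 IAM
# client that returns the documented response shapes in a single page.


class FakeIAM:
    """Constructed stand-in; the real list_* calls are paginated, this one is not."""

    def __init__(self, users, groups):
        self._users = users    # username -> {"inline": [...], "managed": [...], "groups": [...]}
        self._groups = groups  # groupname -> {"inline": [...], "managed": [...]}

    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self._users[UserName]["inline"])}

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": list(self._users[UserName]["managed"])}

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self._users[UserName]["groups"]]}

    def list_group_policies(self, GroupName):
        return {"PolicyNames": list(self._groups[GroupName]["inline"])}

    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": list(self._groups[GroupName]["managed"])}


def _inline(names):
    # Inline policy calls return only names; wrap each so every record exposes
    # 'PolicyName' the way attached (managed) policy records do.
    return [{"PolicyName": name} for name in names]


def all_user_policies(iam, username):
    """Inline and managed policies on the user, then on each group the user belongs to."""
    policies = _inline(iam.list_user_policies(UserName=username)["PolicyNames"])
    policies += iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]
    for group in iam.list_groups_for_user(UserName=username)["Groups"]:
        name = group["GroupName"]
        policies += _inline(iam.list_group_policies(GroupName=name)["PolicyNames"])
        policies += iam.list_attached_group_policies(GroupName=name)["AttachedPolicies"]
    return policies


def policy_names(iam, username):
    """Sorted, de-duplicated policy names that apply to the user."""
    return sorted({p["PolicyName"] for p in all_user_policies(iam, username)})


ARN_PREFIX = "arn:aws:iam::aws:policy/"  # AWS-managed policy ARN prefix

# Constructed sample: alice's own policies are read-only, but one of her groups
# attaches AdministratorAccess, and ReadOnlyAccess reaches her twice.
SAMPLE_IAM = FakeIAM(
    users={"alice": {
        "inline": ["s3-read-bucket"],
        "managed": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": ARN_PREFIX + "ReadOnlyAccess"}],
        "groups": ["admins", "developers"]}},
    groups={
        "admins": {"inline": [],
                   "managed": [{"PolicyName": "AdministratorAccess",
                                "PolicyArn": ARN_PREFIX + "AdministratorAccess"}]},
        "developers": {"inline": ["dev-deploy"],
                       "managed": [{"PolicyName": "ReadOnlyAccess",
                                    "PolicyArn": ARN_PREFIX + "ReadOnlyAccess"}]}},
)

if __name__ == "__main__":
    print(policy_names(SAMPLE_IAM, "alice"))
```

The sample is arranged to show why the group sources matter: looking only at policies attached to the user directly would describe alice as read-only, while the union shows AdministratorAccess inherited through a group. With a real client the five list calls are paginated, so each FakeIAM method would be replaced by iterating the corresponding boto3 paginator.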

aws.iam.resources.iam_users_with_policies()[source]
aws.iam.resources.iam_users_with_policies_and_groups()[source]

Users with their associated Policies and Groups

aws.iam.resources.iam_admin_login_profiles()[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_login_profile

aws.iam.resources.iam_admin_mfa_devices()[source]

https://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_mfa_devices

aws.iam.resources.iam_user_login_profiles()[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_login_profile

aws.iam.resources.iam_user_mfa_devices()[source]

https://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_mfa_devices

aws.iam.resources.iam_login_profiles(users)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_login_profile

aws.iam.resources.iam_mfa_devices(users)[source]

https://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_mfa_devices

aws.iam.resources.iam_roles()[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_roles

aws.iam.resources.iam_all_role_policies(rolename)[source]
aws.iam.resources.iam_roles_with_policies()[source]
aws.iam.resources.iam_role_inline_policies(rolename)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_role_policies

aws.iam.resources.iam_role_managed_policies(rolename)[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_attached_role_policies

aws.iam.resources.iam_admin_roles()[source]
aws.iam.resources.iam_access_keys_for_user(username)[source]

https://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.list_access_keys

aws.iam.resources.iam_get_all_access_keys()[source]
aws.iam.resources.iam_generate_credential_report()[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.generate_credential_report

aws.iam.resources.iam_get_credential_report()[source]

http://botocore.readthedocs.io/en/latest/reference/services/iam.html#IAM.Client.get_credential_report

aws.iam.resources.iam_admin_users_with_credential_report()[source]

Returns all “admin” users with an additional “CredentialReport” key, which is a dict containing their row in the Credentials Report.

aws.iam.resources.user_is_admin(user)[source]
aws.iam.resources.get_all_users_that_can_access_aws_account()[source]

Returns users with console or API access to an AWS account.

aws.iam.test_iam_access_key_is_old module

aws.iam.test_iam_admin_user_with_access_keys module

aws.iam.test_iam_admin_user_without_mfa module

aws.iam.test_iam_cross_account_admin_roles_require_mfa module

aws.iam.test_iam_user_is_inactive module

aws.iam.test_iam_user_without_mfa module

Module contents