AWS grants access to its services based on the policies assigned to the users. There are identity-based policies (such as policies for users) and resource-based policies (such as S3 bucket policies).

The effective permission for a user is computed based on:

  • Inline policies and policies directly attached to the user.
  • The policies of the groups the user belongs to.
  • The permission boundary policy attached to the user.
  • Service control policies (SCPs) attached to the account (or its Organizational Unit, OU) if the user's AWS account is part of an AWS organization.
  • Resource control policies (RCPs) attached to the Organizational Unit.
  • The policies attached directly to resources (such as S3 bucket policies).

Here is a program (API link below) that computes the effective user policy based on the above criteria. The output is a JSON response.

Please note the following important points:

  • “Conditions” in policies are not included.
  • Session policies are not included in evaluation.
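As an added illustration (not the code behind the API above), the following Python evaluator applies the criteria listed earlier with the same two omissions: no Conditions and no session policies. It uses a simplified model in which every guardrail present (permission boundary, each SCP, each RCP) must allow an action and an explicit Deny anywhere wins; the policy documents, `is_allowed` and `effective_actions` are constructed for this example.

```python
import fnmatch

def _match(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _decision(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or None (no matching statement).
    Condition, NotAction and NotResource are ignored, as in the API described on this page."""
    result = None
    for st in policy.get("Statement", []):
        if _match(st.get("Action", []), action, fold_case=True) and _match(st.get("Resource", "*"), resource):
            if st.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow in the same document
            result = "Allow"
    return result

def is_allowed(action, resource, identity_policies=(), resource_policies=(), permission_boundary=None, scps=(), rcps=()):
    """Simplified evaluation (no Conditions, no session policies):
    1. an explicit Deny in any policy wins;
    2. every guardrail present (permission boundary, each SCP, each RCP) must Allow, else implicit deny;
    3. some identity-based policy (user inline/attached or group) or resource policy must Allow."""
    grants = [_decision(p, action, resource) for p in [*identity_policies, *resource_policies]]
    boundary = [permission_boundary] if permission_boundary else []
    guardrails = [_decision(p, action, resource) for p in [*boundary, *scps, *rcps]]
    if "Deny" in grants or "Deny" in guardrails:
        return False
    if any(d != "Allow" for d in guardrails):
        return False
    return "Allow" in grants

def effective_actions(candidates, resource, **policies):
    """Subset of the candidate actions the user may perform on `resource`."""
    return sorted(a for a in candidates if is_allowed(a, resource, **policies))

# Constructed sample policies (not real account data).
USER_INLINE = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}
GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "iam:ListUsers", "s3:DeleteBucket"], "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}  # caps the user at S3
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}  # org-wide guardrail
POLICIES = dict(identity_policies=[USER_INLINE, GROUP_POLICY], permission_boundary=BOUNDARY, scps=[SCP])
CANDIDATES = ["s3:GetObject", "s3:PutObject", "s3:ListAllMyBuckets", "iam:ListUsers", "s3:DeleteBucket"]

if __name__ == "__main__":
    # iam:ListUsers is cut by the boundary, s3:DeleteBucket by the SCP, s3:PutObject has no grant
    print(effective_actions(CANDIDATES, "arn:aws:s3:::app-logs/2024/app.log", **POLICIES))
```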

Endpoint to send the request to: https://api.ramana.tech/aws/user-effective-permissions

HTTP method: POST

Content-type: application/json

A sample JSON request body (queryUser is the user for whom you want the effective policy):

{
  "queryUser": "test_user",
  "region": "us-east-1",
  "accessId": "aaaaaaaaaaaa",
  "secretKey": "bbbbbbbbbbbbbbb"
}

In the above sample request body, accessId and secretKey belong to a different user (the 'privileged user') who has the required policy attached; they are not the credentials of the queryUser. A sample policy is given below.

  • Attach a policy with the required permissions to the 'privileged user' (a sample policy is given below).
  • In addition to that policy (attached to the privileged user), if your AWS account is a member of an organization:
    • Your org admin (management account) should attach a policy under the 'Delegated Administrator' section of Organizations (AWS console page) -> Settings: the 'Delegated policy'. A sample is given below.

Also note:

    • The credentials mentioned in your API request are not stored/logged anywhere.
    • It can take several minutes to compute the response, depending on the number of policies.

Let me know your comments!!!!

In the sample below, replace AWS_ACCOUNT_ID (and REGION) with your own values. This grants read-only access to the 'privileged user'.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicy",
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListGroupPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListUserPolicies",
        "iam:GetGroupPolicy",
        "iam:GetUser",
        "iam:ListGroups",
        "iam:GetPolicyVersion",
        "iam:ListPolicies",
        "iam:ListPolicyVersions",
        "s3:GetBucketPolicy",
        "s3:ListAllMyBuckets",
        "sqs:ListQueues",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:group/*",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/*",
        "arn:aws:iam::AWS_ACCOUNT_ID:policy/*",
        "arn:aws:iam::aws:policy/*",
        "arn:aws:s3:::*",
        "arn:aws:sqs:REGION:AWS_ACCOUNT_ID:*"
      ]
    },
    {
      "Sid": "LambdaPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetPolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "OrgPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribePolicy",
        "organizations:ListPoliciesForTarget",
        "organizations:ListParents"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Sample 'Delegated policy' (to be attached by the org management account under Delegated Administrator). Replace AWS_ACCOUNT_ID with the id of your member account, the account the 'privileged user' belongs to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_ID:root"
      },
      "Action": [
        "organizations:List*",
        "organizations:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
