Daniel Patrick

Reputation: 4340

Using AWS API: Given IAM User, Get Current Effective IAM Policy Document

I'm having a hard time finding the correct API call to answer this question: given an IAM User, what is the effective IAM Policy document governing that user?

It looks like I can accomplish the above using a combination of several API calls and concatenating the policies in the client:

  1. aws iam list-groups-for-user --user-name my-user
  2. for each returned group: aws iam list-attached-group-policies --group-name my-group
  3. aws iam list-attached-user-policies --user-name my-user
  4. Concatenate policies returned from steps 2. and 3.
  5. for each policy: aws iam get-policy --policy-arn my-policy-arn
  6. and again for each policy: aws iam get-policy-version --policy-arn my-policy-arn --version-id my-version

This is at least 5 API calls and at most an unbounded number of calls. I'm hesitant to even write this logic because it is common for a user to belong to several groups and for those groups to contain tens or hundreds of policies.

Surely there is a single API endpoint somewhere that I am missing?

Something like this: aws iam get-effective-user-policy --user-name my-user

Upvotes: 6

Views: 1038
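The six-step collection described in the question, written out as an added example (not code from the question or from AWS). It follows the question's steps (groups, attached policies, get-policy, get-policy-version), handles the Marker/IsTruncated pagination those list calls use, de-duplicates managed policies shared by several groups, and also fetches inline policies (list-user-policies/get-user-policy and list-group-policies/get-group-policy), which the question's steps would miss. The IAM client is injected, so the same function runs against boto3.client("iam") or against the constructed FakeIam stand-in below; the account id, ARNs and policy contents in the fake are made up for the example.

```python
"""Collect every identity-based policy document that applies to one IAM user.
Added example: follows the question's steps plus inline policies; the client is
injected so it works with boto3.client("iam") or the constructed FakeIam below."""
import json
from urllib.parse import quote, unquote


def _paginate(call, result_key, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination for any list_* call."""
    marker = None
    while True:
        params = dict(kwargs)
        if marker:
            params["Marker"] = marker
        page = call(**params)
        yield from page.get(result_key, [])
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def _as_document(doc):
    """Policy documents arrive as URL-encoded JSON strings or already-decoded dicts."""
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def collect_user_policy_documents(iam, user_name):
    """Return {label: document} for all managed and inline policies reaching the user."""
    docs = {}
    owners = [("user", user_name)]
    for group in _paginate(iam.list_groups_for_user, "Groups", UserName=user_name):
        owners.append(("group", group["GroupName"]))
    managed_arns = set()  # a policy attached to several groups is fetched once
    for kind, name in owners:
        if kind == "user":
            attached = _paginate(iam.list_attached_user_policies, "AttachedPolicies", UserName=name)
            inline = _paginate(iam.list_user_policies, "PolicyNames", UserName=name)
        else:
            attached = _paginate(iam.list_attached_group_policies, "AttachedPolicies", GroupName=name)
            inline = _paginate(iam.list_group_policies, "PolicyNames", GroupName=name)
        managed_arns.update(p["PolicyArn"] for p in attached)
        for policy_name in inline:
            if kind == "user":
                resp = iam.get_user_policy(UserName=name, PolicyName=policy_name)
            else:
                resp = iam.get_group_policy(GroupName=name, PolicyName=policy_name)
            docs[f"inline:{kind}/{name}/{policy_name}"] = _as_document(resp["PolicyDocument"])
    for arn in sorted(managed_arns):
        version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        version = iam.get_policy_version(PolicyArn=arn, VersionId=version_id)
        docs[arn] = _as_document(version["PolicyVersion"]["Document"])
    return docs


def merged_statements(docs):
    """Flatten the documents into one statement list, tagging each with its source."""
    out = []
    for label, doc in docs.items():
        stmts = doc.get("Statement", [])
        for s in stmts if isinstance(stmts, list) else [stmts]:
            out.append({**s, "_source": label})
    return out


class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client (sample data only)."""
    ARN = "arn:aws:iam::123456789012:policy/ReadOnlyS3"  # constructed account id / ARN
    READ_ONLY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}
    NO_DELETE = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}}
    def list_groups_for_user(self, UserName, Marker=None):  # two pages, to exercise pagination
        if Marker is None:
            return {"Groups": [{"GroupName": "devs"}], "IsTruncated": True, "Marker": "page2"}
        return {"Groups": [{"GroupName": "auditors"}], "IsTruncated": False}
    def list_attached_user_policies(self, UserName, Marker=None):
        return {"AttachedPolicies": [{"PolicyArn": self.ARN}], "IsTruncated": False}
    def list_attached_group_policies(self, GroupName, Marker=None):
        return {"AttachedPolicies": [{"PolicyArn": self.ARN}], "IsTruncated": False}
    def list_user_policies(self, UserName, Marker=None):
        return {"PolicyNames": [], "IsTruncated": False}
    def list_group_policies(self, GroupName, Marker=None):
        names = ["NoBucketDelete"] if GroupName == "auditors" else []
        return {"PolicyNames": names, "IsTruncated": False}
    def get_group_policy(self, GroupName, PolicyName):
        return {"PolicyDocument": quote(json.dumps(self.NO_DELETE))}  # URL-encoded, as the API returns it
    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": "v3"}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": self.READ_ONLY}}


if __name__ == "__main__":
    for s in merged_statements(collect_user_policy_documents(FakeIam(), "my-user")):
        print(json.dumps(s))
```

Against a real account, pass `boto3.client("iam")` instead of `FakeIam()`; the caller needs read permissions on the user, its groups and the policies involved. The merged list is still only the identity-based half of the picture: permissions boundaries, SCPs, resource-based and session policies are not in it.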

Answers (4)

Jonny

Reputation: 872

This isn't really supported in AWS, as the actions an IAM principal can perform are distributed across AWS; they're not stored in any one place. Access decisions are applied when requests are made, and so you should think of IAM policies in terms of a request being made.

When AWS APIs receive a request, this is what kicks in at a high level to determine whether the call is authorised:

  • Identity-based policies (policies attached to the user, their groups or their role)
  • Resource-based policies (policies attached to the resource the user is requesting; e.g. an S3 bucket or EC2 instance)
  • IAM permissions boundaries
  • Service Control Policies (SCPs) (defined via AWS Organisations)
  • Session policies (which apply when a session is created via temporary credentials and AssumeRole)

Each of the above needs to Allow the action for the user to be granted access.

So, you see, the actual access that is granted is spread across quite a few places. That list above is only for a single account, too. Cross-account access is even more distributed.

If you're only interested in identity-based policies, then the API calls you're making cover it; however, any of the others could have Deny effects that prevent the action even if the identity-based policies allow it, so you'd only be getting a partial picture.

Depending on what you're using this for I'd try not to get a complete picture of a user's access ahead of time, as you are essentially going to be querying every single AWS service for every user. The exception to this is security auditing, in which case there are a slew of tools that will try to do this for you, but be warned: IAM is a complex beast and auditing it is a tricky problem.

Upvotes: 2

Oscar De León

Reputation: 300

There doesn't have to be one effective user policy. Actually the policy being applied is the sum of all policies assigned to that IAM user either directly or via groups. It may or may not be one single policy document depending on your actual use case.

Please, remember that if there's a conflict between one rule allowing an action and another rule denying it, the deny rule will win.

You could simulate if a user is able to perform a certain action in the IAM console.

Upvotes: 1
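A small model of the evaluation order the two answers above describe (Jonny's layered list, and Oscar's point that a Deny beats an Allow), as an added example that is not code from either answer or from AWS. Each layer (identity policies, permissions boundary, SCPs, resource policy, session policy) is a list of statements; an explicit Deny in any layer wins, otherwise every layer in play must Allow. Only Effect, Action, NotAction and Resource are modelled; Condition, NotResource and the special treatment of same-account resource-based policies are not, so this is an illustration of the rule, not a replacement for the IAM simulator. The layer contents and ARNs are constructed.

```python
"""Layered IAM evaluation model (explicit Deny wins; every layer in play must Allow).
Added example: illustrates the answers above, does not model Condition/NotResource."""
import re


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource cover this request."""
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions and not any(_glob(a, action, True) for a in actions):  # action names are case-insensitive
        return False
    if not_actions and any(_glob(a, action, True) for a in not_actions):
        return False
    resources = _as_list(stmt.get("Resource"))
    return not resources or any(_glob(r, resource) for r in resources)


def _layer_decision(statements, action, resource):
    """Decision of one layer: explicitDeny beats allowed, which beats implicitDeny."""
    decision = "implicitDeny"
    for stmt in statements:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicitDeny"  # a matching Deny ends the layer evaluation
        if stmt.get("Effect") == "Allow":
            decision = "allowed"
    return decision


def evaluate(action, resource, layers):
    """layers maps a layer name (identity, boundary, scp, resource, session) to its
    statement list; a layer set to None is not in play (e.g. no boundary attached).
    Returns (overall decision, per-layer decisions)."""
    decisions = {name: _layer_decision(stmts, action, resource)
                 for name, stmts in layers.items() if stmts is not None}
    if any(d == "explicitDeny" for d in decisions.values()):
        return "explicitDeny", decisions
    if decisions and all(d == "allowed" for d in decisions.values()):
        return "allowed", decisions
    return "implicitDeny", decisions


# Constructed sample layers: broad identity grant, narrower boundary, SCP with one Deny.
IDENTITY = [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
BOUNDARY = [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]
SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*"},
       {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]
LAYERS = {"identity": IDENTITY, "boundary": BOUNDARY, "scp": SCP, "session": None}
OBJECT_ARN = "arn:aws:s3:::example-logs/2024/app.log"  # constructed


def demo():
    """Overall decision for three requests against the sample layers."""
    return {a: evaluate(a, OBJECT_ARN, LAYERS)[0]
            for a in ("s3:GetObject", "s3:PutObject", "s3:DeleteBucket")}


if __name__ == "__main__":
    for action, decision in demo().items():
        print(f"{action:18} -> {decision}")
```

With the sample layers, s3:GetObject is allowed everywhere, s3:PutObject is implicitly denied because the boundary never allows it (even though the identity policy does), and s3:DeleteBucket is explicitly denied by the SCP. The per-layer dictionary returned alongside the decision is what you want to surface in an audit: it tells you which layer blocked a request, which the question's concatenated policy document alone cannot.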

f7o

Reputation: 663

I have no insight into your use case, but from my experience most use cases can be reversed: in order to check whether policies are compliant, check if users have critical permissions, ... It might not be applicable in your case, but I still like to share it.

In order to check those things, one could use AWS Config to evaluate if a user has permission to call a certain set of actions. This can be done using the AWS IAM policy simulator API.

https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html

Upvotes: 1
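The "does this user have any critical permission?" check that the answer describes, done through the SimulatePrincipalPolicy API it links to, as an added example (not code from the answer or from AWS). The function keys on the real response fields (EvaluationResults, EvalActionName, EvalDecision, MissingContextValues, IsTruncated, Marker) and follows pagination; results for which the simulator reports missing context keys are flagged as inconclusive rather than trusted. The client is injected so it runs against boto3.client("iam") or against the constructed FakeIam below; the critical-action list, principal ARN and fake responses are made up for the example.

```python
"""Audit a principal's access to a set of critical actions with iam:SimulatePrincipalPolicy.
Added example: the client is injected; FakeIam below is a constructed stand-in."""

# Example set of actions an audit might treat as critical (constructed for illustration).
CRITICAL_ACTIONS = ["iam:CreateAccessKey", "iam:AttachUserPolicy", "s3:DeleteBucket"]


def simulate(iam, principal_arn, actions, resource_arns=None):
    """Return {action: decision}. Decisions are the API's allowed / explicitDeny /
    implicitDeny, or 'inconclusive' when the simulator lacked condition-context values."""
    results, marker = {}, None
    while True:
        params = {"PolicySourceArn": principal_arn, "ActionNames": list(actions)}
        if resource_arns:
            params["ResourceArns"] = list(resource_arns)
        if marker:
            params["Marker"] = marker
        page = iam.simulate_principal_policy(**params)
        for r in page["EvaluationResults"]:
            decision = r["EvalDecision"]
            if r.get("MissingContextValues"):  # e.g. an MFA condition the simulator could not resolve
                decision = "inconclusive"
            results[r["EvalActionName"]] = decision
        if not page.get("IsTruncated"):
            return results
        marker = page["Marker"]


def needs_attention(results):
    """Split simulator results into actions the principal can perform and ones to review by hand."""
    return {"allowed": sorted(a for a, d in results.items() if d == "allowed"),
            "inconclusive": sorted(a for a, d in results.items() if d == "inconclusive")}


def audit(iam, principal_arn, actions=CRITICAL_ACTIONS):
    results = simulate(iam, principal_arn, actions)
    return results, needs_attention(results)


class FakeIam:
    """Constructed stand-in for the boto3 IAM client: two pages, one result with a missing context key."""
    PAGES = [
        {"EvaluationResults": [
            {"EvalActionName": "iam:CreateAccessKey", "EvalResourceName": "*", "EvalDecision": "allowed"},
            {"EvalActionName": "iam:AttachUserPolicy", "EvalResourceName": "*", "EvalDecision": "explicitDeny"}],
         "IsTruncated": True, "Marker": "next"},
        {"EvaluationResults": [
            {"EvalActionName": "s3:DeleteBucket", "EvalResourceName": "*", "EvalDecision": "allowed",
             "MissingContextValues": ["aws:MultiFactorAuthPresent"]}],
         "IsTruncated": False},
    ]

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, ResourceArns=None, Marker=None):
        return self.PAGES[1 if Marker else 0]


if __name__ == "__main__":
    results, flagged = audit(FakeIam(), "arn:aws:iam::123456789012:user/my-user")  # constructed ARN
    for action, decision in results.items():
        print(f"{action:22} {decision}")
    print("review:", flagged)
```

With a real client the caller needs permission to call iam:SimulatePrincipalPolicy for the principal in question, and should pass the real resource ARNs and context entries (the API's ContextEntries parameter) for any condition keys its policies use, otherwise the inconclusive bucket grows. The same function can back an AWS Config custom rule, which is the compliance use the answer has in mind.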

Jim Mulvey

Reputation: 537

If you are only interested in permissions for certain AWS services, you might also consider using the command below. However, I don't think you're going to find a "one stop shop" to get all the permissions in one API call.

aws iam list-policies-granting-service-access

Upvotes: 1
