AWS Security Blog
A Simple Way to Export Your IAM Settings
Do you analyze, audit, or monitor your AWS Identity and Access Management (IAM) settings? If so, you will be happy to hear we’ve simplified the way you can retrieve a snapshot of your IAM settings. Today we’re making it easier for you to build tools to analyze, monitor, and audit your IAM entities (i.e., users, groups, and roles) by introducing a new API called GetAccountAuthorizationDetails.
With the GetAccountAuthorizationDetails API you can get a snapshot of your IAM entities with a single API call. Previously you had to use a combination of multiple API calls, some of which had to be called multiple times. With your IAM settings in one place you could use the output to monitor your intended IAM settings, store snapshots to understand differences in your IAM settings between points in time, and show IAM settings for auditing purposes.
The API returns details about all the users, groups, and roles in your account. Based on the entity type, it returns the following information:
- Users: User Name, User ID, User ARN, Path, Creation Date, associated groups, and the attached access control policies
- Groups: Group Name, Group ID, Group ARN, Path, Creation Date, and the attached access control policies
- Roles: Role Name, Role ID, ARN, Path, Creation Date, associated instance profiles, role trust policies, and the attached access control policies
By default, the GetAccountAuthorizationDetails API returns details for entities that can have a policy attached. You can filter the results based on the entity type. For example, if you specify {“user”, “group”}, then only details for [users and groups] are returned.
Let’s look at how this API works by walking through an example using the AWS command line.
First, you must use an IAM user that has permission to call this API. Before you grant access to this API, it is important to know that:
- It is a powerful API that enables viewing details about all the IAM users, groups, and roles in your account.
- The permissions required to call GetAccountAuthorizationDetails are independent of the permissions required to call ListUsers, GetUser, and ListUserPolicies. For example, even if a user was denied access to call ListUsers, GetUser, and ListUserPolicies they could still be granted access to call GetAccountAuthorizationDetails.
Second, you will need to set your command line credentials to an IAM user that has access to call GetAccountAuthorizationDetails. You can do this by running the commands below. In the command below don’t forget to replace the access keys with your user’s.
Linux, OS X, Unix
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Windows:
> set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
> set AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
You can use the following command to retrieve the details about your IAM entities and then save them to a JSON file (the default output format).
aws iam get-account-authorization-details > output.json
If you open output.json, you will see the details for your account. You can see an example of the output below.
Note: The policy documents were removed from this example to make it easier to read, but the actual output will include them. To see an example that includes the policy documents, visit the API reference documentation or AWS CLI reference documentation.
1. {
2. "RoleDetailList": [
3. {
4. "AssumeRolePolicyDocument": {
5. "Version": "2012-10-17",
6. "Statement": [
7. {
8. "Action": "sts:AssumeRole",
9. "Principal": {
10. "AWS": "arn:aws:iam::111111111111:root"
11. },
12. "Effect": "Allow",
13. "Sid": ""
14. }
15. ]
16. },
17. "RoleId": "EXAMPLEROLEIDXXXXXXXX",
18. "CreateDate": "2014-10-01T04:56:44Z",
19. "InstanceProfileList": [],
20. "RoleName": "S3BucketAccess",
21. "Path": "/",
22. "RolePolicyList": [
23. {
24. "PolicyName": "S3BucketAccessPolicy",
25. "PolicyDocument": {"PolicyText"}
26. }
27. ],
28. "Arn": "arn:aws:iam::111111111111:role/S3BucketAccess"
29. }
30. ],
31. "UserDetailList": [
32. {
33. "UserName": "bob",
34. "GroupList": [
35. "DevGroup"
36. ],
37. "CreateDate": "2014-12-05T00:15:38Z",
38. "UserId": "EXAMPLEUSERIDXXXXXXXX",
39. "UserPolicyList": [
40. {
41. "PolicyName": "EC2StartPolicy",
42. "PolicyDocument": {"PolicyText"}
43. },
44. {
45. "PolicyName": "S3ReadOnlyPolicy",
46. "PolicyDocument": {"PolicyText"}
47. }
48. ],
49. "Path": "/",
50. "Arn": "arn:aws:iam::111111111111:user/bob"
51. }
52. ],
53. "GroupDetailList": [
54. {
55. "GroupPolicyList": [
56. {
57. "PolicyName": "EC2StopPolicy",
58. "PolicyDocument": {"PolicyText"}
59. },
60. {
61. "PolicyName": "S3WritePolicy",
62. "PolicyDocument": {"PolicyText"}
63. }
64. ],
65. "CreateDate": "2014-12-05T00:17:33Z",
66. "GroupName": "DevGroup",
67. "Path": "/",
68. "GroupId": "EXAMPLEGROUPIDXXXXXXX",
69. "Arn": "arn:aws:iam::111111111111:group/DevGroup"
70. }
71. ],
72. "IsTruncated": false
73. }
Let’s understand what this output is telling us.
We’ll start with the role details section (line 2-30). The output contains one role called S3BucketAccess (line 20). This role has one policy attached to it which is also called S3BucketAccessPolicy.
Next, we look at the the user details (lines 31-52). From the output we can tell that this account has one user, bob (line 33). Bob has two policies attached to him: the EC2StartPolicy (line 41) and the S3ReadPolicy (line 45). We also see that bob belongs to the DevGroup (line 35).
We finish with the group details (lines 53-71). We see that this account has one DevGroup with two policies, EC2StopPolicy (line 57) and S3WritePolicy (line 61) .
If you would like to learn more please visit our API documentation. If you have questions or suggestions, please use the AWS IAM forum.
–Brigid
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.