
AWS Access Report

In a Nutshell
What will I learn? In this tutorial we will generate a simple access report that shows the access controls currently present in a specific AWS account, broken down by type.
Difficulty

What you'll need

Software & Services

Permissions & Access

AWS provides an existing ReadOnlyAccess IAM Policy that covers all of the permissions needed for this tutorial. You can simply attach this AWS-provided IAM Policy to your existing IAM User, Group or Role.

Attach Existing IAM Policy
Screenshot: Attach Existing IAM Policy

Tutorial

In each of the examples below we will take advantage of several of the environment variables that are loaded and set when we activate a set of credentials in AWSH:

AWSH❯
env | grep ^AWS_
AWS_ACCOUNT_ALIAS=dummy-account
AWS_DEFAULT_REGION=eu-central-1
AWS_SESSION_EXPIRATION=2022-11-28 16:05:01
AWS_SECRET_ACCESS_KEY=f3hfuss77fffdUToVx+T1iFNV+6tLgL3dUhCJY6jhPccRQW
AWS_ID_NAME=dummy-account/[email protected]
AWS_ACCOUNT_NUMBER=011111221051
AWS_ACCESS_KEY_ID=ASIAQO7RUGABCDEFYXLOK
AWS_TOKEN_EXPIRY=1669651501

We will use these environment variables to generate useful report names.

This tutorial also makes use of one of the built-in commands available in AWSH, awsh report-access, which allows us to generate our output report in multiple formats. To find out more about all of the helper commands and utilities available in AWSH, check out the full documentation here.

The report is written as a file in the current directory, or in the specified directory, in any of the specified formats.

Simple Format Report

  • Create a simple text access report

    AWSH❯
    awsh report-access

    This makes a lot of API calls, so it will take a few moments to complete.

  • Here is a sample output generated from the access report (simple)

    AWS Access Report: Account 1234567890123
    ================================================================================

    AWS Account : 1234567890123
    AWS Account Alias : aws-hestio-test
    Created from AWS Region : eu-west-1
    Created By : XXXX
    Created Date : Fri Feb 17 13:56:29 UTC 2023

    AWS CREDENTIALS

    user               arn                                                user_creation_time         password_enabled  password_last_used         password_last_changed  mfa_active  access_key_1_last_used_date
    -----------------  -------------------------------------------------  -------------------------  ----------------  -------------------------  ---------------------  ----------  ---------------------------
    <root_account>     arn:aws:iam::1234567890123:root                    2021-09-27T08:42:30+00:00  not_supported     2023-01-04T08:27:40+00:00  not_supported          true        N/A
    luk-awsh-tutorial  arn:aws:iam::1234567890123:user/luk-awsh-tutorial  2022-06-01T11:52:44+00:00  false             N/A                        N/A                    true        2023-02-17T11:43:00+00:00

    IAM ACCOUNT PASSWORD POLICY

    None found

    IAM ACCOUNT SUMMARY

    Policies  InstanceProfiles  Users  Providers  AccountMFAEnabled  GlobalEndpointTokenVersion  Groups  AccountSigningCertificatesPresent  MFADevices  PolicyVersionsInUse  ServerCertificates  Roles  MFADevicesInUse  AccountAccessKeysPresent
    --------  ----------------  -----  ---------  -----------------  --------------------------  ------  ---------------------------------  ----------  -------------------  ------------------  -----  ---------------  ------------------------
    21        8                 2      1          1                  1                           6       0                                  6           49                   1                   46     5                0
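
The simple report can also be checked automatically. The following is an added example, not part of AWSH or the original tutorial: it parses the section tables shown in the sample output and flags console passwords without MFA, a missing password policy and root access keys. The helper names parse_sections and review are hypothetical, the sample report is constructed, and the layout is assumed to match the sample output above.

```python
import re

# Constructed sample in the layout of the simple report (values are illustrative).
SAMPLE = """\
AWS CREDENTIALS

user arn password_enabled mfa_active
-------------- ------------------------------------ ---------------- ----------
<root_account> arn:aws:iam::111111111111:root not_supported true
alice arn:aws:iam::111111111111:user/alice true false

IAM ACCOUNT PASSWORD POLICY

None found

IAM ACCOUNT SUMMARY

AccountMFAEnabled AccountAccessKeysPresent
----------------- ------------------------
1 0
"""

def parse_sections(text):
    """Return {SECTION HEADING: [row dict, ...]} for every table in the report."""
    sections, name, header, prev = {}, None, None, ""
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if re.fullmatch(r"[A-Z][A-Z ]+", line):        # e.g. "AWS CREDENTIALS"
            name, header, sections[line] = line, None, []
        elif name and re.fullmatch(r"[- ]+", line):    # dash rule: previous line is the header
            header = prev.split()
        elif name and header and len(line.split()) == len(header):
            sections[name].append(dict(zip(header, line.split())))
        prev = line
    return sections

def review(text):
    """Flag weak settings; root always has a password, IAM users only if password_enabled."""
    s, findings = parse_sections(text), []
    for row in s.get("AWS CREDENTIALS", []):
        has_password = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append(f"{row['user']}: console password without MFA")
    if re.search(r"IAM ACCOUNT PASSWORD POLICY\s+None found", text):
        findings.append("no IAM account password policy")
    for row in s.get("IAM ACCOUNT SUMMARY", []):
        if row.get("AccountAccessKeysPresent", "0") != "0":
            findings.append("root user has access keys")
    return findings
```

Pass the text of a generated simple-format report to review() to get the list of findings; an empty list means none of the three conditions was seen.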

Markdown Format Report

  • Get the data from the AWS API

    AWSH❯
    awsh report-access -f pipe

    This makes a lot of API calls, so it will take a few moments to complete.

  • The Markdown format report is plain text but can be converted into many other common formats (HTML, PDF, MS Word, etc). Our favourite options are the online converter https://dillinger.io/ or the extensions available for Microsoft VS Code.

Rendered Markdown Report
Screenshot: Rendered Markdown Report

HTML Format Report

Styling your HTML

The generated HTML automatically includes the Bootstrap framework and can be styled using any compatible CSS.

  • Get the data from the AWS API

    AWSH❯
    awsh report-access -f html -d .

    This makes a lot of API calls, so it will take a few moments to complete.

Now that you've had a look around, why not check out the full documentation here?

