AWS Access Report
What will I learn?
In this tutorial we will generate a simple access report that shows the current access controls present in a specific AWS account, broken down by type.
What you'll need
Software & Services
- Docker version 16.14 or above
- An AWS User or Role with read-only permissions to list the resources (AWS IAM read-only)
- An active AWSH environment, as set up in AWSH Intro, with some AWS credentials loaded
Permissions & Access
AWS provides an existing ReadOnlyAccess IAM Policy that covers all of the permissions needed for this tutorial. You can simply attach this AWS-provided IAM Policy to your existing IAM User, Group or Role.

Tutorial
In each of the examples below we will take advantage of several of the environment variables that are loaded and set when we activate a set of credentials in AWSH:
env | grep ^AWS_
AWS_ACCOUNT_ALIAS=dummy-account
AWS_DEFAULT_REGION=eu-central-1
AWS_SESSION_EXPIRATION=2022-11-28 16:05:01
AWS_SECRET_ACCESS_KEY=f3hfuss77fffdUToVx+T1iFNV+6tLgL3dUhCJY6jhPccRQW
AWS_ID_NAME=dummy-account/[email protected]
AWS_ACCOUNT_NUMBER=011111221051
AWS_ACCESS_KEY_ID=ASIAQO7RUGABCDEFYXLOK
AWS_TOKEN_EXPIRY=1669651501
We will use these environment variables to generate useful report names.
This tutorial also makes use of one of the built-in commands available in AWSH, awsh report-access, which allows us to generate our output report in multiple formats. To find out more about all of the helper commands and utilities available in AWSH, check out the full documentation here.
The report file is generated in the current directory, or in the specified directory, for any of the specified formats.
Simple Format Report
Create a simple text access report
AWSH❯awsh report-access
We have a lot of API calls to make, so it will take a few moments to complete.
Here is a sample output generated from the access report (simple):
AWS Access Report: Account 1234567890123
================================================================================
AWS Account : 1234567890123
AWS Account Alias : aws-hestio-test
Created from AWS Region : eu-west-1
Created By : XXXX
Created Date : Fri Feb 17 13:56:29 UTC 2023

AWS CREDENTIALS
user               arn                                                user_creation_time         password_enabled    password_last_used         password_last_changed    mfa_active    access_key_1_last_used_date
-----------------  -------------------------------------------------  -------------------------  ------------------  -------------------------  -----------------------  ------------  -----------------------------
<root_account>     arn:aws:iam::1234567890123:root                    2021-09-27T08:42:30+00:00  not_supported       2023-01-04T08:27:40+00:00  not_supported            true          N/A
luk-awsh-tutorial  arn:aws:iam::1234567890123:user/luk-awsh-tutorial  2022-06-01T11:52:44+00:00  false               N/A                        N/A                      true          2023-02-17T11:43:00+00:00

IAM ACCOUNT PASSWORD POLICY
None found

IAM ACCOUNT SUMMARY
  Policies    InstanceProfiles    Users    Providers    AccountMFAEnabled    GlobalEndpointTokenVersion    Groups    AccountSigningCertificatesPresent    MFADevices    PolicyVersionsInUse    ServerCertificates    Roles    MFADevicesInUse    AccountAccessKeysPresent
----------  ------------------  -------  -----------  -------------------  ----------------------------  --------  -----------------------------------  ------------  ---------------------  --------------------  -------  -----------------  --------------------------
        21                   8        2            1                    1                             1         6                                    0             6                     49                     1       46                  5                           0
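The following is an added example, not part of AWSH or the original tutorial: a short Python check that reads rows laid out like the AWS CREDENTIALS section above and flags console access without MFA, use of a root access key, and access keys that have been idle for a long time. The sample rows, the account number 111111111111, the function names and the 90-day threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed rows in the layout of the AWS CREDENTIALS section (not real data).
SAMPLE = """\
user            arn                                       user_creation_time         password_enabled  password_last_used         password_last_changed      mfa_active  access_key_1_last_used_date
--------------  ----------------------------------------  -------------------------  ----------------  -------------------------  -------------------------  ----------  ---------------------------
<root_account>  arn:aws:iam::111111111111:root            2021-09-27T08:42:30+00:00  not_supported     2023-01-04T08:27:40+00:00  not_supported              false       N/A
alice           arn:aws:iam::111111111111:user/alice      2022-06-01T11:52:44+00:00  true              2023-02-10T09:00:00+00:00  2022-06-01T11:52:44+00:00  false       N/A
ci-deploy       arn:aws:iam::111111111111:user/ci-deploy  2022-01-05T10:00:00+00:00  false             N/A                        N/A                        false       2022-08-01T07:30:00+00:00
bob             arn:aws:iam::111111111111:user/bob        2022-03-09T14:20:00+00:00  true              2023-02-16T08:00:00+00:00  2022-12-01T10:00:00+00:00  true        2023-02-16T12:00:00+00:00
"""

def parse_credentials(text):
    """Turn the whitespace-separated table into dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0].split(), []
    for ln in lines[1:]:
        cells = ln.split()
        if all(set(c) == {"-"} for c in cells):
            continue  # dashed separator under the header
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows

def _ts(value):
    """ISO-8601 timestamp -> aware datetime; N/A, not_supported etc. -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(rows, now, max_idle_days=90):
    """Return (user, finding) tuples; max_idle_days is an assumed threshold."""
    findings, limit = [], now - timedelta(days=max_idle_days)
    for r in rows:
        is_root = r["user"] == "<root_account>"
        # The report shows not_supported for root, so treat root as console-capable.
        if (is_root or r["password_enabled"] == "true") and r["mfa_active"] != "true":
            findings.append((r["user"], "console access without MFA"))
        used = _ts(r["access_key_1_last_used_date"])
        if is_root and used:
            findings.append((r["user"], "root access key has been used"))
        elif used and used < limit:
            findings.append((r["user"], f"access key idle for over {max_idle_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(parse_credentials(SAMPLE), datetime.now(timezone.utc)):
        print(f"{user}: {finding}")
```

The columns shown in the report do not say whether an access key exists but has never been used, so an N/A in access_key_1_last_used_date is not treated as a finding here.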
Markdown Format Report
Get the data from the AWS API
AWSH❯awsh report-access -f pipe
We have a lot of API calls to make, so it will take a few moments to complete.
The Markdown format report is plain text but can be converted into many other common formats (HTML, PDF, MS Word, etc). One of our favourite online converters is https://dillinger.io/, and extensions for Microsoft VS Code are also available.

HTML Format Report
The generated HTML automatically includes the Bootstrap framework and can be styled using any compatible CSS.
Get the data from the AWS API
AWSH❯awsh report-access -f html -d .
We have a lot of API calls to make, so it will take a few moments to complete.
Now that you've had a look around, why not check out the full documentation here.
Did you know that both AWSH and BLOX are completely Open Source? That's right - the software is available free of charge, and we make some of our revenue by helping others install, use, and troubleshoot it. Take a copy for yourself!
AWSH: Containerized tools with lightweight access to AWS CLI and APIs in mind.
BLOX: Containerized tools for engineering teams who need to work with AWS and IAC every day.