Using AWS API: Given IAM User, Get Current Effective IAM Policy Document

I'm having a hard time finding the correct API call to answer this question: given an IAM User, what is the effective IAM Policy document governing that user?

It looks like I can accomplish the above using a combination of several API calls and concatenating the policies in the client:

  1. aws iam list-groups-for-user --user-name my-user
  2. for each returned group: aws iam list-attached-group-policies --group-name my-group
  3. aws iam list-attached-user-policies --user-name my-user
  4. Concatenate policies returned from steps 2. and 3.
  5. for each policy: aws iam get-policy --policy-arn my-policy-arn
  6. and again for each policy: aws iam get-policy-version --policy-arn my-policy-arn --version-id my-version

This is at least 5 API calls and at most an unbounded number of calls. I'm hesitant to even write this logic because it is common for a user to belong to several groups and for those groups to contain tens or hundreds of policies.

Surely there is a single API endpoint somewhere that I am missing?

Something like this: aws iam get-effective-user-policy --user-name my-user

Daniel Patrick asked Aug 24 '20 15:08
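As an added example (not code from the question, from AWS, or from boto3), the six steps above scripted against a boto3-style IAM client, following IsTruncated/Marker pagination and collecting policy ARNs in a set so a policy attached both to the user and to one of its groups is fetched only once. The StubIam class, its account number and its two policies are constructed stand-ins so the script runs offline; it covers managed identity-based policies only, not inline policies, permissions boundaries, resource policies or SCPs.

```python
READ_ARN = "arn:aws:iam::123456789012:policy/ReadBucket"  # constructed sample account, not a real one
DENY_ARN = "arn:aws:iam::123456789012:policy/DenyDelete"
DOCS = {
    READ_ARN: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    DENY_ARN: {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]},
}

class StubIam:
    """Offline stand-in for boto3.client("iam"): same method names and response shapes, plus a call counter."""
    calls = 0
    def list_attached_user_policies(self, UserName, Marker=None):
        self.calls += 1
        return {"AttachedPolicies": [{"PolicyName": "ReadBucket", "PolicyArn": READ_ARN}], "IsTruncated": False}
    def list_groups_for_user(self, UserName, Marker=None):
        self.calls += 1  # answered in two pages to exercise Marker pagination
        if Marker is None:
            return {"Groups": [{"GroupName": "devs"}], "IsTruncated": True, "Marker": "page2"}
        return {"Groups": [{"GroupName": "ops"}], "IsTruncated": False}
    def list_attached_group_policies(self, GroupName, Marker=None):
        self.calls += 1
        arn = {"devs": READ_ARN, "ops": DENY_ARN}[GroupName]  # devs shares ReadBucket with the user
        return {"AttachedPolicies": [{"PolicyName": arn.rsplit("/", 1)[1], "PolicyArn": arn}], "IsTruncated": False}
    def get_policy(self, PolicyArn):
        self.calls += 1
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": "v1"}}
    def get_policy_version(self, PolicyArn, VersionId):
        self.calls += 1  # boto3 hands back Document already URL-decoded into a dict
        return {"PolicyVersion": {"VersionId": VersionId, "Document": DOCS[PolicyArn]}}

def _paged(call, key, **kwargs):
    """Yield every item under `key`, following IsTruncated/Marker across pages."""
    while True:
        page = call(**kwargs)
        yield from page[key]
        if not page.get("IsTruncated"):
            return
        kwargs["Marker"] = page["Marker"]

def effective_identity_policies(iam, user_name):
    """Steps 1-6 from the question: {policy_arn: document} for every managed policy on the user or its groups."""
    arns = {p["PolicyArn"] for p in _paged(iam.list_attached_user_policies, "AttachedPolicies", UserName=user_name)}
    for group in _paged(iam.list_groups_for_user, "Groups", UserName=user_name):
        arns |= {p["PolicyArn"] for p in _paged(iam.list_attached_group_policies, "AttachedPolicies", GroupName=group["GroupName"])}
    docs = {}  # the set above is step 4: a policy shared by the user and a group is fetched once
    for arn in sorted(arns):
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        docs[arn] = iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
    return docs
```

Running `effective_identity_policies(StubIam(), "my-user")` returns both documents after 9 calls (the shared ReadBucket policy would cost two more without the set); pass `boto3.client("iam")` instead of the stub for a live account.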


2 Answers

This isn't really supported in AWS, as the actions an IAM principal can perform are distributed across AWS; they're not stored in any one place. Access decisions are applied when requests are made, and so you should think of IAM policies in terms of a request being made.

When AWS APIs receive a request, this is what kicks in at a high level to determine whether the call is authorised:

  • Identity-based policies (policies attached to the user, their groups or their role)
  • Resource-based policies (policies attached to the resource the user is requesting; e.g. an S3 bucket or EC2 instance)
  • IAM permissions boundaries
  • Service Control Policies (SCPs) (defined via AWS Organisations)
  • Session policies (which apply when a session is created via temporary credentials and AssumeRole)

Each of the above needs to Allow the action for the user to be granted access.

So, you see, the actual access that is granted is spread across quite a few places. That list above is only for a single account, too. Cross-account access is even more distributed.

If you're only interested in identity-based policies, then the API calls you're making are covering it. However, any of the others could have Deny effects which prevent the action, even if identity-based policies allow the action, so you'd only be getting a partial picture.

Depending on what you're using this for, I'd try not to get a complete picture of a user's access ahead of time, as you are essentially going to be querying every single AWS service for every user. The exception to this is security auditing, in which case there are a slew of tools that will try to do this for you, but be warned: IAM is a complex beast and auditing it is a tricky problem.

Jonny answered Sep 27 '22 17:09


If you are only interested in permissions for certain AWS services, you might also consider using the command below. However, I don't think you're going to find a "one stop shop" to get all the permissions in one API call.

aws iam list-policies-granting-service-access

Jim Mulvey answered Sep 27 '22 16:09