How can we fetch IAM users, their groups and policies?
Here, I am using boto commands to do four operations -
- List all the users
- List policy attached to each user
- List roles added to each user
- List Mfa devices to see if MFA has been configured by User or not (Here I am not checking is MFA is not enabled, but checking if the device has been configured by a user or not.)
Get IAM connection to AWS Account
import boto3
client = boto3.client('iam',aws_access_key_id="XXX",aws_secret_access_key="XXX")
Getting IAM Users This will print all the usernames. you can customize if you want to print other details as well.
users = client.list_users()
for key in users['Users']:
print key['UserName']
Getting List of Policy attached to each user
for key in users['Users']:
List_of_Policies = client.list_user_policies(UserName=key['UserName'])
for key in List_of_Policies['PolicyNames']:
print key['PolicyName']
Getting List of Groups attached to each user
for key in users['Users']:
List_of_Groups = client.list_groups_for_user(UserName=key['UserName'])
for key in List_of_Groups['Groups']:
print key['GroupName']
Checking if MFA Device is configured or not
for key in users['Users']:
List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])
for key in List_of_MFA_Devices['MFADevices']:
print key
You can further check if List_of_MFA_Devices['MFADevices'] is empty or not. If empty, then MFA Device is not configured.
If you want to add output as List of Dict where each index will contain dict have value pairs for userName, Groups, Policy, isMFA_flag_configured or not. Use the following code -
import boto3
client = boto3.client('iam',aws_access_key_id="XXXX",aws_secret_access_key="YYY")
users = client.list_users()
user_list = []
for key in users['Users']:
result = {}
Policies = []
Groups=[]
result['userName']=key['UserName']
List_of_Policies = client.list_user_policies(UserName=key['UserName'])
result['Policies'] = List_of_Policies['PolicyNames']
List_of_Groups = client.list_groups_for_user(UserName=key['UserName'])
for Group in List_of_Groups['Groups']:
Groups.append(Group['GroupName'])
result['Groups'] = Groups
List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])
if not len(List_of_MFA_Devices['MFADevices']):
result['isMFADeviceConfigured']=False
else:
result['isMFADeviceConfigured']=True
user_list.append(result)
for key in user_list:
print key
Output for the above code -
{'userName': 'user1', 'Groups': ['grp1','grp2'], 'Policies':['policy1','policy2], 'isMFADeviceConfigured': False/True}
{'userName': 'user2', 'Groups': ['grp1','grp2'], 'Policies': ['policy1','policy2], 'isMFADeviceConfigured': False/True}
batman
Updated on July 02, 2022Comments
-
batman almost 2 years
I need to fetch all the aws user's, their corresponding groups, policies and then if mfa is activated for them or not. Can anyone tell me how it can be done via aws cli or boto.
I have a script that fetches out just the all user's in aws.
import boto3 from boto3 import * import argparse access_key = '' secret_key = '' def get_iam_uses_list(): client = boto3.client('iam', aws_access_key_id=access_key, aws_secret_access_key=secret_key) my_list=list() iam_all_users = client.list_users(MaxItems=200) for user in iam_all_users['Users']: my_list.append(user['UserName']) # for i in my_list: print i # print "read complete" # # for i in my_list: # iam_user_policy=client.list_attached_user_policies(UserName=i) # for policy in iam_user_policy['AttachedPolicies']: # print "%s \t %s" %(i, policy['PolicyName']) def main(): parser = argparse.ArgumentParser() parser.add_argument('access_key', help='Access Key'); parser.add_argument('secret_key', help='Secret Key'); args = parser.parse_args() global access_key global secret_key access_key = args.access_key secret_key = args.secret_key get_iam_uses_list() if __name__ =='__main__':main()