Home Explore Help
Register Sign In
AFS
/
xdr-terraform-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: eaf3fd67b0
Branches Tags
xdr-terraform-m...
/
base
/
account_standards
/
files
/
user_policies_check.py

user_policies_check.py 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. import os
    2. 

  2. import boto3
    3. 

  3. 

  4. iam = boto3.client('iam')
    5. 

  5. 

  6. 

  7. def answer_no(x): return True if str(x).lower() in [
    8. 

  8.     '0', 'no', 'false'] else False
    9. 

  9. 

  10. 

  11. def answer_yes(x): return True if str(x).lower() in [
    12. 

  12.     '1', 'yes', 'true'] else False
    13. 

  13. 

  14. 

  15. def send_notifications(message):
    16. 

  16.     # TO DO
    17. 

  17.     return True
    18. 

  18. 

  19. 

  20. def detach_policies(users):
    21. 

  21.     message_body = 'AGGRESSIVE is set to ' + os.environ['AGGRESSIVE'] \
    22. 

  22.         if ('AGGRESSIVE' in os.environ and answer_yes(os.environ['AGGRESSIVE'])) \
    23. 

  23.         else 'AGGRESSIVE mode is not active'
    24. 

  24.     print message_body
    25. 

  25. 

  26.     for user, policies in users.iteritems():
    27. 

  27.         notification = 'Processing ' + user
    28. 

  28.         print notification
    29. 

  29.         message_body += notification + "\n"
    30. 

  30.         for policy in policies:
    31. 

  31.             notification = policy['PolicyName'] + \
    32. 

  32.                 ' will be detached from the user'
    33. 

  33.             print notification
    34. 

  34.             message_body += notification + "\n"
    35. 

  35.             if ('DRY_RUN' not in os.environ or answer_no(os.environ['DRY_RUN'])) \
    36. 

  36.                     and ('AGGRESSIVE' in os.environ and answer_yes(os.environ['AGGRESSIVE'])):
    37. 

  37.                 iam.detach_user_policy(
    38. 

  38.                     UserName=user, PolicyArn=policy['PolicyArn'])
    39. 

  39.             else:
    40. 

  40.                 notification = 'AGREESIVE is not active or DRY_RUN is enabled, so the policy is not removed'
    41. 

  41.                 print notification
    42. 

  42.                 message_body += notification + "\n"
    43. 

  43. 

  44.     if len(users) > 0 and ('DRY_RUN' not in os.environ or answer_no(os.environ['DRY_RUN'])):
    45. 

  45.         send_notifications(message_body)
    46. 

  46.     else:
    47. 

  47.         print 'DRY_RUN is active and/or nothing to do'
    48. 

  48. 

  49. 

  50. def lambda_handler(event, context):
    51. 

  51.     users = iam.list_users()
    52. 

  52.     user_policies = {}
    53. 

  53. 

  54.     for user in users['Users']:
    55. 

  55.         attached_policy_list = iam.list_attached_user_policies(
    56. 

  56.             UserName=user['UserName'])
    57. 

  57.         user_policy_list = iam.list_user_policies(UserName=user['UserName'])
    58. 

  58. 

  59.         if len(attached_policy_list['AttachedPolicies']) > 0 \
    60. 

  60.                 or len(user_policy_list['PolicyNames']) > 0:
    61. 

  61. 

  62.             user_policies[user['UserName']] = attached_policy_list['AttachedPolicies'] + \
    63. 

  63.                 user_policy_list['PolicyNames']
    64. 

  64.     detach_policies(user_policies)
    65. 

  65. 

  66. 

  67. # if __name__ == "__main__":
    68. 

  68. #    event = 1
    69. 

  69. #    context = 1
    70. 

  70. #    lambda_handler(event, context)
    71.