我们如何获取IAM用户,他们的群组和政策?

时间:2017-09-06 10:58:37

标签: python amazon-web-services boto amazon-iam

我需要获取所有aws用户,他们相应的组,策略,然后是否为他们激活mfa。谁能告诉我如何通过aws cli或boto完成它。

我有一个脚本,只能取出aws中的所有用户。

  import boto3
    from boto3 import *
    import argparse

    access_key = ''
    secret_key = ''

    def get_iam_uses_list():
    client =  boto3.client('iam',
                aws_access_key_id=access_key,
                aws_secret_access_key=secret_key)
       my_list=list()
       iam_all_users = client.list_users(MaxItems=200)
       for user in iam_all_users['Users']:
        my_list.append(user['UserName'])
#

    for i in my_list:
        print i

#    print "read complete"
#
#    for i in my_list:
#        iam_user_policy=client.list_attached_user_policies(UserName=i)
#        for policy in iam_user_policy['AttachedPolicies']:
#               print "%s \t %s" %(i, policy['PolicyName'])

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('access_key', help='Access Key');
    parser.add_argument('secret_key', help='Secret Key');
    args = parser.parse_args()
    global access_key
    global secret_key
    access_key = args.access_key
    secret_key = args.secret_key
get_iam_uses_list()

if  __name__ =='__main__':main()

1 个答案:

答案 0 :(得分:15)

在这里,我使用boto命令进行四项操作 -

  1. 列出所有用户
  2. 附加到每个用户的列表政策
  3. 列出添加到每个用户的角色
  4. 列出Mfa设备以查看用户是否已配置MFA(此处我未检查是否未启用MFA,但检查设备是否已由用户配置。)

    5. 获取与AWS账户的IAM连接 

    import boto3
client = boto3.client('iam',aws_access_key_id="XXX",aws_secret_access_key="XXX")

    获取IAM用户 这将打印所有用户名。您可以自定义是否还要打印其他详细信息。

    users = client.list_users()
for key in users['Users']:
    print key['UserName']

    获取附加到每个用户的政策列表 

    for key in users['Users']:
    List_of_Policies =  client.list_user_policies(UserName=key['UserName'])
    for key in List_of_Policies['PolicyNames']:
        print key['PolicyName']

    获取附加到每个用户的群组列表 

    for key in users['Users']:
    List_of_Groups =  client.list_groups_for_user(UserName=key['UserName'])
       for key in List_of_Groups['Groups']:
           print key['GroupName']

    检查是否配置了MFA设备 

    for key in users['Users']:
    List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])
    for key in List_of_MFA_Devices['MFADevices']:
          print key

    您可以进一步检查List_of_MFA_Devices [' MFADevices']是否为空。如果为空,则表示未配置MFA设备。

    如果要将输出添加为Dict列表,其中每个索引将包含dict,其值为userName,Groups,Policy,isMFA_flag_configured。使用以下代码 - 

    import boto3
client = boto3.client('iam',aws_access_key_id="XXXX",aws_secret_access_key="YYY")
users = client.list_users()
user_list = []
for key in users['Users']:
    result = {}
    Policies = []
    Groups=[]

    result['userName']=key['UserName']
    List_of_Policies =  client.list_user_policies(UserName=key['UserName'])

    result['Policies'] = List_of_Policies['PolicyNames']

    List_of_Groups =  client.list_groups_for_user(UserName=key['UserName'])

    for Group in List_of_Groups['Groups']:
        Groups.append(Group['GroupName'])
    result['Groups'] = Groups

    List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])

    if not len(List_of_MFA_Devices['MFADevices']):
        result['isMFADeviceConfigured']=False   
    else:
        result['isMFADeviceConfigured']=True    
    user_list.append(result)

for key in user_list:
    print key

    上述代码的输出 -

      

    {' userName':' user1',' Groups':[' grp1',' grp2'] ,'政策':' policy1',' policy2],' isMFADeviceConfigured':False / True}

         

    {' userName':' user2',' Groups':[' grp1',' grp2'] ,'政策':[' policy1',' policy2],' isMFADeviceConfigured':False / True}

相关问题
最新问题