I have 3 loops that I use to determine the permission level of AWS user accounts.
This array lists the AWS policy Effect:
Code:
for ((policy_index=0; policy_index<${#aws_managed_policies[@]}; ++policy_index)); do
    aws_policy_arn="${aws_managed_policies[policy_index]}"
    aws_policy_version_id=$(aws iam get-policy --policy-arn "$aws_policy_arn" --profile="$aws_key" | jq -r '.Policy.DefaultVersionId')
    # Statement can be a single object or an array of objects; normalise it to an
    # array inside jq instead of re-running the API call when the first query fails.
    # Note: readarray replaces the array on every iteration, so only the last
    # policy's effects remain once the loop has finished.
    readarray -t aws_policy_effects < <(aws iam get-policy-version --policy-arn "$aws_policy_arn" --version-id "$aws_policy_version_id" --profile="$aws_key" 2> /dev/null \
        | jq -r '.PolicyVersion.Document.Statement | if type == "array" then .[] else . end | .Effect' 2> /dev/null)
done
I get the effect of the policy with this loop (Allow/Deny):
Code:
for ((effect_index=0; effect_index<${#aws_policy_effects[@]}; ++effect_index)); do
    policy_effect="${aws_policy_effects[effect_index]}"
    if [[ "$policy_effect" = "Allow" ]]; then
        aws_policy_effects[effect_index]='ALLOW'
        # do not unset aws_policy_effects here: that wipes the whole array and
        # ends the loop after the first Allow
    elif [[ "$policy_effect" = "Deny" ]]; then
        aws_policy_effects[effect_index]='DENY'
    fi
done
And I get the list of services that the user has permission to with this loop:
Code:
# Action can be a string or an array; flatten it so each action is one line,
# then keep only wildcard actions (-F matches a literal '*', not a regex)
readarray -t aws_policy_actions < <(aws iam get-policy-version --policy-arn "$aws_policy_arn" --version-id "$aws_policy_version_id" --profile="$aws_key" 2> /dev/null \
    | jq -r '.PolicyVersion.Document.Statement | if type == "array" then .[] else . end | .Action | if type == "array" then .[] else . end' 2> /dev/null \
    | grep -F '*')
admin_access="NO"   # default; set to YES when a wildcard Allow action is found
# policy_effect holds the value set in the effect loop above
if [[ "$policy_effect" = "Allow" ]]; then
    for ((action_index=0; action_index<${#aws_policy_actions[@]}; ++action_index)); do
        policy_action="${aws_policy_actions[action_index]}"
        if [[ "$policy_action" = "*" ]]; then      # quoted: a literal '*', i.e. every action
            admin_access="YES"
        elif [[ -n "$policy_action" ]]; then
            policy_action="${policy_action%%:*}"   # keep the service prefix, e.g. s3:* -> s3
            admin_access="YES"
            aws_admin_services+=("$policy_action")
        fi
    done # action loop
fi
I want the 3 loops to correspond.
I need the Policy Effect, set admin_access variable to YES or NO, and then build a list of services they have access to, and add them to the list of services in aws_admin_services.
How can I best achieve this? Do I need to embed the 3 loops within one another in order to have everything correspond?
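An added example, not from the post above, showing the per-statement approach: each statement's Effect and Action are read together in one pass, which is what keeps the effect, the admin flag and the service list in step. It is written in Python rather than bash and jq so it runs offline; the policy document is a constructed sample standing in for `aws iam get-policy-version` output, and no AWS call is made.

```python
import json

# Constructed sample standing in for `aws iam get-policy-version` output:
# one statement uses a bare string Action, one an array, and one is a Deny,
# so both shapes the three bash loops had to special-case are exercised.
SAMPLE_POLICY_VERSION = json.dumps({"PolicyVersion": {"VersionId": "v1", "Document": {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ]}}})


def as_list(value):
    """IAM accepts a single string wherever it accepts a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy_version_json):
    """Walk each statement once, keeping its Effect and Actions together.

    Returns (admin_access, services, effects):
      admin_access -- "YES" if any Allow statement carries a wildcard action
      services     -- sorted service prefixes of those actions ("*" = all)
      effects      -- "ALLOW"/"DENY" per statement, in document order
    """
    doc = json.loads(policy_version_json)["PolicyVersion"]["Document"]
    admin_access = "NO"
    services = set()
    effects = []
    for stmt in as_list(doc.get("Statement")):
        effect = str(stmt.get("Effect", "")).upper()
        effects.append(effect)
        if effect != "ALLOW":
            continue  # a Deny never widens access, so its actions are skipped
        for action in as_list(stmt.get("Action")):
            if "*" not in action:
                continue  # only wildcard actions count, as in the grep '*'
            admin_access = "YES"
            # bare "*" means every service; otherwise keep the prefix before ':'
            services.add("*" if action == "*" else action.split(":", 1)[0])
    return admin_access, sorted(services), effects
```

For the real account, feed each policy version's JSON to evaluate_policy inside the policy loop; that single per-policy call replaces the three separate loops.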