
@heskyji
Forked from OnlyInAmerica/find_iam_user.py
Last active August 29, 2015 14:22

Revisions

  1. heskyji revised this gist Jul 30, 2015. 1 changed file with 29 additions and 19 deletions.
    48 changes: 29 additions & 19 deletions find_iam_user.py
    @@ -1,30 +1,40 @@
    #!/usr/bin/env python
    # Find the IAM username belonging to the TARGET_ACCESS_KEY
    # Useful for finding IAM user corresponding to a compromised AWS credential

    # Requirements:
    #
    # Environmental variables:
    # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
    # python:
    # boto
    # Environmental variables:
    # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
    # python:
    # boto

    import argparse
    import sys
    import boto.iam

    TARGET_ACCESS_KEY = 'TARGET_KEY'

    iam = boto.connect_iam()
    def parse_args(argv=None):
    p = argparse.ArgumentParser()
    p.add_argument('key', help='Key to search')
    args = p.parse_args(argv)
    return args.key

    users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']

    def find_key():
    for user in users:
    for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
    aws_access_key = key_result['access_key_id']
    if aws_access_key == TARGET_ACCESS_KEY:
    print 'Target key belongs to:'
    print 'user : ' + user['user_name']
    return True
    return False
    def main(argv=None):
    key = parse_args(argv)
    iam = boto.connect_iam()
    users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']

    if not find_key():
    print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
    for user in users:
    for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
    aws_access_key = key_result['access_key_id']
    if aws_access_key == key:
    print('Key "%s" belongs to user: %s' % (key, user['user_name']))
    return 0
    else:
    print('Did not find access key "%s" in %d IAM users' % (key, len(users)))
    return 1


    if __name__ == '__main__':
    sys.exit(main())
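Review bot: The user listing in `main()` is a single `iam.get_all_users('/')` call, and IAM list calls return results in pages, so in an account with more users than one page holds, the loop never sees the rest and prints "Did not find access key" for a key that does exist. For a tool meant to attribute a compromised credential, that false negative is the costly outcome; the listing should follow the response's truncation flag and marker until it is complete, as sketched below (the exact flag value boto returns should be confirmed against a live response). A miss can also mean the key is a root-account key, a temporary credential, or a key from another account, so the not-found message should say that only IAM users in this account were searched. The initial revision further down the page lists users with the same single call.

```python
    iam = boto.connect_iam()
    users = []
    marker = None
    while True:
        result = iam.get_all_users('/', marker=marker)['list_users_response']['list_users_result']
        users.extend(result['users'])
        # boto 2 appears to return the flag as text; confirm before relying on it
        if result.get('is_truncated') != 'true':
            break
        marker = result['marker']
    # … unchanged: per-user access-key scan and result reporting …
```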
  2. @OnlyInAmerica OnlyInAmerica created this gist Apr 3, 2014.
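--- a/find_iam_user.py
+++ b/find_iam_user.py
@@ -0,0 +1,30 @@
+# Find the IAM username belonging to the TARGET_ACCESS_KEY
+# Useful for finding IAM user corresponding to a compromised AWS credential
+
+# Requirements:
+#
+# Environmental variables:
+# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
+# python:
+# boto
+
+import boto.iam
+
+TARGET_ACCESS_KEY = 'TARGET_KEY'
+
+iam = boto.connect_iam()
+
+users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
+
+def find_key():
+for user in users:
+for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
+aws_access_key = key_result['access_key_id']
+if aws_access_key == TARGET_ACCESS_KEY:
+print 'Target key belongs to:'
+print 'user : ' + user['user_name']
+return True
+return False
+
+if not find_key():
+print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'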