# AWS resource-based policy collector
This library aims to collect resource-based policies from an AWS account.
NOTE: This library does not cover all AWS services that support resource-based policies and has not been rigorously tested! Refer to the supported services listed below.
## Install

```sh
yarn add aws-resource-based-policy-collector
```
## Usage

Your environment must be configured with valid AWS credentials. See Setting credentials in Node.js. Your credentials must be authorised to perform read-only actions within your account.

```ts
import { collect } from 'aws-resource-based-policy-collector';

const main = async () => {
  const result = await collect();
  // ... Do something with result
};

main();
```
The `collect` function returns an array of objects, one per service, where each service object contains an array of resource objects. Each resource object contains a `type` and an `id` that uniquely identify the resource, plus a JSON-encoded `policy`. Only resources that have a policy are included.
```js
[
  {
    serviceName: 's3',
    resources: [
      {
        type: 'AWS::S3::Bucket',
        id: 'my-bucket',
        policy: '', // JSON encoded string
      }
    ]
  },
  ...
]
```
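Because every `policy` is a JSON-encoded string in this shape, the most common thing to do with the result is to parse each policy and look for statements that grant access too widely. The following is an added example, not code from the library: it walks the documented result shape and reports `Allow` statements whose `Principal` is a wildcard (`"*"` or `{ "AWS": "*" }`) and that have no `Condition` block. The sample data, the account id `123456789012` and the helper names are constructed for illustration.

```typescript
// Added example (not part of aws-resource-based-policy-collector). It consumes the
// result shape documented in this README: an array of { serviceName, resources[] },
// each resource carrying a JSON-encoded policy string.

type CollectedResource = { type: string; id: string; policy: string };
type CollectedService = { serviceName: string; resources: CollectedResource[] };

type Finding = {
  serviceName: string;
  type: string;
  id: string;
  sid: string | undefined;
  actions: string[];
};

// IAM policy fields such as Statement, Action and Principal.AWS may be a single
// value or an array; normalise both forms to an array.
function asArray<T>(value: T | T[] | undefined): T[] {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// True for Principal "*" or Principal { "AWS": "*" } (also when "*" sits in an AWS list).
function principalIsWildcard(principal: unknown): boolean {
  if (principal === '*') return true;
  if (principal !== null && typeof principal === 'object') {
    const aws = (principal as { AWS?: string | string[] }).AWS;
    return asArray(aws).indexOf('*') !== -1;
  }
  return false;
}

// Parse a policy string; an unparsable policy yields undefined instead of aborting the scan.
function parsePolicy(text: string): { Statement?: unknown } | undefined {
  try {
    return JSON.parse(text);
  } catch {
    return undefined;
  }
}

function findPublicStatements(result: CollectedService[]): Finding[] {
  const findings: Finding[] = [];
  for (const service of result) {
    for (const resource of service.resources) {
      const policy = parsePolicy(resource.policy);
      if (!policy) continue;
      for (const statement of asArray(policy.Statement) as Array<Record<string, unknown>>) {
        if (statement.Effect !== 'Allow') continue;
        if (!principalIsWildcard(statement.Principal)) continue;
        const condition = statement.Condition as Record<string, unknown> | undefined;
        // A wildcard scoped by a Condition (e.g. a source-account key) is a different
        // risk class; it is skipped here and should be reviewed separately.
        if (condition && Object.keys(condition).length > 0) continue;
        findings.push({
          serviceName: service.serviceName,
          type: resource.type,
          id: resource.id,
          sid: typeof statement.Sid === 'string' ? statement.Sid : undefined,
          actions: asArray(statement.Action as string | string[] | undefined),
        });
      }
    }
  }
  return findings;
}

// Constructed sample in the README's documented shape (account id is a placeholder).
const SAMPLE_RESULT: CollectedService[] = [
  {
    serviceName: 's3',
    resources: [{
      type: 'AWS::S3::Bucket',
      id: 'my-public-bucket',
      policy: JSON.stringify({
        Version: '2012-10-17',
        Statement: [{ Sid: 'PublicRead', Effect: 'Allow', Principal: '*',
                      Action: 's3:GetObject', Resource: 'arn:aws:s3:::my-public-bucket/*' }],
      }),
    }],
  },
  {
    serviceName: 'sns',
    resources: [{
      type: 'AWS::SNS::Topic',
      id: 'arn:aws:sns:us-east-1:123456789012:alerts',
      policy: JSON.stringify({
        Version: '2012-10-17',
        Statement: [{ Effect: 'Allow', Principal: { AWS: '*' }, Action: ['SNS:Publish', 'SNS:Subscribe'],
                      Resource: 'arn:aws:sns:us-east-1:123456789012:alerts',
                      Condition: { StringEquals: { 'AWS:SourceOwner': '123456789012' } } }],
      }),
    }],
  },
];

// Usage: with the library installed, replace SAMPLE_RESULT by `await collect()`.
for (const f of findPublicStatements(SAMPLE_RESULT)) {
  console.log(`${f.serviceName} ${f.type} ${f.id}: ${f.sid ?? '(no Sid)'} allows ${f.actions.join(', ')} to any principal`);
}
```

Only the S3 bucket is reported: the SNS topic also names a wildcard principal, but its `Condition` restricts it to one source account, so it is left for a separate review rather than mixed in with unconditional public access.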
## Supported services

This library currently collects resource-based policies for the AWS services listed below.
This list of services is taken from the tables found at AWS services that work with IAM, specifically those services with a Yes or Partial in the Resource-based policies column.
- Lambda
- Serverless Application Repository
- ECR
- AWS Backup
- EFS
- S3 Glacier
- S3
- S3 on AWS Outposts
- Cloud9
- CodeArtifact
- CodeBuild
- IAM
- SecretsManager
- ACM Private Certificate Authority
- KMS
- Lex v2
- CloudWatch Logs
- Systems Manager Incident Manager
- Systems Manager Incident Manager Contacts
- API Gateway
- VPC (endpoints)
- Elemental MediaStore
- OpenSearch
- Glue
- EventBridge
- EventBridge Schemas
- SNS
- SQS
- IoT
- SES v2