AWS resource-based policy collector

This library aims to collect resource-based policies from an AWS account.

NOTE: This library does not cover all AWS services which support resource-based policies and has not been rigurously tested! Refer to supported services below.

Install

yarn install aws-resource-based-policy-collector

Usage

Your environment must be configured with valid AWS credentials. See Setting credentials in Node.js. You credentials must be authorised to perform read-only actions within your account.

import { collect } from 'aws-resource-based-policy-collector';

const main = async () => {
  const result = await collect();
  // ... Do something with result
};

main();

The collect function returns an array of objects per-service where each service object contains an array of resource objects. Each resource object contains a type and id to uniquly identify the resource.

Each resource contains a JSON encoded policy. Only resources with policies are included.

[
  {
    serviceName: 's3',
    resources: [
      {
        type: 'AWS::S3::Bucket',
        id: 'my-bucket',
        policy: '', // JSON encoded string
      }
    ]
  },
  ...
]

Supported services

This library currently collects resource-based policies for AWS services listed below.

This list of services is taken from the tables found at AWS services that work with IAM, specifically those services with a Yes or Partial in the Resource-based policies column.

• Lambda
• Serverless Application Repository
• ECR
• AWS Backup
• EFS
• S3 Glacier
• S3
• S3 on AWS Outposts
• Cloud9
• CodeArtifact
• CodeBuild
• IAM
• SecretsManager
• ACM Private Certificate Authority
• KMS
• Lex v2
• CloudWatch Logs
• Systems Manager Incident Manager
• Systems Manager Incident Manager Contacts
• API Gateway
• VPC (endpoints)
• Elemental MediaStore
• OpenSearch
• Glue
• EventBridge
• EventBridge Schemas
• SNS
• SQS
• IoT
• SES v2