Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy
Pre-built binaries for Windows, macOS and Linux are available for download in the project releases.
Once downloaded, place the extracted binary in your $PATH (or execute in-place). For macOS users, you may need to allow the application to run via System Preferences.
To build and install this application, clone this repository and execute the following from its base:

```shell
go install
```

You must have Go 1.19 or later installed for the build to work.
You may also install this application using a Homebrew tap with the following command:

```shell
brew install iann0036/iamlive/iamlive
```

To start the listener, simply run iamlive in a separate window to your CLI / SDK application. Use Ctrl+C to exit when you are done.
You can optionally also include the following arguments to the iamlive command:
- `--set-ini`: when set, the .aws/config profile is updated for the session (csm_enabled in CSM mode, ca_bundle pointing at the generated CA in proxy mode) and the change is removed when exiting (default: false)
- `--profile`: use the specified profile when combined with `--set-ini` (default: default)
- `--fails-only`: when set, only failed AWS calls will be added to the policy; CSM mode only (default: false)
- `--output-file`: specify a file that will be written to on SIGHUP or exit; with `--background`, send SIGHUP to the returned PID to flush it (default: unset)
- `--refresh-rate`: instead of flushing to the console on every API call, do it every this many seconds (default: 0)
- `--sort-alphabetical`: sort actions alphabetically (default: false)
- `--host`: host to listen on for CSM (default: 127.0.0.1)
- `--background`: when set, the process prints its PID and runs in the background without output (default: false)
- `--force-wildcard-resource`: when set, the Resource will always be a wildcard (default: false)
- `--mode`: the listening mode (csm, proxy) (default: csm)
- `--bind-addr`: the bind address for proxy mode (default: 127.0.0.1:10080)
- `--ca-bundle`: the CA certificate bundle (PEM) to use for proxy mode (default: ~/.iamlive/ca.pem)
- `--ca-key`: the CA certificate key to use for proxy mode (default: ~/.iamlive/ca.key)
- `--account-id`: the AWS account ID to use in policy outputs within proxy mode (default: 123456789012 unless detected)
Basic Example (CSM Mode)

```shell
iamlive --set-ini
```

Basic Example (Proxy Mode)

```shell
iamlive --set-ini --mode proxy
```

Comprehensive Example (CSM Mode)

```shell
iamlive --set-ini --profile myprofile --fails-only --output-file policy.json --refresh-rate 1 --sort-alphabetical --host 127.0.0.1 --background
```

Comprehensive Example (Proxy Mode)

```shell
iamlive --set-ini --mode proxy --profile myprofile --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012 --background --force-wildcard-resource
```

The arguments may also be specified in an INI file located at ~/.iamlive/config.
Client-side monitoring mode is the default behaviour. With CSM enabled, the AWS CLI and SDKs emit a small JSON record for every API call as a UDP datagram to a local port (127.0.0.1:31000 by default); iamlive listens for these records and captures policy statements with the Action key only. The datagrams name the service and operation but carry no request parameters, so a Resource cannot be recovered from them (Resource is only available in proxy mode).

To enable CSM in the AWS CLI, either use the --set-ini option or add the following to the relevant profile in .aws/config:

```ini
csm_enabled = true
```

Alternatively, run the following in the window executing your CLI commands:

```shell
export AWS_CSM_ENABLED=true
```

To enable CSM in the various AWS SDKs, run the following in the window executing your application before it starts (the host and port shown are where iamlive listens; adjust AWS_CSM_HOST if you change --host):

```shell
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
```

Proxy mode serves a local HTTP(S) proxy (by default at http://127.0.0.1:10080) that inspects requests en route to AWS endpoints, so iamlive can generate IAM policy statements with both Action and Resource keys. To read HTTPS requests the proxy terminates TLS itself with a CA key/certificate bundle that is generated automatically and stored in a configurable location (~/.iamlive/ by default); the client is made to trust that CA for the duration of the session. Treat ~/.iamlive/ca.key as a secret: anything holding it can impersonate AWS endpoints to any client configured to trust the bundle.
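To make concrete what CSM mode consumes, here is an added example, not iamlive's own code: a minimal Go listener that receives CSM datagrams over UDP and folds the ApiCall records into an Action-only policy, with the same kind of failed-calls-only filter as --fails-only. The sample datagrams, the service-prefix override table, the placeholder client ID and the "4xx means failed" rule are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"sort"
	"strings"
)

// csmRecord holds the fields of a CSM datagram that matter here. "ApiCall"
// records summarise a whole call; "ApiCallAttempt" records describe each HTTP
// attempt and are skipped so that retries do not count twice.
type csmRecord struct {
	Type                string `json:"Type"`
	Service             string `json:"Service"`
	Api                 string `json:"Api"`
	FinalHttpStatusCode int    `json:"FinalHttpStatusCode"`
}

// Statement and Policy model what CSM mode can produce: Action only, with a
// wildcard Resource because the datagrams carry no request parameters.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// servicePrefix maps the service name CSM reports to the IAM action prefix where
// lowercasing is not enough. Assumed, illustrative entry; a real tool needs the full table.
var servicePrefix = map[string]string{"monitoring": "cloudwatch"}

func iamPrefix(service string) string {
	s := strings.ToLower(service)
	if p, ok := servicePrefix[s]; ok {
		return p
	}
	return s
}

// SampleDatagrams is constructed input shaped like CSM records: a duplicate
// call, an attempt record, and a denied (403) call.
var SampleDatagrams = []string{
	`{"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","HttpStatusCode":200}`,
	`{"Version":1,"ClientId":"","Type":"ApiCall","Service":"S3","Api":"ListBuckets","AttemptCount":1,"FinalHttpStatusCode":200}`,
	`{"Version":1,"ClientId":"","Type":"ApiCall","Service":"STS","Api":"GetCallerIdentity","AttemptCount":1,"FinalHttpStatusCode":200}`,
	`{"Version":1,"ClientId":"","Type":"ApiCall","Service":"S3","Api":"ListBuckets","AttemptCount":1,"FinalHttpStatusCode":200}`,
	`{"Version":1,"ClientId":"","Type":"ApiCall","Service":"Lambda","Api":"ListFunctions","AttemptCount":1,"FinalHttpStatusCode":403}`,
}

// BuildPolicy turns raw datagrams into a deduplicated, alphabetically sorted
// policy. With failsOnly set, only ApiCall records whose final status is a 4xx
// (403 AccessDenied in practice) contribute, so the output lists just the
// permissions the caller was missing.
func BuildPolicy(datagrams []string, failsOnly bool) (Policy, error) {
	seen := map[string]bool{}
	for _, d := range datagrams {
		var r csmRecord
		if err := json.Unmarshal([]byte(d), &r); err != nil {
			return Policy{}, fmt.Errorf("bad CSM record %q: %w", d, err)
		}
		if r.Type != "ApiCall" || r.Service == "" || r.Api == "" {
			continue
		}
		if failsOnly && (r.FinalHttpStatusCode < 400 || r.FinalHttpStatusCode > 499) {
			continue
		}
		seen[iamPrefix(r.Service)+":"+r.Api] = true
	}
	actions := make([]string, 0, len(seen))
	for a := range seen {
		actions = append(actions, a)
	}
	sort.Strings(actions)
	return Policy{Version: "2012-10-17",
		Statement: []Statement{{Effect: "Allow", Action: actions, Resource: "*"}}}, nil
}

// Listen binds a UDP socket on addr and hands every datagram to handle. With
// AWS_CSM_ENABLED=true the CLI/SDK sends to 127.0.0.1:31000 unless
// AWS_CSM_HOST / AWS_CSM_PORT say otherwise.
func Listen(addr string, handle func(string)) error {
	pc, err := net.ListenPacket("udp", addr)
	if err != nil {
		return err
	}
	defer pc.Close()
	buf := make([]byte, 64*1024)
	for {
		n, _, err := pc.ReadFrom(buf)
		if err != nil {
			return err
		}
		handle(string(buf[:n]))
	}
}

func main() {
	p, _ := BuildPolicy(SampleDatagrams, true)
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out)) // only the denied call survives: lambda:ListFunctions

	// "-listen" watches a live CLI session on the default CSM port instead.
	if len(os.Args) > 1 && os.Args[1] == "-listen" {
		var got []string
		fmt.Fprintln(os.Stderr, Listen("127.0.0.1:31000", func(d string) {
			got = append(got, d)
			if p, err := BuildPolicy(got, false); err == nil {
				out, _ := json.MarshalIndent(p, "", "  ")
				fmt.Println(string(out))
			}
		}))
	}
}
```

Run it with `-listen`, export AWS_CSM_ENABLED=true in another shell and issue a few `aws` commands to see the policy grow; without the flag it prints the policy derived from the constructed samples.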
Four settings are required for proper operation of iamlive proxy mode. All of them are controlled through environment variables, and the AWS-specific one also has a corresponding AWS CLI configuration file setting.

AWS_CA_BUNDLE

Specifies the path to a certificate bundle to use for HTTPS certificate validation. In proxy mode either this variable or the ca_bundle profile setting must point at the CA certificate iamlive generated (~/.iamlive/ca.pem by default), otherwise the CLI will reject the certificates the proxy presents.

If defined, this environment variable overrides the value for the profile setting ca_bundle. It can in turn be overridden with the AWS CLI's own --ca-bundle command line parameter (not to be confused with iamlive's --ca-bundle flag, which tells iamlive where to find or create the bundle).

iamlive's --set-ini option automatically sets ca_bundle in your .aws/config profile during the monitoring session, and clears it when the session completes.
HTTP_PROXY, HTTPS_PROXY and NO_PROXY

These conventional environment variables control the proxying behaviour of many client applications (e.g. wget and curl), most notably the AWS CLI. They must be exported in the shell of your CLI client session, e.g.:

```shell
# bash/zsh brace expansion: sets both HTTP_PROXY and HTTPS_PROXY
export {HTTP,HTTPS}_PROXY=http://127.0.0.1:10080
export NO_PROXY=eks.amazonaws.com,github.com
```

This forwards all HTTP and HTTPS traffic to a proxy at localhost port 10080, except traffic to endpoints under the domains eks.amazonaws.com and github.com.

Note that the HTTP and HTTPS proxy addresses must be the same, as instructed by the AWS CLI docs.
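To show why proxy mode can recover Resource where CSM cannot, here is an added example (not iamlive's implementation) of the classification step a proxy performs on a captured request after TLS termination: region and service come from the SigV4 credential scope in the Authorization header, the operation from X-Amz-Target (JSON services) or the Action form parameter (query services), and a table ARN from a DynamoDB request body. The sample requests, the placeholder access key and signature, and the narrow set of services handled are assumptions for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Statement is one IAM statement with both keys, as proxy mode can produce.
type Statement struct {
	Action   string
	Resource string
}

// scopeRe extracts region and service from the SigV4 credential scope, e.g.
// Credential=AKIA.../20240101/us-east-1/dynamodb/aws4_request. Every signed
// request carries it, which makes it the most reliable source of the service name.
var scopeRe = regexp.MustCompile(`Credential=[^/]+/\d{8}/([^/]+)/([^/]+)/aws4_request`)

// Classify maps one intercepted request to a statement. Two wire shapes are
// handled: JSON services that name the operation in X-Amz-Target
// ("DynamoDB_20120810.GetItem") and query services that pass Action= in a form
// body (STS, EC2, IAM). REST/XML services such as S3 need per-service routing
// tables and are left out. The signing service name is not always the IAM
// prefix (e.g. "monitoring" signs CloudWatch calls); a real tool maps these.
func Classify(req *http.Request, accountID string) (Statement, error) {
	m := scopeRe.FindStringSubmatch(req.Header.Get("Authorization"))
	if m == nil {
		return Statement{}, fmt.Errorf("no SigV4 credential scope on request")
	}
	region, service := m[1], m[2]
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return Statement{}, err
	}
	if target := req.Header.Get("X-Amz-Target"); target != "" {
		op := target[strings.LastIndex(target, ".")+1:]
		st := Statement{Action: service + ":" + op, Resource: "*"}
		// DynamoDB names the table in the body; that is enough to build a table ARN.
		if service == "dynamodb" {
			var p struct{ TableName string }
			if json.Unmarshal(body, &p) == nil && p.TableName != "" {
				st.Resource = fmt.Sprintf("arn:aws:dynamodb:%s:%s:table/%s", region, accountID, p.TableName)
			}
		}
		return st, nil
	}
	if strings.HasPrefix(req.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
		vals, err := url.ParseQuery(string(body))
		if err != nil {
			return Statement{}, err
		}
		if a := vals.Get("Action"); a != "" {
			return Statement{Action: service + ":" + a, Resource: "*"}, nil
		}
	}
	return Statement{}, fmt.Errorf("unrecognised request shape for service %s", service)
}

// ParseRaw turns raw request bytes (what the proxy sees after TLS termination)
// into an *http.Request.
func ParseRaw(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// rawRequest assembles a constructed request. The access key and signature are
// placeholders, not real credentials; Content-Length is computed so the body parses.
func rawRequest(host, service, contentType, target, body string) string {
	auth := "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240101/us-east-1/" + service +
		"/aws4_request, SignedHeaders=host;x-amz-date, Signature=0000"
	h := fmt.Sprintf("POST / HTTP/1.1\r\nHost: %s\r\nContent-Type: %s\r\nAuthorization: %s\r\n",
		host, contentType, auth)
	if target != "" {
		h += "X-Amz-Target: " + target + "\r\n"
	}
	return h + fmt.Sprintf("Content-Length: %d\r\n\r\n%s", len(body), body)
}

// SampleDynamoDB and SampleSTS are constructed captures used below.
var (
	SampleDynamoDB = rawRequest("dynamodb.us-east-1.amazonaws.com", "dynamodb",
		"application/x-amz-json-1.0", "DynamoDB_20120810.GetItem",
		`{"TableName":"users","Key":{"id":{"S":"42"}}}`)
	SampleSTS = rawRequest("sts.amazonaws.com", "sts",
		"application/x-www-form-urlencoded; charset=utf-8", "",
		"Action=GetCallerIdentity&Version=2011-06-15")
)

func main() {
	for _, raw := range []string{SampleDynamoDB, SampleSTS} {
		req, err := ParseRaw(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		st, err := Classify(req, "123456789012")
		if err != nil {
			fmt.Println("classify error:", err)
			continue
		}
		fmt.Printf("%-24s %s\n", st.Action, st.Resource)
	}
}
```

The account ID is a parameter here because, as the --account-id flag notes, the proxy cannot always learn it from the traffic it sees; a request lacking a SigV4 credential scope (an unsigned or non-AWS call that slipped past NO_PROXY) is rejected rather than guessed at.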
I get a message "package embed is not in GOROOT" when attempting to build myself
This project requires Go 1.19 or above to build correctly; that error comes from an older toolchain that lacks the embed package the build uses.
This project makes use of Parliament and was assisted by Scott Piper's CSM explainer. Thanks also to Noam Dahan's research into missing iam:PassRole dependent actions.
