Downloading Policies

Usage: policy_sentry download-policies [OPTIONS]

  Download remote IAM policies to a directory for use in the analyze-iam-
  policies command.

Options:
  --recursive           Use this flag to download *all* IAM policies from
                        accounts listed in your AWS credentials file.
  --profile TEXT        To authenticate to AWS and analyze *all* existing IAM
                        policies.
  --aws-managed         Use flag if you want to download AWS Managed policies
                        too.
  --include-unattached  Download both attached and unattached policies.
  --help                Show this message and exit.
  • Make sure you are authenticated to AWS.

Customer-managed policies - one account

  • Run this command:
policy_sentry download-policies --profile dev
  • It will download the policies to $HOME/.policy_sentry/policy-analysis/account-number/customer-managed.
  • You can then run analysis on the entire directory:
policy_sentry analyze

Then it will generate a report based on risky IAM actions for a variety of categories, like Network Exposure, Resource Exposure, Credentials Exposure, or Privilege Escalation.

AWS Managed policies

  • Run this command:
policy_sentry download-policies --profile dev --aws-managed
  • It will download the policies to $HOME/.policy_sentry/policy-analysis/account-number/aws-managed.
  • You can then run analysis on the entire directory:
analyze-iam-policy --policy $HOME/.policy_sentry/policy-analysis/0123456789012/customer-managed --from-access-level permissions-management

Then it will print out the AWS Managed IAM policies that contain actions with “Permissions management” access levels.