Generate a basic IAM policy from AWS client-side monitoring (CSM)
Pre-built binaries for Windows, macOS and Linux are available for download in the project releases.
Once downloaded, place the extracted binary in your $PATH (or execute in-place). For macOS users, you may need to allow the application to run via System Preferences.
To build and install this application, clone this repository and execute the following from its base directory:
go install
You must have Go 1.16 or later installed for the build to work.
To start the listener, run iamlive in a separate window from your CLI / SDK application. Press Ctrl+C to exit when you are done.
You can optionally also include the following arguments to the iamlive command:
--set-ini: when set, the .aws/config file will be updated to use CSM monitoring and restored when exiting (default: false)
--profile: use the specified profile when combined with --set-ini (default: default)
--fails-only: when set, only failed AWS calls will be added to the policy (default: false)
--output-file: specify a file that will be written to on SIGHUP or exit (default: unset)
--refresh-rate: instead of flushing to the console on every API call, flush every this many seconds (default: 0)
--sort-alphabetical: sort actions alphabetically (default: false)
Example
iamlive --set-ini --profile myprofile --fails-only --output-file policy.json --refresh-rate 1 --sort-alphabetical
To enable CSM in the AWS CLI, you should either use the --set-ini option or add the following to the relevant profile in .aws/config:
csm_enabled = true
Alternatively, you can run the following in the window executing your CLI commands:
export AWS_CSM_ENABLED=true
To enable CSM in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
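Once CSM is enabled, the CLI or SDK emits one small JSON datagram per API call attempt to the host and port above, and the listener only has to collect the service/API pairs it sees. The following Go program is an added example of that core step; it is not iamlive's own code. It assumes the CSM datagram keys Type, Service, Api and HttpStatusCode, uses a naive "service:Api" join instead of iamlive's curated action mapping, and uses a constructed sample datagram in main.

```go
package main

import (
	"encoding/json"
	"os"
	"sort"
	"strings"
)

// csmEvent holds the CSM fields used here (key names are an assumption, not from the README).
type csmEvent struct {
	Type           string `json:"Type"`
	Service        string `json:"Service"`
	Api            string `json:"Api"`
	HttpStatusCode int    `json:"HttpStatusCode"`
}
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// BuildPolicy folds CSM datagrams into one Allow statement over the distinct actions
// seen, sorted (as --sort-alphabetical). Only "ApiCallAttempt" events carry a status,
// so they drive failsOnly (>= 400 is a failed call, as --fails-only). Resource is "*"
// because CSM carries no resource or condition data. Malformed datagrams are skipped.
func BuildPolicy(datagrams []string, failsOnly bool) Policy {
	seen := map[string]bool{}
	for _, d := range datagrams {
		var ev csmEvent
		if json.Unmarshal([]byte(d), &ev) != nil || ev.Type != "ApiCallAttempt" ||
			(failsOnly && ev.HttpStatusCode < 400) {
			continue // malformed, not an attempt, or a success while in failsOnly mode
		}
		seen[strings.ToLower(ev.Service)+":"+ev.Api] = true // naive mapping, see lead-in
	}
	actions := make([]string, 0, len(seen))
	for a := range seen {
		actions = append(actions, a)
	}
	sort.Strings(actions)
	return Policy{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow", Action: actions, Resource: "*"}}}
}
func main() { // demo on a constructed datagram; a real listener would read UDP on 127.0.0.1:31000
	sample := `{"Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","HttpStatusCode":200}`
	json.NewEncoder(os.Stdout).Encode(BuildPolicy([]string{sample}, false))
}
```

Real IAM action names do not always equal API names (S3 ListBuckets is s3:ListAllMyBuckets, for instance), which is why iamlive relies on a mapping table rather than this join.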
I get a message "package embed is not in GOROOT" when attempting to build myself
This project requires Go 1.16 or above to build correctly, because it uses the embed package introduced in that release.
Can we include specifics for the Resource and Condition fields?
No. The CSM protocol does not carry resource or condition information about the calls it reports, and that cannot be changed on the iamlive side.
This project makes heavy use of Parliament and was assisted by Scott Piper's CSM explainer.