AWS - How to check if EC2 is associated with proper policies

Time:06-08

In my company I have no access to the AWS console, but our company's AWS administrator creates an EC2 instance and lets me access it through ssh.

When I ask for the creation of an EC2 instance, I give the policies I need for the EC2 instance.

However, the administrator often forgets to associate some policies with the EC2 instance.

Therefore, I want to automate the process of checking whether my EC2 instance has enough authority to perform some actions, for example as below.

Action: cloudwatch:GetMetricData - Resource: *
Action: rds:DescribeExportTasks - Resource: *
Action: rds:StartExportTask - Resource: *
Action: rds:DescribeDBSnapshots - Resource: arn:aws:rds::region:account:snapshot:*

I did some research, found aws-cli and some commands for checking this, but I am wondering if there are any ways to do so without asking for more authority just for checking the instance.

Any help will be appreciated. Thanks in advance.

CodePudding user response:

You can get the policies attached to your EC2 instance in a few steps.
1: Get the name of your EC2 role.
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-123456789
You will get role name with the above command.

2: List role policies
aws iam list-role-policies --role-name my-instance-role-name
With the above command you will get all the policies attached to it.

3: Describe policies.
aws iam get-role-policy --role-name my-instance-role-name --policy-name attachedpolicyname
With the above command, you will get the policy in JSON.

UPDATE: With the get-role-policy you get only the inline policies.

For other policies, you need one more step.

4: List non-inline policies attached to the role.
aws iam list-attached-role-policies --role-name my-instance-role-name
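As an added example (not code from the original post or the answer above), this Python script automates steps 2 to 4 with boto3 and then checks the collected policy documents against the action/resource list from the question. The fetch needs IAM read permissions on the role, the sample documents and snapshot ARN are constructed, and the policy evaluation is a simplified approximation of IAM's, so treat a "granted" result as a first check rather than proof.

```python
# Added example (not from the original post): gather an EC2 role's policy
# documents with boto3 and check them against a list of required actions.
import fnmatch

# Constructed sample documents (one inline, one managed) for an offline run.
SAMPLE_DOCS = [
    {"Statement": [{"Effect": "Allow", "Resource": "*",
                    "Action": ["cloudwatch:GetMetricData", "rds:Describe*"]}]},
    {"Statement": [{"Effect": "Allow", "Action": "rds:StartExportTask", "Resource": "*"},
                   {"Effect": "Deny", "Action": "rds:DescribeDBSnapshots",
                    "Resource": "arn:aws:rds:us-east-1:123456789012:snapshot:prod-*"}]},
]
# Required pairs; resource '*' is satisfied only by a '*' grant; the ARN is a constructed placeholder.
REQUIRED = [("cloudwatch:GetMetricData", "*"), ("rds:DescribeExportTasks", "*"),
            ("rds:StartExportTask", "*"),
            ("rds:DescribeDBSnapshots", "arn:aws:rds:us-east-1:123456789012:snapshot:nightly-1")]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(docs, action, resource):
    """True iff some statement allows action on resource and none denies it. Simplified
    IAM semantics: '*'/'?' wildcards, case-insensitive actions, explicit Deny wins;
    Conditions, NotAction/NotResource, permission boundaries and SCPs are ignored."""
    allowed = False
    for doc in docs:
        for st in _as_list(doc.get("Statement", [])):
            # Statements using NotAction/NotResource have no Action/Resource key and are skipped.
            act_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
            res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
            if act_hit and res_hit:
                if st.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed

def missing_permissions(docs, required=REQUIRED):
    """Required (action, resource) pairs that the documents do not grant."""
    return [(a, r) for a, r in required if not is_allowed(docs, a, r)]

def fetch_role_policy_docs(role_name):
    """Inline + attached managed documents of a role (needs IAM read access; no pagination)."""
    import boto3
    iam = boto3.client("iam")
    docs = [iam.get_role_policy(RoleName=role_name, PolicyName=n)["PolicyDocument"]
            for n in iam.list_role_policies(RoleName=role_name)["PolicyNames"]]
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        ver = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=att["PolicyArn"],
                                           VersionId=ver)["PolicyVersion"]["Document"])
    return docs
```

Run `missing_permissions(fetch_role_policy_docs("my-instance-role-name"))` on the instance to list what the administrator still has to attach; an empty list means every required pair is granted by some Allow statement and hit by no Deny.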