def clean_unused_iam_policies()

in aws-cloudknox-config/lambda/CloudKnox_IAMRightsize.py [0:0]


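def _iter_iam_pages(list_call, result_key, **kwargs):
    """
    Yield every item returned by a paginated IAM list operation.

    IAM list calls return one page per request and signal further pages with
    ``IsTruncated``/``Marker``. A single un-paginated call would silently miss
    attachments on a user with many policies or groups, leaving excess
    permissions in place after a "rightsize" run.

    :param list_call: bound client method, e.g. ``client.list_user_policies``
    :param result_key: key of the item list in each response page
    :param kwargs: request parameters forwarded to every page request
    """
    call_name = getattr(list_call, '__name__', result_key)
    marker = None
    while True:
        params = dict(kwargs)
        if marker:
            params['Marker'] = marker
        page = list_call(**params)
        logger.info(f'{call_name} page {page}')
        yield from page.get(result_key, [])
        if not page.get('IsTruncated'):
            return
        marker = page.get('Marker')
        if not marker:
            # Truncated without a marker should not happen; stop rather than loop forever.
            return


def clean_unused_iam_policies(client, iam_user, remediated_iam_policy_list=None):
    """
    Strip an IAM user down to the required managed policies.

    After this call the user keeps only the attached managed policies whose
    ``PolicyName`` is listed in ``remediated_iam_policy_list``. Every other
    attached managed policy is detached, every group membership is removed and
    every inline user policy is deleted. All list calls are fully paginated.

    :param client: boto3 IAM client
    :param iam_user: IAM user name
    :param remediated_iam_policy_list: names of the managed policies the user
        must keep; required, since an absent allow-list would otherwise mean
        "detach everything"
    :raises TypeError: if ``remediated_iam_policy_list`` is ``None``
    """
    if remediated_iam_policy_list is None:
        # Fail closed before any IAM call. The previous code only raised (a TypeError
        # from `x not in None`) once it met an attached policy, and would still
        # strip groups and inline policies on a user with no attached policies.
        raise TypeError('remediated_iam_policy_list must be a list of policy names, not None')
    required_policy_names = set(remediated_iam_policy_list)

    # Materialise each listing before mutating it: detaching while walking
    # marker-based pages can skip entries.
    # NOTE(review): the allow-list is matched on PolicyName, not PolicyArn. A
    # customer-managed policy may carry the same name as an AWS-managed one, so
    # a required name would keep either; match on ARN if that distinction matters.
    attached_policies = list(_iter_iam_pages(
        client.list_attached_user_policies, 'AttachedPolicies', UserName=iam_user))
    for policy in attached_policies:
        policy_arn = policy['PolicyArn']
        if policy['PolicyName'] in required_policy_names:
            logger.info(f'policy {policy_arn} skipped')
            continue
        logger.info(f'policy {policy_arn} to be detached')
        detach_user_policy_resp = client.detach_user_policy(UserName=iam_user, PolicyArn=policy_arn)
        logger.info(f'detach_user_policy for {policy_arn} response {detach_user_policy_resp}')

    # Group memberships are never on the allow-list: all of them are removed,
    # regardless of which policies the groups carry.
    groups = list(_iter_iam_pages(client.list_groups_for_user, 'Groups', UserName=iam_user))
    for group in groups:
        group_name = group['GroupName']
        logger.info(f'group {group_name} to be detached')
        remove_user_from_group_resp = client.remove_user_from_group(GroupName=group_name, UserName=iam_user)
        logger.info(f'remove_user_from_group for {group_name} response {remove_user_from_group_resp}')

    # Inline policies are likewise removed unconditionally; they cannot be
    # named in the allow-list, which holds managed policy names.
    inline_policy_names = list(_iter_iam_pages(client.list_user_policies, 'PolicyNames', UserName=iam_user))
    for policy_name in inline_policy_names:
        logger.info(f'user inline policy {policy_name} to be deleted')
        delete_user_policy_resp = client.delete_user_policy(UserName=iam_user, PolicyName=policy_name)
        logger.info(f'delete_user_policy for {policy_name} response {delete_user_policy_resp}')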