Here I use boto3 calls to perform four operations:
- List all users
- List the policies attached to each user
- List the groups (roles) each user has been added to
- List MFA devices, to see whether a user has MFA configured (this does not check whether MFA is enforced, only whether the user has registered a device)
Get an IAM connection to the AWS account (the "XXX" values are placeholders for your own credentials; in practice prefer a credential profile, instance role or environment variables over hard-coded keys):
    import boto3

    client = boto3.client('iam', aws_access_key_id="XXX", aws_secret_access_key="XXX")
Get the IAM users. This prints every user name; if you also want other details, you can customize it.
    users = client.list_users()
    for key in users['Users']:
        print(key['UserName'])
Get the list of (inline) policies attached to each user. Note that list_user_policies returns PolicyNames as a list of plain strings, not dictionaries, so each entry is printed directly:
    for key in users['Users']:
        List_of_Policies = client.list_user_policies(UserName=key['UserName'])
        for policy_name in List_of_Policies['PolicyNames']:
            print(policy_name)
Get the list of groups each user belongs to:
    for key in users['Users']:
        List_of_Groups = client.list_groups_for_user(UserName=key['UserName'])
        for group in List_of_Groups['Groups']:
            print(group['GroupName'])
Check whether an MFA device is configured:
    for key in users['Users']:
        List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])
        for device in List_of_MFA_Devices['MFADevices']:
            print(device)
You can further check whether List_of_MFA_Devices['MFADevices'] is empty. If it is empty, no MFA device is configured for that user.
If you want the output as a list of dictionaries, where each index holds one dictionary with key/value pairs for userName, Groups, Policies and whether an MFA device is configured, use the following code:
    import boto3

    # "XXXX" / "YYY" are placeholders for your own credentials
    client = boto3.client('iam', aws_access_key_id="XXXX", aws_secret_access_key="YYY")
    users = client.list_users()
    user_list = []
    for key in users['Users']:
        result = {}
        Groups = []
        result['userName'] = key['UserName']
        # inline policies: PolicyNames is already a list of strings
        List_of_Policies = client.list_user_policies(UserName=key['UserName'])
        result['Policies'] = List_of_Policies['PolicyNames']
        List_of_Groups = client.list_groups_for_user(UserName=key['UserName'])
        for Group in List_of_Groups['Groups']:
            Groups.append(Group['GroupName'])
        result['Groups'] = Groups
        # an empty MFADevices list means the user has not registered a device
        List_of_MFA_Devices = client.list_mfa_devices(UserName=key['UserName'])
        if not len(List_of_MFA_Devices['MFADevices']):
            result['isMFADeviceConfigured'] = False
        else:
            result['isMFADeviceConfigured'] = True
        user_list.append(result)
    for key in user_list:
        print(key)
Output of the above code (one dictionary per user; isMFADeviceConfigured is False or True as appropriate):
    {'userName': 'user1', 'Policies': ['policy1', 'policy2'], 'Groups': ['grp1', 'grp2'], 'isMFADeviceConfigured': False/True}
    {'userName': 'user2', 'Policies': ['policy1', 'policy2'], 'Groups': ['grp1', 'grp2'], 'isMFADeviceConfigured': False/True}
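Two things the snippets above leave out that matter for an audit: list_user_policies only returns inline policies (managed policies need list_attached_user_policies), and every IAM list call is paginated, so a single call silently stops at the first page on larger accounts. The following is an added example, not code from the original post; it builds the same per-user dictionary as the final snippet but follows IsTruncated/Marker pagination, collects both inline and attached policies, and uses get_login_profile to flag users who have a console password but no MFA device, which is the combination an auditor usually cares about. FakeIamClient is a constructed stand-in that mimics the boto3 IAM response shapes so the example runs offline; the user names, policy names and account id in it are made up. In a real run, pass boto3.client('iam') instead.

```python
"""Audit IAM users: groups, inline + attached policies, console password, MFA.

Added example (not the original post's code). Assumes a boto3-style IAM client;
FakeIamClient below is a constructed offline stand-in with made-up data.
"""


def _paginate(fn, list_key, **kwargs):
    """Collect every page of an IAM list call by following IsTruncated/Marker."""
    items = []
    marker = None
    while True:
        resp = fn(Marker=marker, **kwargs) if marker else fn(**kwargs)
        items.extend(resp[list_key])
        if not resp.get('IsTruncated'):
            return items
        marker = resp['Marker']


def audit_user(client, user_name):
    """Build one result dictionary for a single user."""
    inline = _paginate(client.list_user_policies, 'PolicyNames', UserName=user_name)
    attached = [p['PolicyName'] for p in
                _paginate(client.list_attached_user_policies, 'AttachedPolicies', UserName=user_name)]
    groups = [g['GroupName'] for g in
              _paginate(client.list_groups_for_user, 'Groups', UserName=user_name)]
    mfa = _paginate(client.list_mfa_devices, 'MFADevices', UserName=user_name)
    try:
        client.get_login_profile(UserName=user_name)
        has_console = True
    except client.exceptions.NoSuchEntityException:
        has_console = False  # no login profile means no console password
    return {
        'userName': user_name,
        'Groups': groups,
        'Policies': inline,
        'AttachedPolicies': attached,
        'hasConsolePassword': has_console,
        'isMFADeviceConfigured': len(mfa) > 0,
    }


def audit_users(client):
    """Audit every user in the account (all pages of list_users)."""
    return [audit_user(client, u['UserName']) for u in _paginate(client.list_users, 'Users')]


def console_users_without_mfa(report):
    """Users who can log in to the console but have registered no MFA device."""
    return [r['userName'] for r in report
            if r['hasConsolePassword'] and not r['isMFADeviceConfigured']]


class _Exceptions:
    class NoSuchEntityException(Exception):
        pass


class FakeIamClient:
    """Constructed stand-in returning the same response shapes as boto3 IAM."""
    exceptions = _Exceptions
    _users = ['alice', 'bob', 'svc-deploy']                      # made-up users
    _inline = {'alice': ['s3-read'], 'bob': [], 'svc-deploy': ['deploy-inline']}
    _attached = {'alice': [], 'bob': ['AdministratorAccess'], 'svc-deploy': []}
    _groups = {'alice': ['admins', 'devs'], 'bob': ['devs'], 'svc-deploy': []}
    _mfa = {'alice': ['arn:aws:iam::123456789012:mfa/alice'], 'bob': [], 'svc-deploy': []}
    _console = {'alice', 'bob'}

    def list_users(self, Marker=None):
        # Served as two pages to exercise the Marker loop
        if Marker is None:
            return {'Users': [{'UserName': u} for u in self._users[:2]],
                    'IsTruncated': True, 'Marker': 'page2'}
        return {'Users': [{'UserName': u} for u in self._users[2:]], 'IsTruncated': False}

    def list_user_policies(self, UserName):
        return {'PolicyNames': list(self._inline[UserName]), 'IsTruncated': False}

    def list_attached_user_policies(self, UserName):
        return {'AttachedPolicies': [{'PolicyName': p, 'PolicyArn': 'arn:aws:iam::aws:policy/' + p}
                                     for p in self._attached[UserName]], 'IsTruncated': False}

    def list_groups_for_user(self, UserName):
        return {'Groups': [{'GroupName': g} for g in self._groups[UserName]], 'IsTruncated': False}

    def list_mfa_devices(self, UserName):
        return {'MFADevices': [{'UserName': UserName, 'SerialNumber': s}
                               for s in self._mfa[UserName]], 'IsTruncated': False}

    def get_login_profile(self, UserName):
        if UserName not in self._console:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {'LoginProfile': {'UserName': UserName}}


if __name__ == '__main__':
    report = audit_users(FakeIamClient())   # use boto3.client('iam') against a real account
    for row in report:
        print(row)
    print('console users without MFA:', console_users_without_mfa(report))
```

With the constructed data, bob is the only finding: he has a console password and an attached AdministratorAccess policy but no MFA device; svc-deploy has no console password, so a missing MFA device is expected for a purely programmatic user and is not reported.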