IAM LIVE and AWS NUKE: 2 more tools for your Kit

Abstract

At the 2022 re:Invent conference, a number of open-source CLI tools were shown, including iamlive.

iamlive generates an IAM policy from what the AWS CLI actually does. With Client Side Monitoring (CSM) enabled, the CLI reports every API call it makes to a local UDP socket; iamlive listens on that socket and turns the actions it observes into a policy document (it can also run as an HTTPS proxy, in which case it sees the requests themselves, including resource ARNs). Another tool from the conference was aws-nuke, which deletes every resource in an AWS account. It is as dangerous as it sounds, but for a sandbox account used for prototyping or learning it is the simplest way to make sure nothing is left running and generating charges.

IAM LIVE

Installation

brew install iann0036/iamlive/iamlive

iamlive --set-ini

With --set-ini, iamlive adds csm_enabled = true to the default profile in ~/.aws/config (and removes it again when it exits), which makes the AWS CLI emit the CSM records iamlive listens for:

[default]
csm_enabled = true
region = us-west-1
output = json

Leave iamlive running and run the AWS CLI in a second terminal:

aws s3 ls

iamlive output:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}

Call a second service (Lambda) to see the policy grow:

aws lambda list-functions --query 'Functions[*].[FunctionName]'
[
    [
        "proto-subscribe"
    ],
    [
        "proto-publisher-sns"
    ],
    [
        "proto-sqs-subscriber"
    ],
    [
        "proto-publisher"
    ],
    [
        "proto-publisher-sqs"
    ]
]

iamlive's output now contains one more action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "lambda:ListFunctions"
      ],
      "Resource": "*"
    }
  ]
}
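To make the mechanism concrete, here is an added example (my code, not iamlive's) that does in miniature what iamlive does in CSM mode: read the Client Side Monitoring datagrams the AWS CLI/SDK sends to UDP 127.0.0.1:31000, keep only the completed calls, map each (Service, Api) pair to an IAM action and emit a policy. The sample datagrams and the small ListBuckets mapping table are constructed for this example; iamlive itself resolves operation-to-action names through its bundled IAM dataset. It also shows why Resource stays "*" above: CSM records carry only the operation name, not the ARN, so resource scoping has to be done by hand (or by running iamlive in proxy mode).

```python
"""Build an IAM policy from AWS SDK Client Side Monitoring (CSM) records.

Added example in the spirit of iamlive's CSM mode; it is not iamlive's code.
With csm_enabled = true the AWS CLI/SDK sends one JSON datagram per API call
(and one per attempt) to UDP 127.0.0.1:31000; this script turns such records
into a policy document.
"""
import json
import socket

# Constructed sample records modelled on CSM fields (Type, Service, Api,
# Region). Real datagrams carry more fields (ClientId, Latency, ...).
SAMPLE_DATAGRAMS = [
    b'{"Version":1,"Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","Region":"us-west-1"}',
    b'{"Version":1,"Type":"ApiCall","Service":"S3","Api":"ListBuckets","Region":"us-west-1"}',
    b'{"Version":1,"Type":"ApiCallAttempt","Service":"Lambda","Api":"ListFunctions","Region":"us-west-1"}',
    b'{"Version":1,"Type":"ApiCall","Service":"Lambda","Api":"ListFunctions","Region":"us-west-1"}',
    b'{"Version":1,"Type":"ApiCall","Service":"Lambda","Api":"ListFunctions","Region":"us-west-1"}',
]

# The SDK operation name is not always the IAM action name (S3 ListBuckets is
# authorised by s3:ListAllMyBuckets). iamlive resolves this from its IAM
# dataset; this table is an assumption covering only this example.
OPERATION_TO_ACTION = {
    ("s3", "ListBuckets"): "s3:ListAllMyBuckets",
}


def action_for(service: str, api: str) -> str:
    """Map a CSM (Service, Api) pair to an IAM action string.

    Lower-casing the service name is a heuristic that holds for S3 and
    Lambda; services whose IAM prefix differs from the CSM name need an
    entry in OPERATION_TO_ACTION.
    """
    prefix = service.lower()
    return OPERATION_TO_ACTION.get((prefix, api), f"{prefix}:{api}")


def actions_from_datagrams(datagrams) -> list:
    """Return sorted, de-duplicated IAM actions for the completed calls.

    Only Type == "ApiCall" records count; each call also produces one
    ApiCallAttempt record per attempt, which would otherwise be double-counted.
    """
    actions = set()
    for raw in datagrams:
        event = json.loads(raw)
        if event.get("Type") != "ApiCall":
            continue
        actions.add(action_for(event["Service"], event["Api"]))
    return sorted(actions)


def build_policy(actions) -> dict:
    """Wrap the actions in a single-statement policy. Resource is "*" because
    CSM records do not include the ARN that was accessed; scope it by hand."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def collect_csm(count: int, port: int = 31000) -> list:
    """Receive `count` datagrams from the local CSM socket (online use only;
    run AWS CLI commands in another terminal while this is listening)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", port))
        return [sock.recv(65535) for _ in range(count)]


if __name__ == "__main__":
    policy = build_policy(actions_from_datagrams(SAMPLE_DATAGRAMS))
    print(json.dumps(policy, indent=2))
```

Replace SAMPLE_DATAGRAMS with collect_csm(n) while running real CLI commands to see live records; the resulting policy is a starting point for least privilege, not the end of it, because the Resource element still needs tightening to the buckets and functions you actually touch.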

Results

Screenshot (screen.img): iamlive running on the left, aws-shell on the right.

AWS NUKE

Installation

brew install aws-nuke

Usage

Create nuke-config.yml. The account to wipe is listed under accounts; production accounts go in account-blocklist so aws-nuke refuses to run against them even if the wrong profile is selected (the blocklist must not be empty). aws-nuke also requires the target account to have an account alias, and refuses to run if the alias contains "prod":

regions:
- eu-west-1
- global

account-blocklist:
- "999999999999" # production

accounts:
  "000000000000": {} # aws-nuke-example

Run aws-nuke against the account. Without --no-dry-run it only lists the resources it would delete:

aws-nuke -c config/nuke-config.yml --profile aws-nuke-example

Review that list, then add --no-dry-run to actually delete the resources; aws-nuke asks you to type the account alias to confirm:

aws-nuke -c config/nuke-config.yml --profile aws-nuke-example --no-dry-run
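The dry run is the only safety net between a typo in the profile and an empty account, so it is worth reviewing mechanically rather than by eye. The following added example (my code, not part of aws-nuke) parses the per-resource lines of a dry run, summarises them by type and refuses to proceed if any resource of a protected type would be removed, which is the signal to add a filter to nuke-config.yml first. The sample output lines are constructed for this example and follow the "<region> - <type> - <id> [- <properties>] - <status>" shape of aws-nuke's log lines; that format and the protected type list are assumptions, not something the post shows.

```python
"""Review an aws-nuke dry run before adding --no-dry-run.

Added example, not part of aws-nuke. It parses the per-resource lines a dry
run prints and refuses to proceed if anything in a protected resource type
would be removed, so the config gets a filter first. The output lines below
are constructed for this example and follow the "<region> - <type> - <id>
[- <properties>] - <status>" shape of aws-nuke's log lines (an assumption
about the format).
"""
import re
from collections import Counter

SAMPLE_DRY_RUN = """\
eu-west-1 - LambdaFunction - proto-publisher - [Name: "proto-publisher"] - would remove
eu-west-1 - LambdaFunction - proto-subscribe - [Name: "proto-subscribe"] - would remove
eu-west-1 - S3Bucket - s3://proto-artifacts - [Name: "proto-artifacts"] - would remove
global - IAMRole - OrganizationAccountAccessRole - [Name: "OrganizationAccountAccessRole"] - would remove
global - IAMUser - nuke-admin - filtered by config
global - CloudTrailTrail - org-trail - [Name: "org-trail"] - would remove
"""

# Types a sandbox account should usually keep even when wiped (assumption for
# this example): the role used to administer it and the audit trail.
PROTECTED_TYPES = frozenset({"IAMRole", "CloudTrailTrail"})

LINE_RE = re.compile(
    r"^(?P<region>\S+) - (?P<type>\S+) - (?P<id>.+?)"
    r"(?: - (?P<props>\[[^\]]*\]))? - (?P<status>.+)$"
)


def parse_dry_run(text: str) -> list:
    """Return one dict per parsed resource line; unrelated log lines are skipped."""
    resources = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            resources.append(match.groupdict())
    return resources


def would_remove(resources: list) -> list:
    """Only lines with status 'would remove' are deleted on --no-dry-run;
    'filtered by config' lines are kept."""
    return [r for r in resources if r["status"] == "would remove"]


def summarize(resources: list) -> Counter:
    """Count, per resource type, what aws-nuke would actually delete."""
    return Counter(r["type"] for r in would_remove(resources))


def protected_hits(resources: list, protected=PROTECTED_TYPES) -> list:
    """Protected resources the dry run would remove. Non-empty means: add a
    filter for them to nuke-config.yml before running with --no-dry-run."""
    return [r for r in would_remove(resources) if r["type"] in protected]


def safe_to_nuke(text: str) -> bool:
    """True when the dry run touches no protected resource type."""
    return not protected_hits(parse_dry_run(text))


if __name__ == "__main__":
    parsed = parse_dry_run(SAMPLE_DRY_RUN)
    for rtype, count in sorted(summarize(parsed).items()):
        print(f"{count:4d}  {rtype}")
    for hit in protected_hits(parsed):
        print(f"REFUSE: would remove protected {hit['type']} {hit['id']}")
    raise SystemExit(0 if safe_to_nuke(SAMPLE_DRY_RUN) else 1)
```

In practice you pipe the real dry-run output into parse_dry_run and only run the --no-dry-run command when safe_to_nuke returns True; the non-zero exit code makes this usable as a gate in a script.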

This post is licensed under CC BY 4.0 by the author.