IAM

Get unused security groups

#!/bin/bash
 
#Get all security groups and check against network interfaces thety are allocated to.
echo "" > security_groups.txt
for SG in
$(aws ec2 describe-security-groups --profile nonprod_admin | jq --raw-output '.[][] | [.GroupId, .GroupName, .Description ] | @csv')
do
echo $SG
#echo $SG | tee  security_groups.txt | cut -f1 -d | aws ec2 describe-network-interfaces --filters Name=group-id,Values=${SG} --profile nonprod_admin
done
 
# Clean up our temporary mess
rm security_groups.txt

List roles

$ aws iam list-roles --profile dev_admin | jq .[][].RoleName | grep -i 'dev\|test\|nonprod'
"AJS-stepFunctionTest"
"AndrewLambdaTest"
"codebuild-test-service-role"
"codebuild-test-service-role22"
"developer"

Assume role

#!/bin/bash
 
ROLEARN='arn:aws:iam::12121212121212:role/myrole_ec2'
 
for ACCOUNT in 123412341234 432143214321
do
      printf "Using account ${ACCOUNT}"
      RESULT=$(aws sts assume-role --role-arn "arn:aws:iam::${ACCOUNT}:role/${ROLEARN}" --role-session-name AWSCLI-Session)
 
      export $(echo "${RESULT}" | jq .[]key-or-similar)
      export $(echo "${RESULT}" | jq .[]secret-stuff)
      export $(echo "${RESULT}" | jq .[]session-stuff) 
 
      aws sts get-caller-identity  # Should show info from assumed role in ${ACCOUNT}
done

AWS SSO

For times when you need to authenticate on a remote system without a browser. If you get a redirect to 127.0.0.1 failure error messge, this is for you:-

aws configure sso --use-device-code

Table of Contents

IAM

Get unused security groups

List roles

Assume role

AWS SSO