This project will be a simple implementation of the UnusedAnalyzer using the AWS SDK for Rust.
Here is an official blog post about UnusedAnalyzer.
And it's documentation is here.
After studying how the official UnusedAnalyzer works, I don’t quite understand why this feature was designed as a paid feature. After all, its core algorithm is to compare if a - b > c.
So I wanted to make a free version or it with AWS SDK.
It's a CLI tools, with help message:
cargo run -- --help
Usage: aws-unused-analyzer [OPTIONS]
Options:
-r, --region <REGION>
-a, --access-key <ACCESS_KEY>
-s, --secret-key <SECRET_KEY>
-u, --unused-access-age <UNUSED_ACCESS_AGE> [default: 90]Instead of running with source code which require cargo toolchain, you can also run with release binary:
aws-unused-analyzer --helpaws-unused-analyzer --a <ACCESS_KEY> --s <SECRET_KEY> -u 30It will use the arguments first, if not provided, it will use the environment variables.
how to set environment variables for AWS SDK: doc
Wait for a while(depends on the number of IAM Users and Roles), you will get the output file in the current directory.
echo unused_findings.json
{
"resource": "arn:aws:iam::1234567890:role/TestRole",
"resource_type": "AwsIamRole",
"resource_owner_account": "1234567890",
"id": "99f66ff9-5763-4e8f-9284-f2aebf3df753",
"finding_details": [
{
"UnusedPermissionDetails": {
"actions": null,
"service_namespace": "s3",
"last_accessed": "2024-02-29T12:37:10Z"
}
}
],
"finding_type": "UnusedPermission"
}- Implement the account unused analyzer generating same output as the official one.
- Implement the finding recommendation for UnusedPermission of Role. (updated at 6.18 re:Inforce 2024)
- Implement the organization unused analyzer feature (using user defined role maybe).
- ...to be finded out.
This project is licensed under the MIT License - see the LICENSE file for details.