```
Traceback (most recent call last):
  File "./aws_escalate.py", line 533, in <module>
    main(args)
  File "./aws_escalate.py", line 41, in main
    current_user = client.get_user()['User']
  File "/root/Downloads/tools/cloudmapper-master/venv/lib/python3.6/site-packages/botocore/client.py", line 324, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/Downloads/tools/cloudmapper-master/venv/lib/python3.6/site-packages/botocore/client.py", line 622, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::aaaaaaa:user/xxxxxx@yyyyyyyy is not authorized to perform: iam:GetUser on resource: user xxxx@yyyyyyyyy with an explicit deny
```
My AWS user doesn't have permission to run:
`current_user = client.get_user()['User']` (line 41) and it stops there.
Can you do something about this?
Thanks,
A
Considering this repo is no longer maintained and it popped on my radar today, I'll try helping you.
Essentially, this script "checks users" (and roles).
If you cannot query to get a list of users (the error) you have no use for this script.
If you want to run this script, then you will need the AWS Managed Policies (job-function/ViewOnlyAccess and SecurityAudit) as a shortcut, but it would be better to hand-craft the right permissions for this Python script based on the code in this script (if you can read the code) for your own IAM policy. Post the policy JSON here for others to find if you make the effort.
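An added example, not part of the thread or of aws_escalate.py: one way an audit script can identify its caller when `iam:GetUser` is denied, as in the traceback above, by falling back to `sts:GetCallerIdentity` (which AWS documents as requiring no permissions) and then to the ARN embedded in the error message. The function names are hypothetical, and the sample message is copied from the traceback; the script's later checks still need the IAM read permissions discussed above.

```python
import re

# Caller ARN as it appears in IAM/STS responses and AccessDenied messages.
ARN_RE = re.compile(
    r"arn:(?P<partition>aws[\w-]*):(?:iam|sts)::(?P<account>[^:]*):"
    r"(?P<kind>user|assumed-role)/(?P<path>\S+)"
)

# Error message taken from the traceback in this issue (already redacted there).
SAMPLE_MESSAGE = (
    "User: arn:aws:iam::aaaaaaa:user/xxxxxx@yyyyyyyy is not authorized to "
    "perform: iam:GetUser on resource: user xxxx@yyyyyyyyy with an explicit deny"
)


def parse_principal(text):
    """Return account, kind and name of the first principal ARN in text."""
    m = ARN_RE.search(text)
    if not m:
        return None
    parts = m.group("path").split("/")
    # Users: last path segment is the user name.
    # Assumed roles: first segment is the role, second is the session.
    name = parts[-1] if m.group("kind") == "user" else parts[0]
    return {"Arn": m.group(0), "Account": m.group("account"),
            "Kind": m.group("kind"), "Name": name}


def resolve_caller(iam, sts):
    """Identify the caller without assuming iam:GetUser is allowed.

    iam and sts are boto3 clients (or objects with the same methods).
    """
    try:
        return parse_principal(iam.get_user()["User"]["Arn"])
    except Exception as exc:
        # botocore's ClientError carries the parsed error in .response
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") != "AccessDenied":
            raise
    try:
        return parse_principal(sts.get_caller_identity()["Arn"])
    except Exception:
        # Last resort: the denial message itself names the calling principal.
        return parse_principal(error.get("Message", ""))
```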