Generate IAM policies based on CloudTrail events that occurred between the given start and end time, in the given regions, by the given identities.

```shell
tkm iam generate-policies \
  --start-time <start-time> \
  --end-time <end-time> \
  --identity <identity>... \
  --region <region>... \
  [--role-name <role-name>]
```
This command is intended to be run with option values generated by running some other command with the --show-generate-iam-policies option. For example, to get the IAM policies needed to deploy a stack, first run the deploy stacks command with the --show-generate-iam-policies option, then run this command using the instructions printed after the deploy stacks command completes.
Here's a typical workflow to generate the IAM policies needed to deploy some stacks:

1. Run the deploy stacks command with the --show-generate-iam-policies option and full admin permissions (so the operation doesn't fail due to insufficient permissions, which would leave gaps in the recorded actions). Execute this step in a non-production environment.
2. Copy the command to generate IAM policies shown in the deploy stacks command's output.
3. Wait at least 15 minutes to ensure all events from the previous command are available in CloudTrail.
4. Run the command you copied in step 2 with a role or user that is allowed to look up events from CloudTrail (see the minimum IAM policy for this command below).
5. The command prints the generated policies, which you can use as the starting point for crafting the final policies.
This command has no positional arguments.
In addition to the common options, this command has the following options.
--start-time <start time>
Include events from CloudTrail after this time.
Must be in ISO 8601 format, e.g. 2021-10-05T14:48:00.000Z.
--end-time <end time>
Include events from CloudTrail before this time.
Must be in ISO 8601 format, e.g. 2021-10-05T16:48:00.000Z.
--identity <identity>
Include events from CloudTrail by this identity.
You can use this option multiple times to specify more identities.
Must be a valid IAM identity ARN.
--region <region>
Include events from CloudTrail from this region.
You can use this option multiple times to specify more regions.
--role-name <role-name>
If you are generating policies from actions executed against multiple accounts, you need to provide the name of the IAM role that Takomo assumes in each account to collect the CloudTrail events.
These are the minimum IAM permissions required to run this command.

```yaml
Statement:
  - Sid: CloudTrail
    Effect: Allow
    Action: cloudtrail:LookupEvents
    Resource: "*"
  # IAM permissions needed only if policies are generated
  # from multiple accounts. Specify the Resource to restrict
  # access to specific roles.
  - Sid: IAM
    Effect: Allow
    Action: sts:AssumeRole
    Resource: "*"
```
Generate policies for IAM user [email protected] based on actions executed in the eu-west-1 and us-east-1 regions:

```shell
tkm iam generate-policies \
  --start-time 2021-05-02T16:45:54.169Z \
  --end-time 2021-05-02T16:45:54.462Z \
  --identity arn:aws:iam::123456789012:user/[email protected] \
  --region eu-west-1 \
  --region us-east-1
```
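To make the filtering and mapping behind the workflow above concrete, here is an added Python example that is not Takomo's own code: it takes CloudTrail LookupEvents records, keeps only those by the requested identity ARNs inside the start/end window, and turns each event into an IAM action grouped per service. The sample events, the `deployer` and `unrelated` identity ARNs, and the `SERVICE_PREFIX_OVERRIDES` table are constructed for illustration; `fetch_events` uses the real boto3 CloudTrail `lookup_events` paginator (it needs the cloudtrail:LookupEvents permission listed above) and is only called when you wire it up yourself.

```python
"""Rebuild an IAM policy skeleton from CloudTrail events.

Added example, not Takomo code: it mirrors what `tkm iam generate-policies`
does conceptually (filter by identity, region and time, map events to actions).
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# CloudTrail eventSource prefixes that differ from the IAM service prefix.
# Assumed/non-exhaustive: the eventSource -> IAM prefix mapping is not always 1:1,
# which is one reason the generated output is a starting point, not a final policy.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch", "tagging": "tag"}


def parse_iso8601(value: str) -> datetime:
    """Parse the ISO 8601 form the CLI options expect, e.g. 2021-10-05T14:48:00.000Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def event_to_action(event: dict) -> str:
    """Map a LookupEvents record to an IAM action, e.g.
    ('cloudformation.amazonaws.com', 'CreateStack') -> 'cloudformation:CreateStack'."""
    prefix = event["EventSource"].split(".")[0]
    prefix = SERVICE_PREFIX_OVERRIDES.get(prefix, prefix)
    return f"{prefix}:{event['EventName']}"


def event_identity_arn(event: dict) -> str:
    """The caller ARN lives in the raw CloudTrail JSON, not in the summary fields."""
    raw = json.loads(event["CloudTrailEvent"])
    return raw.get("userIdentity", {}).get("arn", "")


def select_events(events, identities, start, end):
    """Keep events by the given identity ARNs with start <= EventTime < end."""
    wanted = set(identities)
    return [e for e in events
            if event_identity_arn(e) in wanted and start <= e["EventTime"] < end]


def build_policy(events, identities, start_time, end_time) -> dict:
    """Group the selected events' actions per service into Allow statements.
    Resource stays "*" here; tighten it by hand when crafting the final policy."""
    start, end = parse_iso8601(start_time), parse_iso8601(end_time)
    by_service = defaultdict(set)
    for e in select_events(events, identities, start, end):
        action = event_to_action(e)
        by_service[action.split(":")[0]].add(action)
    statements = [{"Sid": service.capitalize(), "Effect": "Allow",
                   "Action": sorted(actions), "Resource": "*"}
                  for service, actions in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def fetch_events(region, start_time, end_time):
    """Real lookup via boto3's CloudTrail LookupEvents API, one region per call.
    boto3 is imported lazily so the rest of this file runs offline."""
    import boto3
    client = boto3.client("cloudtrail", region_name=region)
    pages = client.get_paginator("lookup_events").paginate(
        StartTime=parse_iso8601(start_time), EndTime=parse_iso8601(end_time))
    return [e for page in pages for e in page["Events"]]


def _sample(name, source, arn, minute, second):
    """Constructed record in the shape LookupEvents returns (sample data, not real)."""
    return {"EventName": name, "EventSource": source,
            "EventTime": datetime(2021, 5, 2, 16, minute, second, tzinfo=timezone.utc),
            "CloudTrailEvent": json.dumps({"eventName": name, "eventSource": source,
                                           "userIdentity": {"arn": arn}})}


DEPLOYER = "arn:aws:iam::123456789012:user/deployer"  # hypothetical identity
OTHER = "arn:aws:iam::123456789012:role/unrelated"    # hypothetical identity

SAMPLE_EVENTS = [  # constructed sample input
    _sample("DescribeStacks", "cloudformation.amazonaws.com", DEPLOYER, 45, 54),
    _sample("CreateStack", "cloudformation.amazonaws.com", DEPLOYER, 45, 55),
    _sample("DescribeStacks", "cloudformation.amazonaws.com", DEPLOYER, 46, 10),  # duplicate
    _sample("PutObject", "s3.amazonaws.com", DEPLOYER, 46, 30),
    _sample("PutMetricAlarm", "monitoring.amazonaws.com", DEPLOYER, 47, 0),   # -> cloudwatch:
    _sample("CreateRole", "iam.amazonaws.com", OTHER, 47, 5),                 # other identity
    _sample("DeleteStack", "cloudformation.amazonaws.com", DEPLOYER, 58, 0),  # outside window
]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_EVENTS, [DEPLOYER],
                          "2021-05-02T16:45:00.000Z", "2021-05-02T16:50:00.000Z")
    print(json.dumps(policy, indent=2))
```

Run as-is it prints three statements (cloudformation, cloudwatch, s3) and silently drops the event by the other identity and the one outside the window, which is the same reason the real command wants an identity ARN and a tight time range: anything else that happened in the account during that period would otherwise leak into the policy. The 15-minute wait in the workflow matters here too; events that have not reached CloudTrail yet simply never become actions.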