iam

package
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 22, 2026 License: MIT Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	SeverityCritical = "critical"
	SeverityHigh     = "high"
	SeverityMedium   = "medium"
	SeverityLow      = "low"
	SeverityInfo     = "info"
)

Severity levels for findings

View Source 
const (
	FindingOverpermissivePolicy   = "overpermissive_policy"
	FindingAdminAccess            = "admin_access"
	FindingWildcardResource       = "wildcard_resource"
	FindingUnusedRole             = "unused_role"
	FindingCrossAccountTrust      = "cross_account_trust"
	FindingMissingMFA             = "missing_mfa"
	FindingOldAccessKeys          = "old_access_keys"
	FindingInactiveKeys           = "inactive_keys"
	FindingRootAccountUsage       = "root_account_usage"
	FindingPublicS3Access         = "public_s3_access"
	FindingExcessivePermissions   = "excessive_permissions"
	FindingMissingResourceScoping = "missing_resource_scoping"
)

Finding types

View Source 
const (
	ActionUpdatePolicy        = "update_policy"
	ActionCreatePolicyVersion = "create_policy_version"
	ActionAttachPolicy        = "attach_policy"
	ActionDetachPolicy        = "detach_policy"
	ActionDeletePolicyVersion = "delete_policy_version"
	ActionDeactivateAccessKey = "deactivate_access_key"
	ActionDeleteAccessKey     = "delete_access_key"
	ActionRotateAccessKey     = "rotate_access_key"
	ActionUpdateTrustPolicy   = "update_trust_policy"
)

Action types for fix commands

View Source 
const (
	ResponseTypeResult   = "result"
	ResponseTypePlan     = "plan"
	ResponseTypeFindings = "findings"
	ResponseTypeError    = "error"
)

Response types

View Source 
const MaxAnswerLengthInContext = 500

MaxAnswerLengthInContext limits how much of previous answers to include in context

View Source 
const MaxHistoryEntries = 20

MaxHistoryEntries limits the conversation history size

Variables

This section is empty.

Functions

func GetAccountSummaryContext 

func GetAccountSummaryContext(summary *AccountSummary) string

GetAccountSummaryContext returns a formatted string of IAM account summary

func GetFinalResponsePrompt 

func GetFinalResponsePrompt(question, iamData, conversationContext string) string

GetFinalResponsePrompt returns the prompt for generating the final user-facing response

func GetFixPlanPrompt 

func GetFixPlanPrompt(finding SecurityFinding, currentPolicy string) string

GetFixPlanPrompt returns the prompt for generating a fix plan for a security finding

func GetLLMAnalysisPrompt 

func GetLLMAnalysisPrompt(question string, iamContext string) string

GetLLMAnalysisPrompt returns the prompt for LLM to analyze what IAM operations are needed

func GetPermissionAnalysisPrompt 

func GetPermissionAnalysisPrompt(question string, permissions []string, context string) string

GetPermissionAnalysisPrompt returns the prompt for analyzing specific permissions

func GetSecurityAnalysisPrompt 

func GetSecurityAnalysisPrompt(resourceType, resourceName, policyDocument string) string

GetSecurityAnalysisPrompt returns the prompt for analyzing a policy document for security issues

func GetTrustPolicyAnalysisPrompt 

func GetTrustPolicyAnalysisPrompt(roleName, trustPolicy string) string

GetTrustPolicyAnalysisPrompt returns the prompt for analyzing a trust policy

Types

type AccessKeyInfo 

type AccessKeyInfo struct {
	UserName        string     `json:"user_name"`
	AccessKeyId     string     `json:"access_key_id"`
	Status          string     `json:"status"`
	CreateDate      time.Time  `json:"create_date"`
	LastUsedDate    *time.Time `json:"last_used_date,omitempty"`
	LastUsedService string     `json:"last_used_service,omitempty"`
	LastUsedRegion  string     `json:"last_used_region,omitempty"`
}

AccessKeyInfo contains access key metadata

type AccountSummary 

type AccountSummary struct {
	RoleCount        int `json:"role_count"`
	PolicyCount      int `json:"policy_count"`
	UserCount        int `json:"user_count"`
	GroupCount       int `json:"group_count"`
	InstanceProfiles int `json:"instance_profiles"`
	MFADevices       int `json:"mfa_devices"`
	AccessKeys       int `json:"access_keys"`
}

AccountSummary represents a summary of IAM resources in an account

type Agent 

type Agent struct {
	// contains filtered or unexported fields
}

Agent orchestrates IAM operations

func NewAgentWithOptions 

func NewAgentWithOptions(opts AgentOptions) (*Agent, error)

NewAgentWithOptions creates a new IAM agent with the specified options

func (*Agent) ApplyFixPlan 

func (a *Agent) ApplyFixPlan(ctx context.Context, plan *FixPlan, confirm bool) error

ApplyFixPlan applies a fix plan

func (*Agent) ClearConversation 

func (a *Agent) ClearConversation()

ClearConversation clears the conversation history

func (*Agent) GetAccountID 

func (a *Agent) GetAccountID() string

GetAccountID returns the AWS account ID

func (*Agent) GetAnalyzer 

func (a *Agent) GetAnalyzer() *analyzer.SubAgent

GetAnalyzer returns the analyzer subagent

func (*Agent) GetClient 

func (a *Agent) GetClient() *Client

GetClient returns the IAM client

func (*Agent) GetFixer 

func (a *Agent) GetFixer() *fixer.SubAgent

GetFixer returns the fixer subagent

func (*Agent) HandleQuery 

func (a *Agent) HandleQuery(ctx context.Context, query string, opts QueryOptions) (*Response, error)

HandleQuery handles an IAM query and returns a response

type AgentOptions 

type AgentOptions struct {
	Profile string
	Region  string
	Debug   bool
}

AgentOptions configures the IAM agent

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client wraps the AWS IAM SDK client

func NewClient 

func NewClient(profile, region string, debug bool) (*Client, error)

NewClient creates a new IAM client with the specified profile and region

func (*Client) AttachRolePolicy 

func (c *Client) AttachRolePolicy(ctx context.Context, roleName, policyARN string) error

AttachRolePolicy attaches a managed policy to a role

func (*Client) CreatePolicyVersion 

func (c *Client) CreatePolicyVersion(ctx context.Context, policyARN, document string, setAsDefault bool) error

CreatePolicyVersion creates a new version of an IAM policy

func (*Client) DeletePolicyVersion 

func (c *Client) DeletePolicyVersion(ctx context.Context, policyARN, versionID string) error

DeletePolicyVersion deletes a specific version of an IAM policy

func (*Client) DetachRolePolicy 

func (c *Client) DetachRolePolicy(ctx context.Context, roleName, policyARN string) error

DetachRolePolicy detaches a managed policy from a role

func (*Client) ExecuteOperations 

func (c *Client) ExecuteOperations(ctx context.Context, operations []IAMOperation) (string, error)

ExecuteOperations executes IAM operations in parallel and returns combined results

func (*Client) GetAccountID 

func (c *Client) GetAccountID() string

GetAccountID returns the AWS account ID

func (*Client) GetAccountSummary 

func (c *Client) GetAccountSummary(ctx context.Context) (*AccountSummary, error)

GetAccountSummary returns IAM account summary statistics

func (*Client) GetCredentialReport 

func (c *Client) GetCredentialReport(ctx context.Context) (*CredentialReport, error)

GetCredentialReport generates and returns the credential report

func (*Client) GetPolicyDocument 

func (c *Client) GetPolicyDocument(ctx context.Context, policyARN string) (*PolicyDetail, error)

GetPolicyDocument returns the policy document for a managed policy

func (*Client) GetRoleDetails 

func (c *Client) GetRoleDetails(ctx context.Context, roleName string) (*RoleDetail, error)

GetRoleDetails returns detailed information about a specific role

func (*Client) GetRolePolicyDocument 

func (c *Client) GetRolePolicyDocument(ctx context.Context, roleName, policyName string) (string, error)

GetRolePolicyDocument returns the policy document for an inline policy

func (*Client) ListAccessKeys 

func (c *Client) ListAccessKeys(ctx context.Context, userName string) ([]AccessKeyInfo, error)

ListAccessKeys returns access keys for a user

func (*Client) ListGroups 

func (c *Client) ListGroups(ctx context.Context) ([]GroupInfo, error)

ListGroups returns all IAM groups

func (*Client) ListPolicies 

func (c *Client) ListPolicies(ctx context.Context) ([]PolicyInfo, error)

ListPolicies returns all customer-managed IAM policies

func (*Client) ListRoles 

func (c *Client) ListRoles(ctx context.Context) ([]RoleInfo, error)

ListRoles returns all IAM roles in the account

func (*Client) ListUsers 

func (c *Client) ListUsers(ctx context.Context) ([]UserInfo, error)

ListUsers returns all IAM users

func (*Client) UpdateAccessKey 

func (c *Client) UpdateAccessKey(ctx context.Context, userName, accessKeyID, status string) error

UpdateAccessKey updates the status of an access key

func (*Client) UpdateAssumeRolePolicy 

func (c *Client) UpdateAssumeRolePolicy(ctx context.Context, roleName, document string) error

UpdateAssumeRolePolicy updates the trust policy for a role

type ConversationEntry 

type ConversationEntry struct {
	Timestamp time.Time `json:"timestamp"`
	Question  string    `json:"question"`
	Answer    string    `json:"answer"`
	AccountID string    `json:"account_id"`
}

ConversationEntry represents a single Q&A exchange

type ConversationHistory 

type ConversationHistory struct {
	Entries     []ConversationEntry `json:"entries"`
	AccountID   string              `json:"account_id"`
	LastSummary *AccountSummary     `json:"last_summary,omitempty"`
	// contains filtered or unexported fields
}

ConversationHistory maintains conversation state for IAM ask mode

func NewConversationHistory 

func NewConversationHistory(accountID string) *ConversationHistory

NewConversationHistory creates a new conversation history for an account

func (*ConversationHistory) AddEntry 

func (h *ConversationHistory) AddEntry(question, answer, accountID string)

AddEntry adds a new conversation entry

func (*ConversationHistory) Clear 

func (h *ConversationHistory) Clear()

Clear clears all conversation history

func (*ConversationHistory) GetAccountSummary 

func (h *ConversationHistory) GetAccountSummary() *AccountSummary

GetAccountSummary returns the cached account summary

func (*ConversationHistory) GetAccountSummaryContext 

func (h *ConversationHistory) GetAccountSummaryContext() string

GetAccountSummaryContext returns a string representation of account summary suitable for inclusion in LLM prompts

func (*ConversationHistory) GetRecentContext 

func (h *ConversationHistory) GetRecentContext(maxEntries int) string

GetRecentContext returns recent conversation context as a formatted string for inclusion in LLM prompts

func (*ConversationHistory) Load 

func (h *ConversationHistory) Load() error

Load loads conversation history from disk

func (*ConversationHistory) Save 

func (h *ConversationHistory) Save() error

Save persists the conversation history to disk

func (*ConversationHistory) UpdateAccountSummary 

func (h *ConversationHistory) UpdateAccountSummary(summary *AccountSummary)

UpdateAccountSummary updates the cached account summary

type CredentialReport 

type CredentialReport struct {
	GeneratedTime time.Time               `json:"generated_time"`
	Users         []CredentialReportEntry `json:"users"`
}

CredentialReport represents an IAM credential report

type CredentialReportEntry 

type CredentialReportEntry struct {
	User                      string     `json:"user"`
	ARN                       string     `json:"arn"`
	UserCreationTime          time.Time  `json:"user_creation_time"`
	PasswordEnabled           bool       `json:"password_enabled"`
	PasswordLastUsed          *time.Time `json:"password_last_used,omitempty"`
	PasswordLastChanged       *time.Time `json:"password_last_changed,omitempty"`
	PasswordNextRotation      *time.Time `json:"password_next_rotation,omitempty"`
	MFAActive                 bool       `json:"mfa_active"`
	AccessKey1Active          bool       `json:"access_key_1_active"`
	AccessKey1LastRotated     *time.Time `json:"access_key_1_last_rotated,omitempty"`
	AccessKey1LastUsedDate    *time.Time `json:"access_key_1_last_used_date,omitempty"`
	AccessKey1LastUsedRegion  string     `json:"access_key_1_last_used_region,omitempty"`
	AccessKey1LastUsedService string     `json:"access_key_1_last_used_service,omitempty"`
	AccessKey2Active          bool       `json:"access_key_2_active"`
	AccessKey2LastRotated     *time.Time `json:"access_key_2_last_rotated,omitempty"`
	AccessKey2LastUsedDate    *time.Time `json:"access_key_2_last_used_date,omitempty"`
	AccessKey2LastUsedRegion  string     `json:"access_key_2_last_used_region,omitempty"`
	AccessKey2LastUsedService string     `json:"access_key_2_last_used_service,omitempty"`
}

CredentialReportEntry represents a single user entry in the credential report

type FixCommand 

type FixCommand struct {
	ID          string                 `json:"id"`
	Action      string                 `json:"action"`
	ResourceARN string                 `json:"resource_arn"`
	Parameters  map[string]interface{} `json:"parameters"`
	Reason      string                 `json:"reason"`
	Rollback    *FixCommand            `json:"rollback,omitempty"`
}

FixCommand represents a single remediation command

type FixPlan 

type FixPlan struct {
	ID        string          `json:"id"`
	Summary   string          `json:"summary"`
	Finding   SecurityFinding `json:"finding"`
	Commands  []FixCommand    `json:"commands"`
	Notes     []string        `json:"notes,omitempty"`
	Warnings  []string        `json:"warnings,omitempty"`
	CreatedAt time.Time       `json:"created_at"`
}

FixPlan represents a plan to remediate a security finding

type GroupInfo 

type GroupInfo struct {
	GroupName  string    `json:"group_name"`
	GroupARN   string    `json:"group_arn"`
	Path       string    `json:"path"`
	CreateDate time.Time `json:"create_date"`
}

GroupInfo contains basic group information

type IAMAnalysis 

type IAMAnalysis struct {
	Operations []IAMOperation `json:"operations"`
	Analysis   string         `json:"analysis"`
}

IAMAnalysis represents the LLM's analysis of what IAM operations are needed

type IAMOperation 

type IAMOperation struct {
	Operation  string                 `json:"operation"`
	Reason     string                 `json:"reason"`
	Parameters map[string]interface{} `json:"parameters"`
}

IAMOperation represents an IAM operation requested by the LLM

type IAMOperationResult 

type IAMOperationResult struct {
	Operation string
	Result    string
	Error     error
	Index     int
}

IAMOperationResult represents the result of an IAM operation

type InlinePolicy 

type InlinePolicy struct {
	PolicyName     string `json:"policy_name"`
	PolicyDocument string `json:"policy_document"`
}

InlinePolicy represents an inline policy attached to a role

type PolicyDetail 

type PolicyDetail struct {
	PolicyInfo
	PolicyDocument string            `json:"policy_document"`
	Versions       []PolicyVersion   `json:"versions,omitempty"`
	Tags           map[string]string `json:"tags,omitempty"`
}

PolicyDetail contains detailed policy information including document

type PolicyDocument 

type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

PolicyDocument represents a parsed IAM policy document

func ParsePolicyDocument 

func ParsePolicyDocument(document string) (*PolicyDocument, error)

ParsePolicyDocument parses a JSON policy document string

type PolicyInfo 

type PolicyInfo struct {
	PolicyName       string    `json:"policy_name"`
	PolicyARN        string    `json:"policy_arn"`
	Path             string    `json:"path"`
	CreateDate       time.Time `json:"create_date"`
	UpdateDate       time.Time `json:"update_date"`
	AttachmentCount  int32     `json:"attachment_count"`
	IsAttachable     bool      `json:"is_attachable"`
	DefaultVersionId string    `json:"default_version_id"`
	Description      string    `json:"description,omitempty"`
}

PolicyInfo contains basic policy information

type PolicyVersion 

type PolicyVersion struct {
	VersionId        string    `json:"version_id"`
	IsDefaultVersion bool      `json:"is_default_version"`
	CreateDate       time.Time `json:"create_date"`
	Document         string    `json:"document,omitempty"`
}

PolicyVersion represents a specific version of an IAM policy

type QueryOptions 

type QueryOptions struct {
	AccountWide bool   `json:"account_wide"`
	RoleARN     string `json:"role_arn,omitempty"`
	PolicyARN   string `json:"policy_arn,omitempty"`
	UserName    string `json:"user_name,omitempty"`
	GroupName   string `json:"group_name,omitempty"`
}

QueryOptions configures how IAM queries are executed

type Response 

type Response struct {
	Type     string            `json:"type"`
	Content  string            `json:"content,omitempty"`
	Plan     *FixPlan          `json:"plan,omitempty"`
	Findings []SecurityFinding `json:"findings,omitempty"`
	Error    error             `json:"error,omitempty"`
}

Response represents the IAM agent response

type RoleDetail 

type RoleDetail struct {
	RoleInfo
	AttachedPolicies []PolicyInfo   `json:"attached_policies"`
	InlinePolicies   []InlinePolicy `json:"inline_policies"`
	InstanceProfiles []string       `json:"instance_profiles,omitempty"`
	LastUsed         *time.Time     `json:"last_used,omitempty"`
}

RoleDetail contains detailed role information including policies

type RoleInfo 

type RoleInfo struct {
	RoleName                 string            `json:"role_name"`
	RoleARN                  string            `json:"role_arn"`
	Path                     string            `json:"path"`
	CreateDate               time.Time         `json:"create_date"`
	Description              string            `json:"description,omitempty"`
	MaxSessionDuration       int32             `json:"max_session_duration"`
	AssumeRolePolicyDocument string            `json:"assume_role_policy_document"`
	Tags                     map[string]string `json:"tags,omitempty"`
}

RoleInfo contains basic role information

type SecurityFinding 

type SecurityFinding struct {
	ID          string   `json:"id"`
	Severity    string   `json:"severity"`
	Type        string   `json:"type"`
	ResourceARN string   `json:"resource_arn"`
	Description string   `json:"description"`
	Remediation string   `json:"remediation"`
	Actions     []string `json:"actions,omitempty"`
	Resources   []string `json:"resources,omitempty"`
}

SecurityFinding represents a security issue found during IAM analysis

type Statement 

type Statement struct {
	Sid       string      `json:"Sid,omitempty"`
	Effect    string      `json:"Effect"`
	Principal interface{} `json:"Principal,omitempty"`
	Action    interface{} `json:"Action"`
	Resource  interface{} `json:"Resource"`
	Condition interface{} `json:"Condition,omitempty"`
}

Statement represents a single statement in an IAM policy

type TrustPolicy 

type TrustPolicy struct {
	Version   string           `json:"Version"`
	Statement []TrustStatement `json:"Statement"`
}

TrustPolicy represents a parsed trust policy

type TrustStatement 

type TrustStatement struct {
	Effect    string      `json:"Effect"`
	Principal interface{} `json:"Principal"`
	Action    interface{} `json:"Action"`
	Condition interface{} `json:"Condition,omitempty"`
}

TrustStatement represents a statement in a trust policy

type UserInfo 

type UserInfo struct {
	UserName         string            `json:"user_name"`
	UserARN          string            `json:"user_arn"`
	Path             string            `json:"path"`
	CreateDate       time.Time         `json:"create_date"`
	PasswordLastUsed *time.Time        `json:"password_last_used,omitempty"`
	Tags             map[string]string `json:"tags,omitempty"`
}

UserInfo contains basic user information

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.