[ocdnix]

Reminds me of Lyft's thing from a couple of months ago: https://news.ycombinator.com/item?id=25000950

I would love to get answers to questions like "which users have access to resource X, including implicitly through one or more assume-role jumps, across these N accounts, including stuff like iam:PassRole, even including tag-based policies?". Add a time dimension too, like "who had access to X between Jun and Aug 2020?", and you'd have a winner. Would such queries be possible here?

[fatjohnny]

The joins are very powerful. For example - you can connect a lambda function to its IAM role and then right through to the attached policies. We have quite a few join examples scattered through the AWS table docs. For tags, Steampipe actually normalizes a tags column across AWS, Azure, GCP & DigitalOcean tables. It's always available as a JSONB {"foo":"bar"} format, even if the source was labels like DigitalOcean, so definitely possible to find resources with specific tags. We have multi-account on the near-term roadmap, but the idea of historical searches is a super interesting and challenging idea… we haven’t started to contemplate yet. Perhaps using snapshots into a materialized view would work for comparisons over time?

[whoknew1122]

I just glanced over the source, but I think the answer is no in both cases.

> "which users have access to resource X, including implicitly through one or more assume-role jumps, across these N accounts, including stuff like iam:PassRole, even including tag-based policies?"

This would be difficult to pull off because you'd need to make separate calls to each of your accounts to determine this sort of thing. And if you're looking at assuming roles through mulitple accounts, you have to consider whether external Ids are defined.

And if external Ids are defined, how do you handle that? Do you assume the caller has the external Id?

> "who had access to X between Jun and Aug 2020?"

This one would be easier, but would require integration with AWS Config.