From 2cc257b3e4e18ca53daaa36a7bce00a03a6e4c9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Thu, 7 Jun 2018 10:30:00 +0100
Subject: [PATCH] Add tool to find users for compromised keys on aws
---
tools/find-iam-user-for-access-key.py | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 tools/find-iam-user-for-access-key.py
diff --git a/tools/find-iam-user-for-access-key.py b/tools/find-iam-user-for-access-key.py
new file mode 100644
index 00000000..0e29e39b
--- /dev/null
+++ b/tools/find-iam-user-for-access-key.py
@@ -0,0 +1,21 @@
+import boto.iam
+import sys
+
+TARGET_ACCESS_KEY = sys.argv[1]
+
+iam = boto.connect_iam()
+
+users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
+
+def find_key():
+ for user in users:
+ for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
+ aws_access_key = key_result['access_key_id']
+ if aws_access_key == TARGET_ACCESS_KEY:
+ print 'Target key belongs to:'
+ print 'user : ' + user['user_name']
+ return True
+ return False
+
+if not find_key():
+ print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
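Review bot: The `users = iam.get_all_users('/')...` line reads only the first page of the IAM ListUsers response, so on an account with more users than one page holds the script can print "Did not find access key" while the key's owner sits on a later page. For a tool used during a key-compromise investigation that false negative is the dangerous outcome, so the listing should follow `is_truncated`/`marker` until the result is complete, as sketched below (boto appears to return the flag as the string `'true'`; confirm against the pinned boto version). A miss also does not rule out root-account keys or temporary STS credentials, which are not attached to any IAM user, and the final message would be clearer if it said so. Separately, `sys.argv[1]` raises a bare `IndexError` when no key is passed; a one-line usage message would help whoever runs this under pressure.

```python
def list_all_users():
    # Follow the ListUsers pagination marker until the last page is read.
    found = []
    marker = None
    while True:
        result = iam.get_all_users('/', marker=marker)['list_users_response']['list_users_result']
        found.extend(result['users'])
        if result.get('is_truncated') != 'true':
            return found
        marker = result['marker']

users = list_all_users()

# … unchanged: find_key() and the not-found message …
```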