How can we quickly identify which users and roles have access to a given action (and resource) in an AWS account?
Erik Steringer built the Principal Mapper (pmapper) to answer that question. It uses the existing simulator APIs to determine which users and roles have access to each other, and provides a query interface on top of this data. When you check whether a principal can perform an action, pmapper checks the principal itself and any principals it has access to.
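The transitive check described above, sketched as an added example that is not pmapper's own code: a breadth-first search over a small constructed principal graph. The principal names, the `DIRECT` and `ACCESS` tables and the function names are assumptions for illustration; pmapper derives the equivalent data from the simulator APIs.

```python
from collections import deque
from fnmatch import fnmatchcase

# Constructed sample data, not taken from a real account.
# DIRECT: what each principal may do itself, as (action, resource pattern).
DIRECT = {
    "user/alice": [("s3:GetObject", "arn:aws:s3:::reports/*")],
    "user/bob": [],
    "user/carol": [],
    "role/ci": [],
    "role/deploy": [("iam:CreateUser", "*")],
}
# ACCESS: which principals each principal can access (source -> targets).
ACCESS = {
    "user/bob": ["role/ci"],
    "role/ci": ["role/deploy"],
}

def allowed_directly(principal, action, resource):
    """True if the principal's own permissions cover the action and resource."""
    return any(a == action and fnmatchcase(resource, pattern)
               for a, pattern in DIRECT.get(principal, []))

def can_do(principal, action, resource):
    """Return the shortest chain of principals ending at one that is allowed
    the action, or None. A chain of length 1 means direct access."""
    queue = deque([[principal]])
    seen = {principal}
    while queue:
        path = queue.popleft()
        if allowed_directly(path[-1], action, resource):
            return path
        for nxt in ACCESS.get(path[-1], []):
            if nxt not in seen:  # guard against cycles between principals
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def who_can(action, resource):
    """Map every principal with direct or indirect access to its chain."""
    chains = {p: can_do(p, action, resource) for p in DIRECT}
    return {p: chain for p, chain in chains.items() if chain}

if __name__ == "__main__":
    target = "arn:aws:iam::111122223333:user/new"  # constructed ARN
    for p, chain in who_can("iam:CreateUser", target).items():
        print(p, "via", " -> ".join(chain))
```

A chain longer than one entry marks indirect access: the queried principal lacks the permission itself but can reach a principal that has it.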
pmapper is available for download on the NCC Group GitHub: https://github.com/nccgroup/PMapper
Learn more about pmapper in Erik Steringer’s blog post.