Skip to content

clarkemn/aws-priv-actions

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.github/workflows
.github/workflows
 
 
aws_priv_actions
aws_priv_actions
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
renovate.json
renovate.json
 
 
uv.lock
uv.lock
 
 

Repository files navigation

AWS Privileged Actions CLI (aws-priv-actions)

A command-line interface for performing privileged actions on AWS member accounts in an organization, when Centralized Root Management is enabled.

⚠️ Disclaimer

This software allows you to assume AWS IAM root privileges, which can have significant security and operational impacts if misused. Use with caution. The authors and contributors provide this software "as is", without warranty of any kind, express or implied. You are solely responsible for any actions taken using this tool.

Why?

As of the time of writing, there is no AWS API to fetch the list of available task policies. This is a workaround to allow you to perform privileged actions on AWS member accounts in an organization.

This was built as a simple tool to allow Operators to use the assume-root feature of AWS Centralized Root Management in critical situations requring root access, without having to pour over AWS CLI documentation.

Installation

pip install aws-priv-actions

Prerequisites

  • Python 3.8 or higher
  • AWS CLI configured with appropriate credentials
  • Required IAM permissions to perform privileged actions

Usage

List Available Task Policies

aws-priv-actions list-policies

Assume Root Privileges

aws-priv-actions assume-root <target-principal> <task-policy> [--duration-seconds SECONDS] [--region REGION] [--verbose]
  • The --region flag is required for the assume-root command, as the AWS global STS endpoint is not supported for this operation. If not provided, you will be prompted interactively (default: us-east-1).
  • The CLI always uses the correct regional STS endpoint (e.g., sts.us-east-1.amazonaws.com).

Example (with region flag):

aws-priv-actions assume-root arn:aws:iam::123456789012:root IAMAuditRootUserCredentials --region us-east-1 --verbose

Example (interactive region prompt):

aws-priv-actions assume-root arn:aws:iam::123456789012:root IAMAuditRootUserCredentials
Enter the AWS region to use for STS (must be a regional endpoint) [us-east-1]:

Available Task Policies

  • IAMAuditRootUserCredentials: Audit root user credentials
  • IAMCreateRootUserPassword: Create root user password
  • IAMDeleteRootUserCredentials: Delete root user credentials
  • S3UnlockBucketPolicy: Unlock S3 bucket policy
  • SQSUnlockQueuePolicy: Unlock SQS queue policy

Development

  1. Clone the repository

  2. Install UV (if not already installed):

    curl -LsSf https://astral.sh/uv/install.sh | sh

  3. Install development dependencies:

    uv pip install -e .

  4. Run tests:

    pytest

License

MIT License

About

CLI to perform "privileged actions" on member accounts in AWS Organizations

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages