MAMIP is a comprehensive monitoring tool that tracks changes in AWS Managed IAM Policies and provides automated notifications through multiple channels. Built with a serverless architecture using ECS Fargate and Terraform, it ensures continuous monitoring of AWS policy updates with real-time validation using AWS Access Analyzer.
- Automated Policy Monitoring: Continuously tracks all AWS Managed IAM Policies
- Change Detection: Identifies new, updated, and deprecated policies
- Policy Validation: Validates policies using AWS Access Analyzer with detailed findings
- Multi-Channel Notifications: Sends alerts via social media, SNS, and GitHub
- Deprecation Tracking: Maintains historical records of deprecated policies
- Individual Commit History: Each policy change gets its own commit with version tracking
- Serverless Architecture: ECS Fargate with Spot instances for cost optimization
- Infrastructure as Code: Complete Terraform configuration for reproducible deployments
- Container-Based: Docker containerization for consistent execution environments
- GitHub Integration: Secure token-based authentication via AWS Secrets Manager
- Automated CI/CD: GitHub Actions for continuous integration and deployment
```text
┌───────────────────┐    ┌───────────────────┐    ┌───────────────────┐
│ GitHub Actions    │────│ ECS Fargate       │────│ AWS Services      │
│ - Scheduled       │    │ - Container       │    │ - IAM APIs        │
│ - Manual          │    │ - Python App      │    │ - Access Analyzer │
└───────────────────┘    └───────────────────┘    │ - Secrets Mgr     │
                                                  │ - SNS/SQS         │
                                                  └───────────────────┘
          │                        │                        │
          ▼                        ▼                        ▼
┌───────────────────┐    ┌───────────────────┐    ┌───────────────────┐
│ Data Storage      │    │ Notifications     │    │ Monitoring        │
│ - policies/       │    │ - Social Media    │    │ - CloudWatch      │
│ - findings/       │    │ - Email/SNS       │    │ - Logs            │
│ - DEPRECATED      │    │ - GitHub          │    │ - Metrics         │
└───────────────────┘    └───────────────────┘    └───────────────────┘
```
- Policy Fetching: Script retrieves current AWS Managed Policies
- Change Detection: Compares with local repository to identify changes
- Validation: New/updated policies validated using AWS Access Analyzer
- Storage: Policy documents stored in policies/, findings in findings/
- Versioning: Individual commits created for each policy change
- Notification: Alerts sent through configured channels
- Cleanup: Deprecated policies moved to tracking list
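The fetch, compare and cleanup steps above, as an added example that is not MAMIP's own validate-batch.py: it uses the two IAM calls the task role is granted (iam:ListPolicies, iam:GetPolicyVersion) and compares documents after canonical serialisation so key order and whitespace in the stored file never count as a change. The function names are assumptions, and the sample data is constructed.

```python
import json
from pathlib import Path


def fetch_remote_policies(iam) -> dict:
    """Map policy name -> default-version document via iam:ListPolicies and
    iam:GetPolicyVersion. `iam` is a boto3 IAM client or a stub exposing the
    same two calls; Scope="AWS" limits the listing to AWS managed policies."""
    remote = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="AWS"):
        for pol in page["Policies"]:
            version = iam.get_policy_version(
                PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"]
            )
            remote[pol["PolicyName"]] = version["PolicyVersion"]["Document"]
    return remote


def load_local_policies(policies_dir: Path) -> dict:
    """Read policies/<PolicyName>.json into {name: document}."""
    return {p.stem: json.loads(p.read_text()) for p in policies_dir.glob("*.json")}


def canonical(doc: dict) -> str:
    """Serialise with sorted keys so key order / whitespace are not 'changes'."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def classify_changes(local: dict, remote: dict) -> dict:
    """Group policy names into new / updated / unchanged / deprecated."""
    result = {"new": [], "updated": [], "unchanged": []}
    for name, doc in remote.items():
        if name not in local:
            result["new"].append(name)
        elif canonical(local[name]) != canonical(doc):
            result["updated"].append(name)
        else:
            result["unchanged"].append(name)
    # Anything still in the repo that AWS no longer lists belongs in DEPRECATED.json.
    result["deprecated"] = sorted(set(local) - set(remote))
    return {k: sorted(v) for k, v in result.items()}


# Constructed sample standing in for the repo checkout and the IAM response.
S3_READ = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
S3_RW = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}
LOCAL = {"ExampleReadOnly": S3_READ, "ExampleRetired": S3_READ}
REMOTE = {"ExampleReadOnly": S3_RW, "ExampleNew": S3_READ}
```

Running `classify_changes(LOCAL, REMOTE)` reports ExampleNew as new, ExampleReadOnly as updated and ExampleRetired as deprecated; each name in the first two groups would then get its own commit.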
Choose from multiple ways to receive policy change notifications:
- Bluesky: @mamip.bsky.social
- Twitter/𝕏: @mamip_aws
- Enable "Releases Only" notifications on this repository
- Subscribe to commit RSS feed: GitHub RSS Feed
- Email: subscribe to the project's SNS topic:

```sh
aws sns subscribe \
  --topic-arn arn:aws:sns:eu-west-1:567589703415:mamip-sns-topic \
  --protocol email \
  --notification-endpoint [email protected]
```
- Watch this repository for commit notifications
- Monitor the policies/ directory for changes
For manual policy checks:
```sh
# Local execution
cd automation
python validate-batch.py

# Container execution
docker run -e AWS_REGION=eu-west-1 your-ecr/mamip:latest
```
Each AWS Managed Policy undergoes comprehensive validation using AWS Access Analyzer Policy Validation.
- Syntax Validation: Ensures proper JSON structure
- Security Analysis: Identifies potential security issues
- Best Practice Checks: Validates against AWS recommendations
- Resource Analysis: Checks resource ARN patterns
- Location: All findings stored in the findings/ directory
- Format: JSON files containing detailed validation results
- Naming: Corresponds to policy names for easy reference
- Types: Warnings, suggestions, and security findings
```json
{
  "findings": [
    {
      "findingType": "WARNING",
      "issueCode": "REDUNDANT_STATEMENT",
      "findingDetails": "...",
      "locations": [...]
    }
  ],
  "validatePolicyResponse": {...}
}
```
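An added example, not part of the project, of producing and triaging a record in this shape: validate_policy pages through access-analyzer:ValidatePolicy, and summarize picks out the ERROR and SECURITY_WARNING findings that justify an alert rather than just a commit. The function names, the alert threshold and the sample record are assumptions; PASS_ROLE_WITH_STAR_IN_RESOURCE is a real Access Analyzer issue code used here only as constructed sample data.

```python
import json

# Access Analyzer finding types from most to least severe (ValidatePolicy API).
SEVERITY = ["ERROR", "SECURITY_WARNING", "WARNING", "SUGGESTION"]
# Assumed alert threshold: warnings and suggestions only land in findings/.
NOTIFY_ON = {"ERROR", "SECURITY_WARNING"}


def validate_policy(analyzer, document: dict) -> dict:
    """Run access-analyzer:ValidatePolicy on one managed policy document and
    return a findings/-style record. `analyzer` is a boto3 'accessanalyzer'
    client (or a stub with the same call); results are paged via nextToken."""
    findings, token = [], None
    while True:
        kwargs = {"policyDocument": json.dumps(document),
                  "policyType": "IDENTITY_POLICY"}
        if token:
            kwargs["nextToken"] = token
        resp = analyzer.validate_policy(**kwargs)
        findings.extend(resp.get("findings", []))
        token = resp.get("nextToken")
        if not token:
            return {"findings": findings}


def summarize(record: dict) -> dict:
    """Count findings per type and collect the ones that should raise an alert."""
    counts = {t: 0 for t in SEVERITY}
    alerts = []
    for f in record.get("findings", []):
        ftype = f.get("findingType", "WARNING")
        counts[ftype] = counts.get(ftype, 0) + 1
        if ftype in NOTIFY_ON:
            alerts.append(f"{ftype} {f.get('issueCode')}: {f.get('findingDetails', '')}")
    return {"counts": counts, "alerts": alerts}


# Constructed record in the findings/<PolicyName>.json shape shown above.
SAMPLE = {
    "findings": [
        {"findingType": "WARNING", "issueCode": "REDUNDANT_STATEMENT",
         "findingDetails": "Statement 2 is redundant with statement 1.", "locations": []},
        {"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
         "findingDetails": "iam:PassRole with a wildcard resource is overly permissive.",
         "locations": []},
    ],
    "validatePolicyResponse": {},
}
```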
```text
MAMIP/
├── automation/            # Core application code
│   ├── validate-batch.py  # Main validation script
│   ├── tf-fargate/        # Terraform infrastructure
│   └── runbook-*.sh       # Execution scripts
├── policies/              # Current AWS Managed Policies
├── findings/              # Policy validation results
├── DEPRECATED.json        # List of deprecated policies
└── assets/                # Documentation assets
```
- Current Policies: Stored in the policies/ directory
- File Naming: Direct policy name mapping
- Format: AWS IAM policy JSON documents
- Versioning: Git history tracks all changes
Policies no longer maintained by AWS are tracked in DEPRECATED.json:

```json
{
  "deprecated_policies": [
    {
      "policy_name": "ExampleDeprecatedPolicy",
      "deprecated_date": "2024-01-15",
      "reason": "Replaced by newer policy"
    }
  ]
}
```
- GitHub Integration: Uses AWS Secrets Manager for secure token storage
- AWS Permissions: Least-privilege IAM roles for ECS tasks
- Container Security: Regular base image updates
- GitHub tokens stored in AWS Secrets Manager
- No hardcoded credentials in code
- Environment-specific configuration
The ECS task requires the following AWS permissions:
- `iam:ListPolicies` - Fetch policy list
- `iam:GetPolicyVersion` - Retrieve policy documents
- `access-analyzer:ValidatePolicy` - Validate policies
- `secretsmanager:GetSecretValue` - Retrieve GitHub token
- `sns:Publish` - Send notifications
- `sqs:SendMessage` - Queue social media posts
- `s3:GetObject`, `s3:PutObject` - Access artifacts
- Container logs automatically sent to CloudWatch
- Metrics tracking for execution success/failure
- Alerting on validation errors
- Detailed logging throughout execution
- Error handling with automatic retries
- Performance metrics collection
Special thanks to Scott Piper for the original concept. This project extends his idea by:
- Automating the complete monitoring process
- Adding comprehensive policy validation
- Implementing multiple notification channels
- Providing infrastructure as code
- Tracking policy deprecation lifecycle
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Maintained by: @z0ph
Latest Update: Automatically updated every 6 hours