![[Prod] MAMIP - GitHub Actions](https://github.com/z0ph/MAMIP/actions/workflows/main.yml/badge.svg?branch=master){kind=icon}
MAMIP is a comprehensive monitoring tool that tracks changes in AWS Managed IAM Policies and provides automated notifications through multiple channels. Built with a serverless architecture using ECS Fargate and Terraform, it ensures continuous monitoring of AWS policy updates with real-time validation using AWS Access Analyzer.
- Automated Policy Monitoring: Continuously tracks all AWS Managed IAM Policies
- Change Detection: Identifies new, updated, and deprecated policies
- Policy Validation: Validates policies using AWS Access Analyzer with detailed findings
- Multi-Channel Notifications: Sends alerts via social media, SNS, and GitHub
- Deprecation Tracking: Maintains historical records of deprecated policies
- Individual Commit History: Each policy change gets its own commit with version tracking
- Serverless Architecture: ECS Fargate with Spot instances for cost optimization
- Infrastructure as Code: Complete Terraform configuration for reproducible deployments
- Container-Based: Docker containerization for consistent execution environments
- GitHub Integration: Secure token-based authentication via AWS Secrets Manager
- Automated CI/CD: GitHub Actions for continuous integration and deployment
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β GitHub Actions ββββββ ECS Fargate ββββββ AWS Services β
β - Scheduled β β - Container β β - IAM APIs β
β - Manual β β - Python App β β - Access Analyzer β
βββββββββββββββββββ ββββββββββββββββββββ β - Secrets Mgr β
β - SNS/SQS β
βββββββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Data Storage β β Notifications β β Monitoring β
β - policies/ β β - Social Media β β - CloudWatch β
β - findings/ β β - Email/SNS β β - Logs β
β - DEPRECATED β β - GitHub β β - Metrics β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
- Policy Fetching: Script retrieves current AWS Managed Policies
- Change Detection: Compares with local repository to identify changes
- Validation: New/updated policies validated using AWS Access Analyzer
- Storage: Policy documents stored in
policies/, findings infindings/ - Versioning: Individual commits created for each policy change
- Notification: Alerts sent through configured channels
- Cleanup: Deprecated policies moved to tracking list
Choose from multiple ways to receive policy change notifications:
- Bluesky: @mamip.bsky.social
- Twitter/π: @mamip_aws
- Enable "Releases Only" notifications on this repository
- Subscribe to commit RSS feed: GitHub RSS Feed
aws sns subscribe \
--topic-arn arn:aws:sns:eu-west-1:567589703415:mamip-sns-topic \
--protocol email \
--notification-endpoint [email protected]- Watch this repository for commit notifications
- Monitor the
policies/directory for changes
For manual policy checks:
# Local execution
cd automation
python validate-batch.py
# Container execution
docker run -e AWS_REGION=eu-west-1 your-ecr/mamip:latestEach AWS Managed Policy undergoes comprehensive validation using AWS Access Analyzer Policy Validation.
- Syntax Validation: Ensures proper JSON structure
- Security Analysis: Identifies potential security issues
- Best Practice Checks: Validates against AWS recommendations
- Resource Analysis: Checks resource ARN patterns
- Location: All findings stored in
findings/directory - Format: JSON files containing detailed validation results
- Naming: Corresponds to policy names for easy reference
- Types: Warnings, suggestions, and security findings
{
"findings": [
{
"findingType": "WARNING",
"issueCode": "REDUNDANT_STATEMENT",
"findingDetails": "...",
"locations": [...]
}
],
"validatePolicyResponse": {...}
}MAMIP/
βββ automation/ # Core application code
β βββ validate-batch.py # Main validation script
β βββ tf-fargate/ # Terraform infrastructure
β βββ runbook-*.sh # Execution scripts
βββ policies/ # Current AWS Managed Policies
βββ findings/ # Policy validation results
βββ DEPRECATED.json # List of deprecated policies
βββ assets/ # Documentation assets
- Current Policies: Stored in
policies/directory - File Naming: Direct policy name mapping
- Format: AWS IAM policy JSON documents
- Versioning: Git history tracks all changes
Policies no longer maintained by AWS are tracked in DEPRECATED.json:
{
"deprecated_policies": [
{
"policy_name": "ExampleDeprecatedPolicy",
"deprecated_date": "2024-01-15",
"reason": "Replaced by newer policy"
}
]
}- GitHub Integration: Uses AWS Secrets Manager for secure token storage
- AWS Permissions: Least-privilege IAM roles for ECS tasks
- Container Security: Regular base image updates
- GitHub tokens stored in AWS Secrets Manager
- No hardcoded credentials in code
- Environment-specific configuration
The ECS task requires the following AWS permissions:
iam:ListPolicies- Fetch policy listiam:GetPolicyVersion- Retrieve policy documentsaccess-analyzer:ValidatePolicy- Validate policiessecretsmanager:GetSecretValue- Retrieve GitHub tokensns:Publish- Send notificationssqs:SendMessage- Queue social media postss3:GetObject,s3:PutObject- Access artifacts
- Container logs automatically sent to CloudWatch
- Metrics tracking for execution success/failure
- Alerting on validation errors
- Detailed logging throughout execution
- Error handling with automatic retries
- Performance metrics collection
Special thanks to Scott Piper for the original concept. This project extends his idea by:
- Automating the complete monitoring process
- Adding comprehensive policy validation
- Implementing multiple notification channels
- Providing infrastructure as code
- Tracking policy deprecation lifecycle
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Maintained by: @z0ph
Latest Update: Automatically updated every 6 hours
Status: 