Aardvark
Aardvark is a multi-account AWS IAM Access Advisor API
| Category | Identity & Access Management |
|---|---|
| GitHub Stars | 474 |
| Last Commit | 3 months ago |
| This page updated | a month ago |
| Pricing Details | Free and open-source under Apache License 2.0 |
| Target Audience | AWS administrators and security teams managing multi-account environments. |
Aardvark addresses the complex challenge of managing and optimizing IAM access across multiple AWS accounts by providing a centralized API and caching layer. This tool is particularly useful in large, multi-account AWS environments where manual tracking of IAM permissions can become cumbersome.
Technically, Aardvark is built using Python and relies on the AWS IAM Access Advisor API to gather and cache access data. The setup involves configuring an IAM role to assume in each account and specifying a database connection, with SQLite being the default but RDS Postgres recommended for production environments. The tool can also integrate with SWAG for account enumeration, which is especially handy in setups with numerous accounts.
Operationally, Aardvark consists of three main components when deployed with Docker and Docker Compose: an init container to create the database, an API server to serve the data, and a collector daemon to periodically fetch and cache the access data. The API supports GET and POST requests, with results paginated and controllable via `count` and `page` arguments. For example, you can query advisors by ARN or use a regex to filter results.
Key considerations include the need for periodic runs of the collector daemon to keep the cache up-to-date and the potential for increased database storage needs as the number of accounts and permissions grows. Additionally, while Aardvark provides comprehensive visibility into IAM access, it requires careful configuration and monitoring to ensure it scales effectively with your AWS environment.