This quick shell script uses the aws cli to pull the policy documents for a set of AWS credentials. It can also optionally scan the policy documents with https://github.com/salesforce/cloudsplaining
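#!/bin/bash
#
# get_aws_cred_permissions.sh — dump the IAM policy documents that apply to the
# principal behind a set of AWS credentials.
#
# Usage: ./get_aws_cred_permissions.sh [-x] [-p profile_name]
#   -x  also scan each saved policy file with cloudsplaining (must be on PATH)
#   -p  AWS CLI profile to use for every call (default: "default")
#
# Every inline and attached policy of the calling role or user is printed to
# stdout and saved as <PolicyName>.json in the current directory.
# Requires the aws cli and jq on PATH.

# Unset variables are errors and a failing stage fails the whole pipeline.
# -e is deliberately not used: each aws call is checked explicitly below so a
# failed fetch is reported with context instead of a silent exit.
set -uo pipefail

explain='false'
profile='default'

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless a required command is on PATH.
# Arguments: $1 - command name to look up
#            $2 - label used in the diagnostic messages
#######################################
require_tool() {
  local cmd=$1 label=$2
  if ! command -v "$cmd" &> /dev/null; then
    # Non-zero status here (the original exited 0) so callers notice.
    die "$label command could not be found, please install before using this"
  fi
  echo "$label command found, continuing"
}

#######################################
# Pretty-print a policy response, save it, and optionally scan it.
# Globals:   explain (read)
# Arguments: $1 - file name stem (the policy name)
#            $2 - JSON returned by the aws cli for that policy
# Outputs:   writes <name>.json in the current directory
#######################################
save_policy() {
  local name=$1 doc=$2
  # printf keeps the document byte-for-byte; an unquoted echo would
  # word-split and glob-expand the JSON before it reached jq / the file.
  printf '%s\n' "$doc" | jq .
  printf '%s\n' "$doc" > "${name}.json"
  # NOTE(review): as in the original, the saved file is the full API response
  # (PolicyDocument / PolicyVersion.Document wrapper included) — confirm that
  # cloudsplaining scan-policy-file accepts that wrapper.
  if [[ "$explain" == "true" ]]; then
    echo "scanning policy with cloudsplaining"
    cloudsplaining scan-policy-file --input-file "./${name}.json"
  fi
}

#######################################
# Fetch and save every inline policy of a role or user.
# Globals:   profile (read)
# Arguments: $1 - principal kind: "role" or "user"
#            $2 - principal name
#######################################
dump_inline_policies() {
  local kind=$1 name=$2 listing policy_name doc
  local -a names=()
  echo "getting ${kind}'s inline policies"
  # --profile is passed to every call; the original only used it for sts,
  # so the iam calls silently ran against the default profile.
  listing=$(aws --profile "$profile" iam "list-${kind}-policies" "--${kind}-name" "$name" \
    | jq -r '.PolicyNames[]') || die "could not list inline policies for $kind $name"
  # Empty listing: nothing to fetch (mapfile on "" would yield one empty name).
  [[ -n "$listing" ]] || return 0
  mapfile -t names <<< "$listing"
  for policy_name in "${names[@]}"; do
    echo "fetching policy $policy_name"
    doc=$(aws --profile "$profile" iam "get-${kind}-policy" "--${kind}-name" "$name" \
      --policy-name "$policy_name") || die "could not fetch inline policy $policy_name"
    save_policy "$policy_name" "$doc"
  done
}

#######################################
# Fetch and save the default version of every managed policy attached to a
# role or user.
# Globals:   profile (read)
# Arguments: $1 - principal kind: "role" or "user"
#            $2 - principal name
#######################################
dump_attached_policies() {
  local kind=$1 name=$2 listing policy_arn policy_doc policy_version policy_name doc
  local -a arns=()
  echo "getting ${kind}'s attached policies"
  listing=$(aws --profile "$profile" iam "list-attached-${kind}-policies" "--${kind}-name" "$name" \
    | jq -r '.AttachedPolicies[].PolicyArn') || die "could not list attached policies for $kind $name"
  [[ -n "$listing" ]] || return 0
  mapfile -t arns <<< "$listing"
  for policy_arn in "${arns[@]}"; do
    policy_doc=$(aws --profile "$profile" iam get-policy --policy-arn "$policy_arn") \
      || die "could not describe policy $policy_arn"
    policy_version=$(jq -r '.Policy.DefaultVersionId' <<< "$policy_doc")
    policy_name=$(jq -r '.Policy.PolicyName' <<< "$policy_doc")
    echo "fetching policy document for $policy_name version $policy_version"
    doc=$(aws --profile "$profile" iam get-policy-version --policy-arn "$policy_arn" \
      --version-id "$policy_version") || die "could not fetch $policy_name version $policy_version"
    save_policy "$policy_name" "$doc"
  done
}

#######################################
# Entry point: parse flags, identify the caller, dump its policies.
# Globals:   explain, profile (written)
# Arguments: script flags (see usage above)
#######################################
main() {
  local OPTION arn name
  require_tool aws "aws cli"
  require_tool jq "jq"

  while getopts 'xp:' OPTION; do
    case "$OPTION" in
      x)
        if ! command -v cloudsplaining &> /dev/null; then
          die "cloudsplaining not installed. please install to use the -x flag "
        fi
        echo "cloudsplaining command found, continuing"
        explain='true'
        ;;
      p)
        profile=$OPTARG
        ;;
      ?)
        echo "script usage: ./get_aws_cred_permissions.sh [-x] [-p profile_name]" >&2
        exit 1
        ;;
    esac
  done
  shift $((OPTIND - 1))

  echo "using profile $profile"
  echo "pulling caller identity"
  arn=$(aws --profile "$profile" sts get-caller-identity | jq -r '.Arn') \
    || die "could not determine caller identity for profile $profile"

  case "$arn" in
    *:assumed-role/*|*:role/*)
      # Role credentials surface through sts as
      # arn:aws:sts::<acct>:assumed-role/<RoleName>/<Session>; the original
      # ":role" substring test never matched that form, so the role branch
      # was unreachable. The role name is the second slash-separated field
      # in both ARN shapes.
      echo "role $arn identified"
      IFS=/ read -r _ name _ <<< "$arn"
      dump_inline_policies role "$name"
      dump_attached_policies role "$name"
      ;;
    *:user/*)
      # arn:aws:iam::<acct>:user/[<path>/]<Name> — take the last component so
      # a user created under an IAM path is still resolved to its name.
      echo "user $arn identified"
      name=${arn##*/}
      dump_inline_policies user "$name"
      dump_attached_policies user "$name"
      ;;
    *)
      # e.g. the account root, which has no IAM policies to enumerate.
      die "caller $arn is neither a role nor a user; nothing to fetch"
      ;;
  esac
}

main "$@"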