aws.iam-group
Filters
has-inline-policy
Filter IAM groups on whether they have an inline policy, based on a boolean value:
True: match all groups that have at least one inline policy embedded in them
False: match all groups that have no inline policy
- example:
- name: iam-groups-with-inline-policy
  resource: iam-group
  filters:
    - type: has-inline-policy
      value: True
properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type
Permissions - iam:ListGroupPolicies
has-specific-managed-policy
Filter IAM groups that have a specific managed policy attached. The value is compared against the attached policy's name (PolicyName), not its ARN.
For example, to match all groups that have 'admin-policy' attached:
- example:
policies:
  - name: iam-groups-have-admin
    resource: iam-group
    filters:
      - type: has-specific-managed-policy
        value: admin-policy
properties:
  type:
    enum:
    - has-specific-managed-policy
  value:
    type: string
required:
- type
Permissions - iam:ListAttachedGroupPolicies
has-users
Filter IAM groups on whether they have users, based on a True/False value:
True: match all IAM groups with at least one user assigned to them
False: match all IAM groups without any users assigned to them
- example:
- name: empty-iam-group
  resource: iam-group
  filters:
    - type: has-users
      value: False
properties:
  type:
    enum:
    - has-users
  value:
    type: boolean
required:
- type
Permissions - iam:GetGroup
json-diff
Compute the diff between the current resource and a previous version of it.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database, so Config must be recording the resource type for the filter to find any revisions.
Revisions can be selected by date (selector: date, with the date in selector_value), against the previous version (selector: previous), or against a locked version (selector: locked, which requires the is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
Actions
delete
Delete an IAM group.
IAM refuses to delete a group that still has members, attached managed policies or inline policies. With force: True the action first removes the group's users (hence the iam:RemoveUserFromGroup permission below); it does not delete inline policies or detach managed policies, so run delete-inline-policies and set-policy with state: detached first where those are present.
For example, to delete a group named 'test':
- example:
policies:
  - name: iam-delete-user-group
    resource: aws.iam-group
    filters:
      - type: value
        key: GroupName
        value: test
    actions:
      - type: delete
        force: True
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type
Permissions - iam:DeleteGroup, iam:RemoveUserFromGroup
delete-inline-policies
Delete inline policies embedded in an IAM group.
- example:
policies:
  - name: iam-delete-group-policies
    resource: aws.iam-group
    filters:
      - type: value
        key: GroupName
        value: test
    actions:
      - type: delete-inline-policies
properties:
  type:
    enum:
    - delete-inline-policies
required:
- type
Permissions - iam:ListGroupPolicies, iam:DeleteGroupPolicy
set-policy
Set a specific IAM managed policy as attached or detached on a group.
Identify the policy by its ARN. With state: detached, arn: "*" detaches every managed policy currently attached to the group; "*" is only meaningful for detaching.
Returns a list of groups modified by the action.
For example, to attach a single policy while detaching all existing policies (actions run in the order listed, so the detach comes first; {account_id} is expanded to the account the policy runs against):
- example:
policies:
  - name: iam-attach-group-policy
    resource: iam-group
    actions:
      - type: set-policy
        state: detached
        arn: "*"
      - type: set-policy
        state: attached
        arn: arn:aws:iam::{account_id}:policy/my-iam-policy
properties:
  arn:
    type: string
  state:
    enum:
    - attached
    - detached
  type:
    enum:
    - set-policy
required:
- state
- arn
- type
Permissions - iam:AttachGroupPolicy, iam:DetachGroupPolicy, iam:ListAttachedGroupPolicies
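As an added example, not code from the project documented on this page, the Python below reproduces the has-inline-policy, has-users and has-specific-managed-policy filters and the delete, delete-inline-policies and set-policy actions in terms of the IAM API calls that the permission lists above name. It runs offline against an in-memory stand-in for the IAM client; FakeIam, SAMPLE_GROUPS and the functions audit_groups, set_policy and delete_group are this example's own names and assumptions, and the sample account data is constructed.

```python
"""Offline model of the aws.iam-group filters and actions documented above, written
against boto3's IAM client method names and response shapes so a real boto3.client("iam")
can be passed wherever FakeIam is used. FakeIam and SAMPLE_GROUPS are constructed here."""
import copy

# group name -> {"users": [names], "inline": [policy names], "managed": {policy name: ARN}}
SAMPLE_GROUPS = {
    "admins": {"users": ["alice"], "inline": [],
               "managed": {"admin-policy": "arn:aws:iam::123456789012:policy/admin-policy"}},
    "legacy": {"users": [], "inline": ["legacy-s3-access"], "managed": {}},
    "empty": {"users": [], "inline": [], "managed": {}},
}


class FakeIam:
    """In-memory stand-in for the IAM client; every list call returns a single page."""

    def __init__(self, groups=SAMPLE_GROUPS):
        self.groups = copy.deepcopy(groups)

    def list_groups(self):
        return {"Groups": [{"GroupName": n} for n in self.groups]}

    def get_group(self, GroupName):
        users = [{"UserName": u} for u in self.groups[GroupName]["users"]]
        return {"Group": {"GroupName": GroupName}, "Users": users}

    def list_group_policies(self, GroupName):
        return {"PolicyNames": list(self.groups[GroupName]["inline"])}

    def list_attached_group_policies(self, GroupName):
        items = self.groups[GroupName]["managed"].items()
        return {"AttachedPolicies": [{"PolicyName": n, "PolicyArn": a} for n, a in items]}

    def remove_user_from_group(self, GroupName, UserName):
        self.groups[GroupName]["users"].remove(UserName)

    def delete_group_policy(self, GroupName, PolicyName):
        self.groups[GroupName]["inline"].remove(PolicyName)

    def attach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]["managed"][PolicyArn.rsplit("/", 1)[-1]] = PolicyArn

    def detach_group_policy(self, GroupName, PolicyArn):
        g = self.groups[GroupName]
        g["managed"] = {n: a for n, a in g["managed"].items() if a != PolicyArn}

    def delete_group(self, GroupName):
        g = self.groups[GroupName]
        if g["users"] or g["inline"] or g["managed"]:  # IAM: DeleteConflict until empty
            raise RuntimeError("DeleteConflict: " + GroupName)
        del self.groups[GroupName]


def audit_groups(iam, policy_name="admin-policy"):
    """The three filters, evaluated for every group: {group: {filter: bool}}."""
    out = {}
    for g in iam.list_groups()["Groups"]:
        n = g["GroupName"]
        attached = iam.list_attached_group_policies(GroupName=n)["AttachedPolicies"]
        out[n] = {
            "has-inline-policy": bool(iam.list_group_policies(GroupName=n)["PolicyNames"]),
            "has-users": bool(iam.get_group(GroupName=n)["Users"]),
            # has-specific-managed-policy matches the attached PolicyName, not the ARN
            "has-specific-managed-policy": any(p["PolicyName"] == policy_name for p in attached),
        }
    return out


def set_policy(iam, name, arn, state):
    """set-policy: attach one ARN, or detach one ARN or all of them ("*"); returns ARNs changed."""
    attached = [p["PolicyArn"] for p in
                iam.list_attached_group_policies(GroupName=name)["AttachedPolicies"]]
    if state == "detached":
        targets = attached if arn == "*" else [a for a in attached if a == arn]
        for a in targets:
            iam.detach_group_policy(GroupName=name, PolicyArn=a)
        return targets
    if arn == "*":
        raise ValueError('arn "*" is only meaningful with state: detached')
    if arn not in attached:
        iam.attach_group_policy(GroupName=name, PolicyArn=arn)
    return [arn]


def delete_group(iam, name, force=False):
    """delete: empty the group in the order IAM requires (users out, inline policies
    deleted, managed policies detached), then DeleteGroup. Without force, refuse."""
    users = [u["UserName"] for u in iam.get_group(GroupName=name)["Users"]]
    inline = iam.list_group_policies(GroupName=name)["PolicyNames"]
    managed = iam.list_attached_group_policies(GroupName=name)["AttachedPolicies"]
    if (users or inline or managed) and not force:
        return False
    for u in users:
        iam.remove_user_from_group(GroupName=name, UserName=u)
    for p in inline:
        iam.delete_group_policy(GroupName=name, PolicyName=p)
    set_policy(iam, name, "*", "detached")
    iam.delete_group(GroupName=name)
    return True
```

Calling audit_groups(FakeIam()) flags "legacy" as has-inline-policy and no users and "admins" as carrying admin-policy; delete_group(iam, "legacy") then returns False until force=True, at which point the inline policy is deleted before DeleteGroup is attempted, mirroring the order the delete action's caveat above describes. Against a real account pass boto3.client("iam") in place of FakeIam(); the real list calls paginate (IsTruncated/Marker), so use the client's paginators there instead of the single-page reads shown here.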