aws.iam-group
Filters
has-inline-policy
Filter IAM groups by whether they have an inline policy, based on a boolean value:
- True: match all groups that have an inline policy attached
- False: match all groups that do not have an inline policy attached
Example:

    - name: iam-groups-with-inline-policy
      resource: iam-group
      filters:
        - type: has-inline-policy
          value: True

    properties:
      type:
        enum:
        - has-inline-policy
      value:
        type: boolean
    required:
    - type

Permissions - iam:ListGroupPolicies
has-users
Filter IAM groups by whether they have users attached, based on a True/False value:
- True: match all IAM groups with users assigned to them
- False: match all IAM groups without any users assigned to them
Example:

    - name: empty-iam-group
      resource: iam-group
      filters:
        - type: has-users
          value: False

    properties:
      type:
        enum:
        - has-users
      value:
        type: boolean
    required:
    - type

Permissions - iam:GetGroup
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

    properties:
      selector:
        enum:
        - previous
        - date
        - locked
      selector_value:
        type: string
      type:
        enum:
        - json-diff
    required:
    - type

Permissions - config:GetResourceConfigHistory
Actions
delete
Delete an IAM User Group.
For example, to delete a group named ‘test’:
Example:

    - name: iam-delete-user-group
      resource: aws.iam-group
      filters:
        - type: value
          key: GroupName
          value: test
      actions:
        - type: delete
          force: True

    properties:
      force:
        type: boolean
      type:
        enum:
        - delete
    required:
    - type

Permissions - iam:DeleteGroup, iam:RemoveUserFromGroup
delete-inline-policies
Delete inline policies embedded in an IAM group.
Example:

    - name: iam-delete-group-policies
      resource: aws.iam-group
      filters:
        - type: value
          key: GroupName
          value: test
      actions:
        - type: delete-inline-policies

    properties:
      type:
        enum:
        - delete-inline-policies
    required:
    - type

Permissions - iam:ListGroupPolicies, iam:DeleteGroupPolicy
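
The filters and actions above can be combined in one policy file. The following is an added example, not taken from the Cloud Custodian documentation; the policy names are made up for illustration, and it relies on Custodian's default behaviour of ANDing the entries in a filters list.

```yaml
# Added example, not from the Cloud Custodian docs. Policy names are made up.
policies:
  # Report only: empty groups that still carry embedded permissions.
  # Filters in a list are ANDed, so both conditions must hold.
  - name: iam-group-empty-with-inline-policy
    resource: aws.iam-group
    filters:
      - type: has-users
        value: False
      - type: has-inline-policy
        value: True

  # Remediation for the same finding: strip the inline policies but keep
  # the (empty) group, so nothing that references the group name breaks.
  - name: iam-group-empty-strip-inline-policy
    resource: aws.iam-group
    filters:
      - type: has-users
        value: False
      - type: has-inline-policy
        value: True
    actions:
      - type: delete-inline-policies

  # Change detection: groups whose configuration differs from the previous
  # revision recorded in AWS Config. No action, so it only reports.
  - name: iam-group-changed-since-previous
    resource: aws.iam-group
    filters:
      - type: json-diff
        selector: previous
```

Check the file with `custodian validate` and run it with `custodian run --dryrun` before letting the remediation policy delete anything. The json-diff policy only returns results where AWS Config is recording IAM groups.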