aws.iam-policy

Filters

has-allow-all

Check if IAM policy resource(s) have allow-all IAM policy statement block.

This lets users implement CIS AWS check 1.24, which states that no policy should exist with a statement matching the following requirements:

'Action' = '*' and 'Resource' = '*' with 'Effect' = 'Allow'

The filter will match an IAM policy containing a statement like the following:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow"
    }]
}

Additionally, the filter only matches statements that have no 'Condition' and no 'NotAction'.

For example, if the user wants to check all used policies and filter on allow all:

policies:
  - name: iam-no-used-all-all-policy
    resource: iam-policy
    filters:
      - type: used
      - type: has-allow-all

Note that scanning and fetching all policies and all their statements can take a while. Use this filter sparingly, or combine it with filters such as 'used' as above.

properties:
  type:
    enum:
    - has-allow-all
required:
- type

Permissions - iam:ListPolicies, iam:ListPolicyVersions
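To make the matching rule concrete, here is an added example (not Cloud Custodian's own code) that applies the same allow-all test to a few constructed IAM policy documents. It assumes the normalizations a practitioner would want when auditing real documents: 'Statement' may be a single block or a list, 'Action' and 'Resource' may be a string or a list, and a statement counts as allow-all only when 'Effect' is 'Allow', both 'Action' and 'Resource' contain "*", and neither 'Condition' nor 'NotAction' is present.

```python
"""Added example: re-implements the has-allow-all statement check over
constructed IAM policy documents. Not Cloud Custodian's own code; the
helper names and sample policies below are assumptions for illustration."""
import json


def _as_list(value):
    """Normalize an IAM field that may be a string, a list or absent to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_allow_all(stmt):
    """True when one statement block is Effect=Allow on Action * and Resource *
    and carries no Condition or NotAction (the CIS 1.24 shape)."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Condition" in stmt or "NotAction" in stmt:
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def has_allow_all(policy_document):
    """True when any statement in the document (dict or JSON string) is allow-all."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    return any(statement_is_allow_all(s) for s in _as_list(policy_document.get("Statement")))


def find_allow_all(policies):
    """Return the sorted names of policies whose document matches."""
    return sorted(name for name, doc in policies.items() if has_allow_all(doc))


# Constructed sample policy documents (not from any real account).
SAMPLE_POLICIES = {
    # Matches: the exact shape shown in the filter description.
    "admin-all": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
    },
    # Matches: "*" appears inside list-valued Action/Resource, single-dict Statement.
    "list-form": {
        "Version": "2012-10-17",
        "Statement": {"Action": ["s3:GetObject", "*"], "Resource": ["*"], "Effect": "Allow"},
    },
    # No match: scoped actions.
    "scoped": {
        "Version": "2012-10-17",
        "Statement": [{"Action": ["s3:GetObject"], "Resource": "*", "Effect": "Allow"}],
    },
    # No match: a Condition is present, so the filter does not count it.
    "conditioned": {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "*", "Resource": "*", "Effect": "Allow",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
    # No match: NotAction is used instead of Action.
    "notaction": {
        "Version": "2012-10-17",
        "Statement": [{"NotAction": "iam:*", "Resource": "*", "Effect": "Allow"}],
    },
    # No match: explicit Deny is never allow-all.
    "deny-all": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "*", "Resource": "*", "Effect": "Deny"}],
    },
}

if __name__ == "__main__":
    print("allow-all policies:", find_allow_all(SAMPLE_POLICIES))
```

Running the block reports "admin-all" and "list-form" as matches; the conditioned and NotAction variants are deliberately excluded, mirroring the filter's rule that such statements are not counted even though they may still be very broad.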

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

unused

Filter IAM policies that are not being used (neither attached to any roles nor used as a permissions boundary).

example:

policies:
  - name: iam-policy-unused
    resource: iam-policy
    filters:
      - type: unused
properties:
  type:
    enum:
    - unused
required:
- type

Permissions - iam:ListPolicies

used

Filter IAM policies that are being used (either attached to some roles or used as a permissions boundary).

example:

policies:
  - name: iam-policy-used
    resource: iam-policy
    filters:
      - type: used
properties:
  type:
    enum:
    - used
required:
- type

Permissions - iam:ListPolicies

Actions

delete

Delete an IAM Policy.

For example, to automatically delete all unused IAM policies:

example:

policies:
  - name: iam-delete-unused-policies
    resource: iam-policy
    filters:
      - type: unused
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - iam:DeletePolicy

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value from Application is used, because old_keys are applied in order and the first listed key wins.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources
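The precedence rule above (first listed old key wins when several are present) is the part of rename-tag most worth checking before running it against real resources. The following added example, which is not Cloud Custodian's own implementation, plans the rename over AWS-style tag lists and returns both the keys that would be untagged and the resulting tag set, so the outcome can be reviewed in a dry run. The function name, the assumption that an existing new_key value is overwritten, and the sample tag sets are constructed for illustration.

```python
"""Added example: plans a rename-tag operation over AWS-style tag lists
([{"Key": ..., "Value": ...}]). Not Cloud Custodian's own code; the
precedence rule follows the description above (first old key in
old_keys order wins). Assumption: an existing new_key tag is overwritten."""


def plan_rename_tag(tags, old_keys, new_key):
    """Return (keys_to_untag, resulting_tag_list) for one resource.

    tags:     list of {"Key", "Value"} dicts as returned by the AWS APIs.
    old_keys: candidate keys in priority order; the first one present supplies
              the value, and every present old key is removed.
    new_key:  key that receives the chosen value.
    """
    current = {t["Key"]: t["Value"] for t in tags}
    present = [k for k in old_keys if k in current]
    if not present:
        # No old key on this resource: nothing to untag, tags unchanged.
        return [], [dict(t) for t in tags]
    chosen_value = current[present[0]]  # first listed old key wins
    remaining = {k: v for k, v in current.items() if k not in present}
    remaining[new_key] = chosen_value
    return present, [{"Key": k, "Value": v} for k, v in remaining.items()]


def tags_as_dict(tag_list):
    """Convenience view of a tag list for comparisons."""
    return {t["Key"]: t["Value"] for t in tag_list}


# Constructed sample resources (not real log groups or tag values).
SAMPLE_RESOURCES = {
    "both-keys": [
        {"Key": "Application", "Value": "billing"},
        {"Key": "Bap", "Value": "legacy-billing"},
        {"Key": "Env", "Value": "prod"},
    ],
    "only-bap": [
        {"Key": "Bap", "Value": "legacy-billing"},
    ],
    "neither": [
        {"Key": "Env", "Value": "dev"},
    ],
}

if __name__ == "__main__":
    for name, tags in SAMPLE_RESOURCES.items():
        untag, result = plan_rename_tag(tags, ["Application", "Bap"], "App")
        print(name, "untag:", untag, "result:", tags_as_dict(result))
```

For the "both-keys" resource the plan untags both Application and Bap and sets App to "billing", the Application value; for "only-bap" it takes the Bap value; for "neither" it leaves the tags untouched and issues no untag call, which is the behaviour the example policy's 'or' filter relies on.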