aws.iam-policy

Filters

has-allow-all

Check whether IAM policy resources contain an allow-all IAM policy statement.

This lets users implement CIS AWS check 1.24, which requires that no policy exist with a statement meeting all of the following:

‘Action’ = ‘*’ and ‘Resource’ = ‘*’ with ‘Effect’ = ‘Allow’

The filter matches the following IAM policy statement, for example:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow"
    }]
}

A statement is only counted as allow-all if it also has no ‘Condition’ and no ‘NotAction’ element; a statement scoped by a condition, or one written with NotAction instead of Action, does not match this filter.

For example, to check all policies that are in use and keep only those with an allow-all statement:

- name: iam-no-used-all-all-policy
  resource: iam-policy
  filters:
    - type: used
    - type: has-allow-all

Note that listing all policies and retrieving every policy document can take a while. Use this filter sparingly, or combine it with a narrowing filter such as ‘used’ as above.
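The rule above is small enough to reproduce outside Custodian, which is useful for checking a policy document before it is ever created. The following is an added example, not Cloud Custodian's own filter code: it applies the same rule (Effect Allow, Action and Resource both ‘*’, no Condition, no NotAction) to constructed sample documents. It goes slightly beyond the wording above in that it also accepts the list form of Action and Resource and a Statement given as a single object, both of which IAM allows; the function names and the sample policies are assumptions made here.

```python
"""Stand-alone allow-all statement check (added example, not Custodian's code)."""
import json


def _as_list(value):
    # IAM accepts "Action" and "Resource" either as one string or as a list of strings.
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def is_allow_all_statement(stmt):
    """True when one statement is Effect=Allow with Action "*" on Resource "*"
    and carries neither a Condition nor a NotAction element."""
    if stmt.get("Effect") != "Allow":
        return False
    # A Condition scopes the grant and a NotAction inverts it, so neither counts here.
    if "Condition" in stmt or "NotAction" in stmt:
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def has_allow_all(policy_document):
    """Accepts a parsed policy document or its JSON text.
    "Statement" may be a single object or a list of objects."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(is_allow_all_statement(s) for s in statements)


# Constructed sample documents for illustration; not taken from any real account.
SAMPLE_POLICIES = {
    "admin-all": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
    },
    "admin-all-list-form": {
        "Version": "2012-10-17",
        "Statement": [{"Action": ["s3:GetObject", "*"], "Resource": ["*"], "Effect": "Allow"}],
    },
    "statement-as-object": {
        "Version": "2012-10-17",
        "Statement": {"Action": "*", "Resource": "*", "Effect": "Allow"},
    },
    "mfa-conditioned": {  # same grant, but scoped by a Condition: not matched
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "*", "Resource": "*", "Effect": "Allow",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
    "not-action": {  # very broad, but written with NotAction: not matched
        "Version": "2012-10-17",
        "Statement": [{"NotAction": "iam:*", "Resource": "*", "Effect": "Allow"}],
    },
    "explicit-deny": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "*", "Resource": "*", "Effect": "Deny"}],
    },
    "single-service": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "s3:*", "Resource": "*", "Effect": "Allow"}],
    },
}


def scan(policies=SAMPLE_POLICIES):
    """Return the names of the policies that contain an allow-all statement, sorted."""
    return sorted(name for name, doc in policies.items() if has_allow_all(doc))


if __name__ == "__main__":
    print(scan())
```

Note that the NotAction and Condition cases are deliberately not matched, exactly as the filter description says; a NotAction statement such as the one above still grants almost everything, so it deserves its own review even though this check stays silent on it.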

properties:
  type:
    enum:
    - has-allow-all
required:
- type

Permissions - iam:ListPolicies, iam:ListPolicyVersions

json-diff

Compute the diff between the current resource and a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database, so the resource type must be recorded by Config for revisions to be available.

A revision can be selected relative to the previous version, by date (given in selector_value), or against a locked version (requires use of the is-locked filter).
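As an added example (not from the page above), two policies using the selectors described: the first matches any managed policy whose recorded configuration differs from the previous revision in AWS Config, the second matches policies that differ from the revision that was current on a given date. The policy names and the date string are assumptions made here.

```yaml
# Added example, not Cloud Custodian's own documentation.
policies:
  # Match policies whose document changed since the previous Config revision.
  - name: iam-policy-changed-since-previous
    resource: iam-policy
    filters:
      - type: json-diff
        selector: previous

  # Match policies that differ from the revision current on the given date;
  # the date value shown is an assumed placeholder.
  - name: iam-policy-changed-since-date
    resource: iam-policy
    filters:
      - type: json-diff
        selector: date
        selector_value: "2024-01-01"
```

Both policies need the config:GetResourceConfigHistory permission listed below and return nothing for a policy that AWS Config has no history for.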

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

unused

Filter IAM policies that are not in use (neither attached to any role nor used as a permissions boundary).

example:

policies:
  - name: iam-policy-unused
    resource: iam-policy
    filters:
      - type: unused
properties:
  type:
    enum:
    - unused
required:
- type

Permissions - iam:ListPolicies

used

Filter IAM policies that are in use (either attached to some role or used as a permissions boundary).

example:

policies:
  - name: iam-policy-used
    resource: iam-policy
    filters:
      - type: used
properties:
  type:
    enum:
    - used
required:
- type

Permissions - iam:ListPolicies

Actions

delete

Delete an IAM policy.

Deletion is irreversible, and AWS refuses to delete a policy that is still attached to a user, group or role, so pair this action with a filter such as unused. For example, to automatically delete all unused IAM policies:

example:
- name: iam-delete-unused-policies
  resource: iam-policy
  filters:
    - type: unused
  actions:
    - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - iam:DeletePolicy