aws.iam-policy

Filters

has-allow-all

Check whether IAM policy resource(s) contain an allow-all IAM policy statement block.

This allows users to implement CIS AWS check 1.24, which states that no policy should exist that meets the following requirements:

Policy must have 'Action' = '*' and 'Resource' = '*' with 'Effect' = 'Allow'

The filter will trigger on the following IAM policy statement, for example:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow"
    }]
}

Additionally, the filter checks that the matching statement has no 'Condition' or 'NotAction'.

For example, to check all used policies and filter on allow-all:

- name: iam-no-used-all-all-policy
  resource: iam-policy
  filters:
    - type: used
    - type: has-allow-all

Note that scanning and fetching all policies and all their statements can take a while. Use this filter sparingly, or combine it with other filters such as 'used' as above.
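The following is an added example, not Cloud Custodian's own implementation of the filter: it applies the rule described above (Effect 'Allow', Action '*', Resource '*', and no 'Condition' or 'NotAction') to a policy document so the check can be reproduced locally, for instance in a pre-commit test over policies kept in source control. It goes slightly beyond the page's single-string example by also accepting the list forms of "Statement", "Action" and "Resource" that IAM permits; that handling and all sample documents are assumptions constructed for the example.

```python
"""Local reimplementation of the rule the has-allow-all filter describes.

Added example, not Cloud Custodian's code. Rule: a statement is allow-all when
Effect is Allow, Action and Resource are "*", and neither Condition nor
NotAction is present. List forms of Statement/Action/Resource are accepted
(an assumption beyond the page's single-string example).
"""
import json


def _as_list(value):
    """IAM accepts either a single string or a list for these keys."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return [value]


def statement_is_allow_all(statement):
    """Return True when one statement grants every action on every resource."""
    if statement.get("Effect") != "Allow":
        return False
    # A Condition narrows the grant and NotAction inverts it; the page's rule
    # does not count such statements as allow-all.
    if "Condition" in statement or "NotAction" in statement:
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def policy_has_allow_all(document):
    """Accept a policy document as a dict or JSON string; True if any statement matches."""
    if isinstance(document, str):
        document = json.loads(document)
    return any(statement_is_allow_all(s) for s in _as_list(document.get("Statement")))


def scan(policies):
    """Map policy name -> whether its document contains an allow-all statement."""
    return {name: policy_has_allow_all(doc) for name, doc in policies.items()}


# Constructed sample documents for the example (not from any real account).
ALLOW_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
}
CONDITIONED = {  # same grant but gated on MFA: not flagged by the rule
    "Version": "2012-10-17",
    "Statement": {
        "Action": "*", "Resource": "*", "Effect": "Allow",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    },
}
NOT_ACTION = {  # NotAction form: not flagged by the rule
    "Version": "2012-10-17",
    "Statement": [{"NotAction": "iam:*", "Resource": "*", "Effect": "Allow"}],
}
SCOPED = {  # wildcard resource but explicit actions: not flagged
    "Version": "2012-10-17",
    "Statement": [{"Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "*", "Effect": "Allow"}],
}
LIST_FORM = {  # allow-all hidden in the second statement, list-valued keys
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Effect": "Allow"},
        {"Action": ["*"], "Resource": ["*"], "Effect": "Allow"},
    ],
}

if __name__ == "__main__":
    results = scan({"allow-all": ALLOW_ALL, "conditioned": CONDITIONED,
                    "not-action": NOT_ACTION, "scoped": SCOPED, "list-form": LIST_FORM})
    for name, flagged in results.items():
        print(f"{name}: {'ALLOW-ALL' if flagged else 'ok'}")
```

Running the script reports only the "allow-all" and "list-form" documents as matches, which is the behaviour the filter description above leads you to expect: a Condition or NotAction removes a statement from consideration even when Action and Resource are both "*".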

properties:
  type:
    enum:
    - has-allow-all
required:
- type

unused

Filter IAM policies that are not being used (neither attached to any roles nor used as a permissions boundary).

example

policies:
  - name: iam-policy-unused
    resource: iam-policy
    filters:
      - type: unused
properties:
  type:
    enum:
    - unused
required:
- type

used

Filter IAM policies that are being used (either attached to some roles or used as a permissions boundary).

example

policies:
  - name: iam-policy-used
    resource: iam-policy
    filters:
      - type: used
properties:
  type:
    enum:
    - used
required:
- type

Actions

delete

Delete an IAM Policy.

For example, to automatically delete all unused IAM policies:

example

- name: iam-delete-unused-policies
  resource: iam-policy
  filters:
    - type: unused
  actions:
    - delete
properties:
  type:
    enum:
    - delete
required:
- type