aws.iam-profile

Filters

has-specific-managed-policy

Filter IAM instance profiles whose role has a specific managed IAM policy attached. An instance profile that contains no IAM role has no attached policies and is treated as not having the policy.

example

Check for instance profile roles with ‘admin-policy’ attached:

policies:
  - name: iam-profiles-have-admin
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        value: admin-policy
example

Check for instance profile roles with an attached policy matching a given list:

policies:
  - name: iam-profiles-with-selected-policies
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        value:
          - AmazonS3FullAccess
          - AWSOrganizationsFullAccess
example

Check for instance profile roles with attached policy names matching a pattern:

policies:
  - name: iam-profiles-with-full-access-policies
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        op: glob
        value: "*FullAccess"

Check for instance profile roles with attached policy ARNs matching a pattern:

policies:
  - name: iam-profiles-with-aws-full-access-policies
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        key: PolicyArn
        op: regex
        value: "arn:aws:iam::aws:policy/.*FullAccess"
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - has-specific-managed-policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - iam:ListAttachedRolePolicies
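The following is an added example, not Cloud Custodian's own implementation, showing how the matching modes above behave (exact name, list of names, glob on PolicyName, regex on PolicyArn) and why a profile with no role never matches. The profile and policy data are constructed inline in the shape of the boto3 IAM responses (GetInstanceProfile Roles, ListAttachedRolePolicies AttachedPolicies); no AWS calls are made.

```python
import fnmatch
import re

# Constructed sample data (not a real account) shaped like the boto3 responses:
# each profile carries its Roles, and each role carries its AttachedPolicies.
PROFILES = [
    {"InstanceProfileName": "web-profile",
     "Roles": [{"RoleName": "web-role", "AttachedPolicies": [
         {"PolicyName": "AmazonS3FullAccess",
          "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
         {"PolicyName": "app-logging",
          "PolicyArn": "arn:aws:iam::123456789012:policy/app-logging"}]}]},
    {"InstanceProfileName": "admin-profile",
     "Roles": [{"RoleName": "admin-role", "AttachedPolicies": [
         {"PolicyName": "admin-policy",
          "PolicyArn": "arn:aws:iam::123456789012:policy/admin-policy"},
         {"PolicyName": "CustomFullAccess",
          "PolicyArn": "arn:aws:iam::123456789012:policy/CustomFullAccess"}]}]},
    # An instance profile with no role: it has no policies and never matches.
    {"InstanceProfileName": "empty-profile", "Roles": []},
]


def _match(attr_value, op, value):
    """Apply one comparison operator to a single policy attribute (subset of the op enum)."""
    if op in ("eq", "equal"):
        return attr_value == value
    if op == "in":
        return attr_value in value
    if op == "glob":
        return fnmatch.fnmatchcase(attr_value, value)
    if op == "regex":
        return re.match(value, attr_value) is not None
    raise ValueError("unsupported op: %s" % op)


def has_specific_managed_policy(profiles, value, key="PolicyName", op=None):
    """Return names of instance profiles whose role carries a matching managed policy.

    A string value matches a policy name exactly, a list value matches any listed
    name, and `op` selects glob/regex matching against `key` (PolicyName or
    PolicyArn). Profiles without a role contribute no policies.
    """
    if op is None:
        op = "in" if isinstance(value, list) else "eq"
    matched = []
    for profile in profiles:
        policies = [p for role in profile["Roles"] for p in role["AttachedPolicies"]]
        if any(_match(p[key], op, value) for p in policies):
            matched.append(profile["InstanceProfileName"])
    return matched
```

Each of the four documented policies corresponds to one call: `has_specific_managed_policy(PROFILES, "admin-policy")`, a list value, `op="glob"` with `"*FullAccess"`, and `key="PolicyArn", op="regex"` with the AWS-managed ARN pattern. Note that the glob on PolicyName also catches customer-managed policies named like AWS ones, which is exactly why the last documented example keys on the ARN instead.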

unused

Filter IAM instance profiles that are not referenced by any of the resources the filter enumerates; the permissions below show which resource types are scanned.

example

policies:
  - name: iam-instance-profiles-not-in-use
    resource: iam-profile
    filters:
      - type: unused
properties:
  type:
    enum:
    - unused
required:
- type

Permissions - lambda:ListFunctions, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices

used

Filter IAM instance profiles that are referenced by at least one of the resources the filter enumerates; the permissions below show which resource types are scanned.

example

policies:
  - name: iam-instance-profiles-in-use
    resource: iam-profile
    filters:
      - type: used
properties:
  type:
    enum:
    - used
required:
- type

Permissions - lambda:ListFunctions, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices
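As an added illustration of what `used` and `unused` decide, and not Cloud Custodian's own scanner, the example below collects instance-profile references from two of the sources implied by the permissions above (ec2:DescribeInstances and autoscaling:DescribeLaunchConfigurations) and splits the profiles into used and unused sets. It assumes constructed, inline data in the shape of the boto3 responses and makes no AWS calls; the remaining sources listed in the permissions are left out for brevity.

```python
# Constructed sample data (not a real account).
INSTANCE_PROFILES = [
    {"InstanceProfileName": "web-profile",
     "Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"},
    {"InstanceProfileName": "batch-profile",
     "Arn": "arn:aws:iam::123456789012:instance-profile/batch-profile"},
    {"InstanceProfileName": "legacy-profile",
     "Arn": "arn:aws:iam::123456789012:instance-profile/legacy-profile"},
]

# ec2:DescribeInstances -> Reservations[].Instances[].IamInstanceProfile.Arn
EC2_INSTANCES = [
    {"InstanceId": "i-0123456789abcdef0",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"}},
    {"InstanceId": "i-0fedcba9876543210"},  # no profile attached
]

# autoscaling:DescribeLaunchConfigurations -> IamInstanceProfile, which AWS
# allows to be either the profile name or its ARN.
LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "batch-lc", "IamInstanceProfile": "batch-profile"},
]


def referenced_profile_arns(profiles, instances, launch_configs):
    """Return the set of instance-profile ARNs referenced by instances or launch configs."""
    name_to_arn = {p["InstanceProfileName"]: p["Arn"] for p in profiles}
    refs = set()
    for inst in instances:
        arn = inst.get("IamInstanceProfile", {}).get("Arn")
        if arn:
            refs.add(arn)
    for lc in launch_configs:
        ref = lc.get("IamInstanceProfile")
        if not ref:
            continue
        # Normalise a bare name to its ARN so both spellings count as a reference.
        refs.add(ref if ref.startswith("arn:") else name_to_arn.get(ref, ref))
    return refs


def used_profiles(profiles, instances, launch_configs):
    refs = referenced_profile_arns(profiles, instances, launch_configs)
    return [p["InstanceProfileName"] for p in profiles if p["Arn"] in refs]


def unused_profiles(profiles, instances, launch_configs):
    refs = referenced_profile_arns(profiles, instances, launch_configs)
    return [p["InstanceProfileName"] for p in profiles if p["Arn"] not in refs]
```

The practical caveat this makes visible: "unused" is only as complete as the set of reference sources scanned. Before acting on an `unused` match (for example with `set-role` to detach its role), confirm nothing outside the enumerated resource types still launches instances with that profile.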

Actions

set-role

Sets the specified role on each matched IAM instance profile: the role is added if absent, and any different role already attached is removed first, since an instance profile holds at most one role.

Specifying an empty role name removes the attached role from the instance profile without adding a replacement.

example

policies:
  - name: iam-instance-profile-set-role
    resource: iam-profile
    actions:
        - type: set-role
          role: my-test-role
properties:
  role:
    type: string
  type:
    enum:
    - set-role
required:
- type

Permissions - iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile
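To make the upsert semantics concrete, here is an added, dry-run planner that is not Cloud Custodian's own action code. Given a profile in the shape of the boto3 GetInstanceProfile response and a target role name, it returns the IAM API calls (named after the two permissions above) needed to reach the target state, including the empty-name case that only detaches. The profile data is constructed inline.

```python
REMOVE = "remove_role_from_instance_profile"
ADD = "add_role_to_instance_profile"

# Constructed sample profile (not a real account).
SAMPLE_PROFILE = {
    "InstanceProfileName": "app-profile",
    "Roles": [{"RoleName": "old-role"}],
}


def plan_set_role(profile, role):
    """Return (api_call, kwargs) pairs that make `role` the profile's sole role.

    Target state: exactly the named role attached, nothing else. An empty role
    name means detach whatever is attached and add nothing. Roles already in
    the target state produce no calls, so the plan is idempotent.
    """
    name = profile["InstanceProfileName"]
    current = [r["RoleName"] for r in profile.get("Roles", [])]
    calls = []
    for existing in current:
        if existing != role:
            calls.append((REMOVE, {"InstanceProfileName": name, "RoleName": existing}))
    if role and role not in current:
        calls.append((ADD, {"InstanceProfileName": name, "RoleName": role}))
    return calls


def plan_set_role_for_all(profiles, role):
    """Plan the action across a list of matched profiles, keyed by profile name."""
    return {p["InstanceProfileName"]: plan_set_role(p, role) for p in profiles}
```

Reviewing the plan before execution is the useful part: a `set-role` policy scoped too broadly (for example, without a `used`/`unused` filter) would swap the role on every instance profile in the account, and the planner shows exactly which removals that entails.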