aws.iam-profile

Filters

has-specific-managed-policy
Filter IAM instance profiles whose IAM role has a specific managed IAM policy attached. An instance profile that contains no IAM role is treated as not having the policy.

Example: check for instance profile roles with 'admin-policy' attached:

    policies:
      - name: iam-profiles-have-admin
        resource: aws.iam-profile
        filters:
          - type: has-specific-managed-policy
            value: admin-policy

Example: check for instance profile roles with an attached policy matching a given list:

    policies:
      - name: iam-profiles-with-selected-policies
        resource: aws.iam-profile
        filters:
          - type: has-specific-managed-policy
            value:
              - AmazonS3FullAccess
              - AWSOrganizationsFullAccess

Example: check for instance profile roles with attached policy names matching a pattern:

    policies:
      - name: iam-profiles-with-full-access-policies
        resource: aws.iam-profile
        filters:
          - type: has-specific-managed-policy
            op: glob
            value: "*FullAccess"

Example: check for instance profile roles with attached policy ARNs matching a pattern:

    policies:
      - name: iam-profiles-with-aws-full-access-policies
        resource: aws.iam-profile
        filters:
          - type: has-specific-managed-policy
            key: PolicyArn
            op: regex
            value: "arn:aws:iam::aws:policy/.*FullAccess"
Schema:

    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
          - eq
          - equal
          - ne
          - not-equal
          - gt
          - greater-than
          - ge
          - gte
          - le
          - lte
          - lt
          - less-than
          - glob
          - regex
          - regex-case
          - in
          - ni
          - not-in
          - contains
          - difference
          - intersect
          - mod
      type:
        enum:
          - has-specific-managed-policy
      value:
        oneOf:
          - type: array
          - type: string
          - type: boolean
          - type: number
          - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
              - type: integer
              - type: string
          format:
            enum:
              - csv
              - json
              - txt
              - csv2dict
          headers:
            patternProperties:
              '':
                type: string
            type: object
          query:
            type: string
          url:
            type: string
        required:
          - url
        type: object
      value_path:
        type: string
      value_regex:
        type: string
      value_type:
        enum:
          - age
          - integer
          - expiration
          - normalize
          - size
          - cidr
          - cidr_size
          - swap
          - resource_count
          - expr
          - unique_size
          - date
          - version
          - float
    required:
      - type
Permissions - iam:ListAttachedRolePolicies
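To make the matching rules concrete, here is an added Python example, not Cloud Custodian's own code, that applies the four documented filters to a constructed set of instance profiles. The profile dictionaries and the `AttachedPolicies` nesting (the result of iam:ListAttachedRolePolicies folded under each role) are assumptions made for the illustration, as is the use of `re.match` for the regex op; the semantics implemented follow the documentation above: the key defaults to PolicyName and can be switched to PolicyArn, a list value is a membership test, a string value is an exact match unless an op is given, and a profile with no role never matches.

```python
import fnmatch
import re

# Constructed sample data (names, account id and ARNs are made up). Each role
# carries the managed policies attached to it under "AttachedPolicies".
PROFILES = [
    {
        "InstanceProfileName": "web-profile",
        "Roles": [{
            "RoleName": "web-role",
            "AttachedPolicies": [
                {"PolicyName": "AmazonS3ReadOnlyAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
            ],
        }],
    },
    {
        "InstanceProfileName": "admin-profile",
        "Roles": [{
            "RoleName": "admin-role",
            "AttachedPolicies": [
                {"PolicyName": "admin-policy",
                 "PolicyArn": "arn:aws:iam::123456789012:policy/admin-policy"},
                {"PolicyName": "AmazonS3FullAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
            ],
        }],
    },
    # A profile with no role: treated as not having any policy, whatever the filter.
    {"InstanceProfileName": "empty-profile", "Roles": []},
]


def _match_one(actual, op, value):
    """Compare one policy attribute against the filter value using the given op.

    Only the ops used by the documented examples (plus their negations) are
    implemented here; the real filter supports the full op enum above.
    """
    if op in ("eq", "equal"):
        return actual == value
    if op in ("ne", "not-equal"):
        return actual != value
    if op == "in":
        return actual in value
    if op in ("ni", "not-in"):
        return actual not in value
    if op == "glob":
        return fnmatch.fnmatchcase(actual, value)
    if op == "regex":
        # Assumption: anchored at the start of the string, like re.match.
        return re.match(value, actual) is not None
    if op == "regex-case":
        return re.match(value, actual, re.IGNORECASE) is not None
    raise ValueError(f"op not implemented in this example: {op}")


def has_specific_managed_policy(profiles, value, key="PolicyName", op=None):
    """Return the names of profiles whose role has a matching attached policy.

    - key defaults to PolicyName; pass key="PolicyArn" to match on the ARN.
    - A list value with no explicit op is a membership test (op "in");
      a string value with no explicit op is an exact match (op "eq").
    - A profile with no role contributes nothing and therefore never matches.
    """
    if op is None:
        op = "in" if isinstance(value, list) else "eq"
    matched = []
    for profile in profiles:
        for role in profile.get("Roles", []):
            hits = [p for p in role.get("AttachedPolicies", [])
                    if _match_one(p.get(key, ""), op, value)]
            if hits:
                matched.append(profile["InstanceProfileName"])
                break
    return matched


if __name__ == "__main__":
    print(has_specific_managed_policy(PROFILES, "admin-policy"))
    print(has_specific_managed_policy(
        PROFILES, ["AmazonS3FullAccess", "AWSOrganizationsFullAccess"]))
    print(has_specific_managed_policy(PROFILES, "*FullAccess", op="glob"))
    print(has_specific_managed_policy(
        PROFILES, r"arn:aws:iam::aws:policy/.*FullAccess", key="PolicyArn", op="regex"))
```

Note the difference between the glob on the name and the regex on the ARN: a customer-managed policy named like an AWS-managed one matches the first filter but not the second, because its ARN carries an account id rather than `aws`.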
unused

Filter IAM profiles that are not being used.

Example:

    policies:
      - name: iam-instance-profiles-not-in-use
        resource: iam-profile
        filters:
          - type: unused

Schema:

    properties:
      type:
        enum:
          - unused
    required:
      - type
Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices
used

Filter IAM profiles that are being used.

Example:

    policies:
      - name: iam-instance-profiles-in-use
        resource: iam-profile
        filters:
          - type: used

Schema:

    properties:
      type:
        enum:
          - used
    required:
      - type
Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices
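The two filters above are decided by whether anything in the account still references the profile. The following added Python example, not Custodian's implementation, shows that decision over constructed data for the two reference sources named in the permission list that point directly at instance profiles: EC2 instances (ec2:DescribeInstances, where `IamInstanceProfile` carries an `Arn`) and Auto Scaling launch configurations (autoscaling:DescribeLaunchConfigurations, where `IamInstanceProfile` may hold either the profile name or its ARN). The Lambda, ECS and tagging lookups the real filter also performs are left out of this illustration, and all names, ids and ARNs are made up.

```python
# Constructed sample data shaped like the relevant API responses.
ACCOUNT = "123456789012"


def profile_arn(name):
    """Build an instance profile ARN for the sample account."""
    return f"arn:aws:iam::{ACCOUNT}:instance-profile/{name}"


PROFILES = [
    {"InstanceProfileName": n, "Arn": profile_arn(n)}
    for n in ("web-profile", "batch-profile", "legacy-profile")
]
INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001",
     "IamInstanceProfile": {"Arn": profile_arn("web-profile"), "Id": "AIPAEXAMPLE0001"}},
    {"InstanceId": "i-0a1b2c3d4e5f60002"},  # instance launched without a profile
]
LAUNCH_CONFIGS = [
    # Launch configurations may reference the profile by name rather than ARN.
    {"LaunchConfigurationName": "batch-lc", "IamInstanceProfile": "batch-profile"},
    {"LaunchConfigurationName": "plain-lc"},
]


def referenced_profiles(profiles, instances, launch_configs):
    """Return the set of instance profile ARNs referenced by EC2 instances or
    launch configurations, resolving name references to ARNs."""
    by_name = {p["InstanceProfileName"]: p["Arn"] for p in profiles}
    refs = set()
    for inst in instances:
        arn = inst.get("IamInstanceProfile", {}).get("Arn")
        if arn:
            refs.add(arn)
    for lc in launch_configs:
        ref = lc.get("IamInstanceProfile")
        if not ref:
            continue
        refs.add(ref if ref.startswith("arn:") else by_name.get(ref, ref))
    return refs


def partition_by_usage(profiles, instances, launch_configs):
    """Split profiles into (used, unused) lists of profile names, the same
    partition the 'used' and 'unused' filters select between."""
    refs = referenced_profiles(profiles, instances, launch_configs)
    used = [p["InstanceProfileName"] for p in profiles if p["Arn"] in refs]
    unused = [p["InstanceProfileName"] for p in profiles if p["Arn"] not in refs]
    return used, unused


if __name__ == "__main__":
    used, unused = partition_by_usage(PROFILES, INSTANCES, LAUNCH_CONFIGS)
    print("used:", used)      # ['web-profile', 'batch-profile']
    print("unused:", unused)  # ['legacy-profile']
```

A profile that is referenced only by a launch configuration counts as used even when no instance is currently running from it, which is why an inventory built from ec2:DescribeInstances alone would over-report unused profiles.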
Actions

set-policy

Set a specific IAM policy as attached or detached on an instance profile role. The policy is identified by its ARN. Returns a list of the roles modified by the action.

For example, if you want to automatically attach a single policy while detaching all existing policies:

Example:

    - name: iam-attach-instance-profile-role-policy
      resource: iam-profile
      filters:
        - not:
            - type: has-specific-managed-policy
              value: my-iam-policy
      actions:
        - type: set-policy
          state: attached
          arn: arn:aws:iam::123456789012:policy/my-iam-policy
Schema:

    properties:
      arn:
        type: string
      state:
        enum:
          - attached
          - detached
      type:
        enum:
          - set-policy
    required:
      - state
      - arn
      - type
Permissions - iam:AttachRolePolicy, iam:DetachRolePolicy, iam:ListAttachedRolePolicies
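The following added Python example, not Custodian's own implementation, shows the attach/detach step with the properties a practitioner expects from such an action: it only issues a write when the role is not already in the requested state, it skips profiles that have no role (there is nothing to modify), and it returns the list of modified role names. It runs against an in-memory stand-in for the IAM client whose methods use the same names and keyword arguments as boto3's `iam` client (`list_attached_role_policies`, `attach_role_policy`, `detach_role_policy`), so the same `set_policy` function works unchanged with `boto3.client("iam")`. The profiles, role names and the `AmazonS3ReadOnlyAccess` fixture are constructed; the policy ARN is the one from the page's example.

```python
POLICY_ARN = "arn:aws:iam::123456789012:policy/my-iam-policy"  # from the page's example
OTHER_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"   # constructed fixture

# Constructed instance profiles as the action would receive them.
PROFILES = [
    {"InstanceProfileName": "web-profile", "Roles": [{"RoleName": "web-role"}]},
    {"InstanceProfileName": "admin-profile", "Roles": [{"RoleName": "admin-role"}]},
    {"InstanceProfileName": "empty-profile", "Roles": []},  # no role: nothing to modify
]


class FakeIam:
    """In-memory stand-in for the three IAM calls the action needs (constructed)."""

    def __init__(self, attached):
        # role name -> set of attached managed policy ARNs
        self.attached = {role: set(arns) for role, arns in attached.items()}
        self.calls = []  # record of write calls, for inspection

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [
            {"PolicyArn": arn, "PolicyName": arn.rsplit("/", 1)[-1]}
            for arn in sorted(self.attached[RoleName])]}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("attach", RoleName, PolicyArn))
        self.attached[RoleName].add(PolicyArn)

    def detach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("detach", RoleName, PolicyArn))
        self.attached[RoleName].discard(PolicyArn)


def make_fixture():
    """Fresh fake client: web-role lacks the policy, admin-role already has it."""
    return FakeIam({"web-role": {OTHER_ARN}, "admin-role": {POLICY_ARN}})


def set_policy(iam, profiles, arn, state):
    """Attach or detach the managed policy `arn` on every instance profile role.

    Idempotent: a role already in the requested state is left untouched (no
    write call), and profiles without a role are skipped. Returns the names of
    the roles that were modified.
    """
    if state not in ("attached", "detached"):
        raise ValueError(f"state must be 'attached' or 'detached', got {state!r}")
    modified = []
    for profile in profiles:
        for role in profile.get("Roles", []):
            name = role["RoleName"]
            current = {p["PolicyArn"] for p in
                       iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]}
            if state == "attached" and arn not in current:
                iam.attach_role_policy(RoleName=name, PolicyArn=arn)
                modified.append(name)
            elif state == "detached" and arn in current:
                iam.detach_role_policy(RoleName=name, PolicyArn=arn)
                modified.append(name)
    return modified


if __name__ == "__main__":
    iam = make_fixture()
    print(set_policy(iam, PROFILES, POLICY_ARN, "attached"))  # ['web-role']
    print(set_policy(iam, PROFILES, POLICY_ARN, "attached"))  # [] (already attached)
    print(set_policy(iam, PROFILES, POLICY_ARN, "detached"))  # ['web-role', 'admin-role']
```

Checking the current attachment before writing matters beyond tidiness: it keeps the returned list meaningful as a record of what actually changed, and it avoids the extra write calls that would otherwise show up in CloudTrail on every policy run.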
set-role

Upserts the specified role name on IAM instance profiles. When an empty role name is specified, the profile's role is removed instead.

Example:

    policies:
      - name: iam-instance-profile-set-role
        resource: iam-profile
        actions:
          - type: set-role
            role: my-test-role

Schema:

    properties:
      role:
        type: string
      type:
        enum:
          - set-role
    required:
      - type
Permissions - iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile