aws.iam-profile

Filters

• config-compliance

• event

• finding

• has-specific-managed-policy

• list-item

• ops-item

• reduce

• unused

• used

• value

has-specific-managed-policy

Filter an IAM instance profile that contains an IAM role that has a specific managed IAM

policy. If an IAM instance profile does not contain an IAM role, then it will be treated as not having the policy.

example:

Check for instance profile roles with ‘admin-policy’ attached:

policies:
  - name: iam-profiles-have-admin
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        value: admin-policy

example:

Check for instance profile roles with an attached policy matching a given list:

policies:
  - name: iam-profiles-with-selected-policies
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        value:
          - AmazonS3FullAccess
          - AWSOrganizationsFullAccess

example:

Check for instance profile roles with attached policy names matching a pattern:

policies:
  - name: iam-profiles-with-full-access-policies
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        op: glob
        value: "*FullAccess"

Check for instance profile roles with attached policy ARNs matching a pattern:

policies:
  - name: iam-profiles-with-aws-full-access-policies
    resource: aws.iam-profile
    filters:
      - type: has-specific-managed-policy
        key: PolicyArn
        op: regex
        value: "arn:aws:iam::aws:policy/.*FullAccess"

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - has-specific-managed-policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListAttachedRolePolicies

unused

Filter IAM profiles that are not being used

example:

policies:
  - name: iam-instance-profiles-not-in-use
    resource: iam-profile
    filters:
      - type: unused

properties:
  type:
    enum:
    - unused
required:
- type

Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices

used

Filter IAM profiles that are being used.

example:

policies:
  - name: iam-instance-profiles-in-use
    resource: iam-profile
    filters:
      - type: used

properties:
  type:
    enum:
    - used
required:
- type

Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices

Actions

• invoke-lambda

• invoke-sfn

• notify

• post-finding

• post-item

• put-metric

• set-policy

• set-role

• webhook

set-policy

Set a specific IAM policy as attached or detached on an instance profile role.

You will identify the policy by its arn.

Returns a list of roles modified by the action.

For example, if you want to automatically attach a single policy while detaching all exisitng policies:

example:

- name: iam-attach-instance-profile-role-policy
  resource: iam-profile
  filters:
  - not:
    - type: has-specific-managed-policy
      value: my-iam-policy
  actions:
  - type: set-policy
    state: attached
    arn: arn:aws:iam::123456789012:policy/my-iam-policy

properties:
  arn:
    type: string
  state:
    enum:
    - attached
    - detached
  type:
    enum:
    - set-policy
required:
- state
- arn
- type

Permissions - iam:AttachRolePolicy, iam:DetachRolePolicy, iam:ListAttachedRolePolicies

set-role

Upserts specified role name for IAM instance profiles.

Instance profile roles are removed when empty role name is specified.

example:

policies:
  - name: iam-instance-profile-set-role
    resource: iam-profile
    actions:
        - type: set-role
          role: my-test-role

properties:
  role:
    type: string
  type:
    enum:
    - set-role
required:
- type

Permissions - iam:AddRoleToInstanceProfile, iam:RemoveRoleFromInstanceProfile