aws.iam-role

Filters

cross-account

Check a resource’s embedded IAM policy for cross-account access.

properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - iam:ListRoles
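As an added illustration of what this filter is looking for (example code written for this page, not Cloud Custodian’s own implementation), the function below parses a role’s trust policy, collects every account that the Allow statements grant sts:AssumeRole to, and reports those that are neither the role’s own account nor on the whitelist. The account id, whitelist and sample trust policy are constructed; the `whitelist_from` option in the schema above supplies the same list from a URL instead of inline. A `*` principal is reported even when a Condition narrows it, which is the conservative choice for a detection.

```python
import json

# Constructed sample trust policy (AssumeRolePolicyDocument) with a mix of
# principals: a service, the role's own account, two foreign accounts and '*'.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:role/ci-deployer",
                               "444455556666"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}},
    ],
})


def principal_accounts(principal):
    """Return the account identifiers referenced by a statement's Principal.

    Anonymous access ('*', or AWS: '*') is reported as '*'. Service and
    Federated principals are not account grants and contribute nothing.
    """
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        if value == "*":
            accounts.add("*")
        elif value.startswith("arn:"):
            # arn:partition:iam::account-id:resource -> field 4 is the account id
            accounts.add(value.split(":")[4])
        else:
            # A bare 12-digit account id is also a valid AWS principal
            accounts.add(value)
    return accounts


def cross_account_principals(policy_json, own_account, whitelist=()):
    """Return the sorted foreign principals (account ids or '*') that Allow
    statements in the policy grant access to, ignoring the role's own account
    and any whitelisted accounts. An empty list means no cross-account access."""
    document = json.loads(policy_json)
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    trusted = set(whitelist) | {own_account}
    foreign = set()
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        foreign.update(principal_accounts(statement.get("Principal", {})) - trusted)
    return sorted(foreign)
```

Run against the sample with the role’s own account `123456789012` and account `999988887777` whitelisted, it reports `*` and `444455556666`; a role whose trust policy yields an empty list would not match the filter.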

has-inline-policy

Filter IAM roles that have an inline policy attached.

True: filter roles that have an inline policy
False: filter roles that do not have an inline policy

example:

policies:
  - name: iam-roles-with-inline-policies
    resource: iam-role
    filters:
      - type: has-inline-policy
        value: True
properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type

Permissions - iam:ListRolePolicies

has-specific-managed-policy

Find IAM roles that have a specific policy attached

example:

Check for roles with ‘admin-policy’ attached:

policies:
  - name: iam-roles-have-admin
    resource: aws.iam-role
    filters:
      - type: has-specific-managed-policy
        value: admin-policy
example:

Check for roles with an attached policy matching a given list:

policies:
  - name: iam-roles-with-selected-policies
    resource: aws.iam-role
    filters:
      - type: has-specific-managed-policy
        op: in
        value:
          - AmazonS3FullAccess
          - AWSOrganizationsFullAccess
example:

Check for roles with attached policy names matching a pattern:

policies:
  - name: iam-roles-with-full-access-policies
    resource: aws.iam-role
    filters:
      - type: has-specific-managed-policy
        op: glob
        value: "*FullAccess"

Check for roles with attached policy ARNs matching a pattern:

policies:
  - name: iam-roles-with-aws-full-access-policies
    resource: aws.iam-role
    filters:
      - type: has-specific-managed-policy
        key: PolicyArn
        op: regex
        value: "arn:aws:iam::aws:policy/.*FullAccess"
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - has-specific-managed-policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:ListAttachedRolePolicies

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory
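To show what "a diff exists" means at the leaf level, here is an added example (written for this page, not Cloud Custodian’s json-diff implementation) that walks two JSON-like revisions of a role and lists every path whose value changed, was added or was removed. The two revisions are constructed and abbreviated to the fields that matter, with the trust policy shown as parsed JSON; fetching real revisions from AWS Config is left out.

```python
ABSENT = "<absent>"  # marker for a key or index present on only one side


def json_diff(old, new, path=""):
    """Return a list of (path, old_value, new_value) for every leaf that differs
    between two JSON-like documents. Dict keys are visited in sorted order so
    the output is deterministic; an empty list means the revisions are equal."""
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                changes.append((sub, ABSENT, new[key]))
            elif key not in new:
                changes.append((sub, old[key], ABSENT))
            else:
                changes.extend(json_diff(old[key], new[key], sub))
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            sub = f"{path}[{i}]"
            if i >= len(old):
                changes.append((sub, ABSENT, new[i]))
            elif i >= len(new):
                changes.append((sub, old[i], ABSENT))
            else:
                changes.extend(json_diff(old[i], new[i], sub))
    elif old != new:
        changes.append((path, old, new))
    return changes


def matches_json_diff(previous, current):
    """The filter's decision: the resource matches when any diff exists."""
    return bool(json_diff(previous, current))


# Constructed sample: two revisions of one role. Between them the trust policy
# was changed to name a different account and a tag was added.
PREVIOUS_REVISION = {
    "roleName": "ci-deployer",
    "assumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}],
    },
    "tags": [{"key": "owner", "value": "platform"}],
}
CURRENT_REVISION = {
    "roleName": "ci-deployer",
    "assumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::999988887777:root"}}],
    },
    "tags": [{"key": "owner", "value": "platform"},
             {"key": "temporary", "value": "true"}],
}
```

The changed trust-policy principal surfaces as `assumeRolePolicyDocument.Statement[0].Principal.AWS`, which is the kind of path a reviewer wants to see called out rather than a bare "resource changed".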

no-specific-managed-policy

Filter IAM roles that do not have a specific policy attached

For example, if the user wants to check all roles without ‘ip-restriction’:

example:

policies:
  - name: iam-roles-no-ip-restriction
    resource: iam-role
    filters:
      - type: no-specific-managed-policy
        value: ip-restriction
properties:
  type:
    enum:
    - no-specific-managed-policy
  value:
    type: string
required:
- type

Permissions - iam:ListAttachedRolePolicies
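The has-specific-managed-policy examples above use `key`, `op` and `value` in several combinations, and no-specific-managed-policy is the negated form of the plain name match. The added example below (written for this page, not Cloud Custodian’s filter code) evaluates those combinations against the `AttachedPolicies` shape that iam:ListAttachedRolePolicies returns. The three roles and their policies are constructed; only a subset of the schema’s operators is implemented, and treating `regex` as case-insensitive and `regex-case` as case-sensitive is assumed here to match Cloud Custodian’s convention.

```python
import fnmatch
import re

# Constructed sample: the AttachedPolicies that iam:ListAttachedRolePolicies
# would return for three roles.
ATTACHED_POLICIES = {
    "ci-deployer": [
        {"PolicyName": "AmazonS3FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
        {"PolicyName": "ip-restriction",
         "PolicyArn": "arn:aws:iam::123456789012:policy/ip-restriction"},
    ],
    "admin-break-glass": [
        {"PolicyName": "admin-policy",
         "PolicyArn": "arn:aws:iam::123456789012:policy/admin-policy"},
    ],
    "lambda-reader": [
        {"PolicyName": "read-only-custom",
         "PolicyArn": "arn:aws:iam::123456789012:policy/read-only-custom"},
    ],
}

# A subset of the operators listed in the schema. 'regex' is case-insensitive
# and 'regex-case' is case-sensitive (assumed to follow Custodian's convention).
OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "ne": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    "not-in": lambda actual, expected: actual not in expected,
    "contains": lambda actual, expected: expected in actual,
    "glob": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
    "regex": lambda actual, expected: re.match(expected, actual, re.IGNORECASE) is not None,
    "regex-case": lambda actual, expected: re.match(expected, actual) is not None,
}


def has_specific_managed_policy(attached, value, op="eq", key="PolicyName"):
    """True if any attached policy's `key` attribute matches `value` under `op`.
    With the defaults this is the plain 'value: <name>' form from the examples."""
    return any(OPERATORS[op](policy[key], value) for policy in attached)


def no_specific_managed_policy(attached, value):
    """The negation used by the no-specific-managed-policy filter: the role has
    no attached managed policy named `value`."""
    return not has_specific_managed_policy(attached, value)


def select_roles(roles, value, op="eq", key="PolicyName", negate=False):
    """Names of the roles whose attached policies match (or, with negate, do not)."""
    return sorted(name for name, attached in roles.items()
                  if has_specific_managed_policy(attached, value, op, key) != negate)
```

`select_roles(ATTACHED_POLICIES, "ip-restriction", negate=True)` corresponds to the iam-roles-no-ip-restriction policy above and returns the two roles without that policy; the `op: regex` form with `key: PolicyArn` is what restricts a match to AWS-managed policies, since customer-managed ARNs carry an account id instead of `aws`.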

unused

Filter IAM roles that are either being used or not

This filter has been deprecated. Please use the ‘used’ filter with the ‘state’ attribute to get unused IAM roles.

Checks for usage on EC2, Lambda, ECS only

example:

policies:
  - name: iam-roles-not-in-use
    resource: iam-role
    filters:
      - type: used
        state: false
properties:
  type:
    enum:
    - unused
required:
- type

Permissions - lambda:ListFunctions, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices

used

Filter IAM roles that are either being used or not

Checks for usage on EC2, Lambda, ECS only

example:

policies:
  - name: iam-role-in-use
    resource: iam-role
    filters:
      - type: used
        state: true
properties:
  state:
    type: boolean
  type:
    enum:
    - used
required:
- type

Permissions - lambda:ListFunctions, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices

Actions

delete

Delete an IAM Role.

To delete an IAM role you must first delete the policies that are associated with it, and remove the role from every instance profile it belongs to.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html

The ‘force’ option handles this. When set to ‘true’, the managed policies associated with the role are detached, its inline policies are removed, every instance profile the role is in is removed, and then the role itself is deleted.

For example, to automatically delete an unused IAM role:

example:
- name: iam-delete-unused-role
  resource: iam-role
  filters:
    - type: usage
      match-operator: all
      LastAuthenticated: null
  actions:
    - type: delete
      force: true
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - iam:DeleteRole, iam:DeleteInstanceProfile
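To make the dependency order concrete, here is an added example (written for this page, not Cloud Custodian’s delete action) of the force sequence run against a constructed in-memory stand-in for the boto3 IAM client. The method names, parameter names and response shapes are the real boto3 ones; the `FakeIAM` class, the `unused-role` sample and the RuntimeError it raises in place of boto3’s DeleteConflictException are constructed for the example.

```python
class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client. It exposes only
    the calls the force-delete sequence needs and, like the real service,
    refuses to delete a role that still has dependencies (boto3 raises
    DeleteConflictException; this fake raises RuntimeError)."""

    def __init__(self, attached, inline, profiles):
        self.attached = {r: set(v) for r, v in attached.items()}  # role -> policy ARNs
        self.inline = {r: set(v) for r, v in inline.items()}      # role -> inline policy names
        self.profiles = {r: set(v) for r, v in profiles.items()}  # role -> instance profile names
        self.deleted_profiles = set()
        self.calls = []  # mutating calls, in the order they were made

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": arn.rsplit("/", 1)[-1], "PolicyArn": arn}
                                     for arn in sorted(self.attached[RoleName])]}

    def detach_role_policy(self, RoleName, PolicyArn):
        self.calls.append(("detach_role_policy", PolicyArn))
        self.attached[RoleName].remove(PolicyArn)

    def list_role_policies(self, RoleName):
        return {"PolicyNames": sorted(self.inline[RoleName])}

    def delete_role_policy(self, RoleName, PolicyName):
        self.calls.append(("delete_role_policy", PolicyName))
        self.inline[RoleName].remove(PolicyName)

    def list_instance_profiles_for_role(self, RoleName):
        return {"InstanceProfiles": [{"InstanceProfileName": p}
                                     for p in sorted(self.profiles[RoleName])]}

    def remove_role_from_instance_profile(self, InstanceProfileName, RoleName):
        self.calls.append(("remove_role_from_instance_profile", InstanceProfileName))
        self.profiles[RoleName].remove(InstanceProfileName)

    def delete_instance_profile(self, InstanceProfileName):
        self.calls.append(("delete_instance_profile", InstanceProfileName))
        self.deleted_profiles.add(InstanceProfileName)

    def delete_role(self, RoleName):
        self.calls.append(("delete_role", RoleName))
        if self.attached[RoleName] or self.inline[RoleName] or self.profiles[RoleName]:
            raise RuntimeError("DeleteConflict: %s still has dependencies" % RoleName)
        for table in (self.attached, self.inline, self.profiles):
            del table[RoleName]


def delete_role(iam, role_name, force=False):
    """Delete a role. With force=True, first clear everything the service
    refuses to delete over: detach managed policies, delete inline policies,
    take the role out of its instance profiles and delete those profiles.
    Against the real client the list_* calls paginate; use get_paginator()."""
    if force:
        for policy in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
            iam.detach_role_policy(RoleName=role_name, PolicyArn=policy["PolicyArn"])
        for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
            iam.delete_role_policy(RoleName=role_name, PolicyName=name)
        for profile in iam.list_instance_profiles_for_role(RoleName=role_name)["InstanceProfiles"]:
            pname = profile["InstanceProfileName"]
            iam.remove_role_from_instance_profile(InstanceProfileName=pname, RoleName=role_name)
            iam.delete_instance_profile(InstanceProfileName=pname)
    iam.delete_role(RoleName=role_name)
    return True


def delete_without_force_fails(iam, role_name):
    """Demonstrate the failure mode: a plain delete with dependencies present."""
    try:
        delete_role(iam, role_name)
    except RuntimeError:
        return True
    return False


def sample_iam():
    """A constructed account state: one role carrying every kind of dependency."""
    return FakeIAM(
        attached={"unused-role": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
        inline={"unused-role": ["s3-bucket-access"]},
        profiles={"unused-role": ["unused-role-profile"]},
    )
```

The permissions listed for this action (iam:DeleteRole, iam:DeleteInstanceProfile) correspond to the final two kinds of call in that sequence; the detach and inline-policy deletions need their own IAM permissions in the account running the policy.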

set-boundary

Set an IAM permissions boundary on an IAM role or user.

A role or user can only have a single permission boundary set.

properties:
  policy:
    type: string
  state:
    enum:
    - present
    - absent
  type:
    enum:
    - set-boundary
required:
- type

Permissions - iam:PutRolePermissionsBoundary

set-policy

Set a specific IAM policy as attached or detached on a role.

The policy is identified by its ARN.

Returns a list of roles modified by the action.

For example, to automatically attach a policy to all roles that don’t have it:

example:
- name: iam-attach-role-policy
  resource: iam-role
  filters:
    - type: no-specific-managed-policy
      value: my-iam-policy
  actions:
    - type: set-policy
      state: detached
      arn: "*"
    - type: set-policy
      state: attached
      arn: arn:aws:iam::123456789012:policy/my-iam-policy
properties:
  arn:
    type: string
  state:
    enum:
    - attached
    - detached
  type:
    enum:
    - set-policy
required:
- state
- arn
- type

Permissions - iam:AttachRolePolicy, iam:DetachRolePolicy, iam:ListAttachedRolePolicies