aws.iam-role¶
Filters¶
cross-account¶
Check a resource’s embedded iam policy for cross account access.
properties:
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
required:
- type
Permissions - iam:ListRoles
has-inline-policy¶
Filter IAM roles that have an inline-policy attached True: Filter roles that have an inline-policy False: Filter roles that do not have an inline-policy
- example:
policies:
- name: iam-roles-with-inline-policies
resource: iam-role
filters:
- type: has-inline-policy
value: True
properties:
type:
enum:
- has-inline-policy
value:
type: boolean
required:
- type
Permissions - iam:ListRolePolicies
has-specific-managed-policy¶
Find IAM roles that have a specific policy attached
- example:
Check for roles with ‘admin-policy’ attached:
policies:
- name: iam-roles-have-admin
resource: aws.iam-role
filters:
- type: has-specific-managed-policy
value: admin-policy
- example:
Check for roles with an attached policy matching a given list:
policies:
- name: iam-roles-with-selected-policies
resource: aws.iam-role
filters:
- type: has-specific-managed-policy
op: in
value:
- AmazonS3FullAccess
- AWSOrganizationsFullAccess
- example:
Check for roles with attached policy names matching a pattern:
policies:
- name: iam-roles-with-full-access-policies
resource: aws.iam-role
filters:
- type: has-specific-managed-policy
op: glob
value: "*FullAccess"
Check for roles with attached policy ARNs matching a pattern:
policies:
- name: iam-roles-with-aws-full-access-policies
resource: aws.iam-role
filters:
- type: has-specific-managed-policy
key: PolicyArn
op: regex
value: "arn:aws:iam::aws:policy/.*FullAccess"
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- has-specific-managed-policy
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - iam:ListAttachedRolePolicies
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
no-specific-managed-policy¶
Filter IAM roles that do not have a specific policy attached
For example, if the user wants to check all roles without ‘ip-restriction’:
- example:
policies:
- name: iam-roles-no-ip-restriction
resource: iam-role
filters:
- type: no-specific-managed-policy
value: ip-restriction
properties:
type:
enum:
- no-specific-managed-policy
value:
type: string
required:
- type
Permissions - iam:ListAttachedRolePolicies
unused¶
Filter IAM roles that are either being used or not
This filter has been deprecated. Please use the ‘used’ filter with the ‘state’ attribute to get unused iam roles
Checks for usage on EC2, Lambda, ECS only
- example:
policies:
- name: iam-roles-not-in-use
resource: iam-role
filters:
- type: used
state: false
properties:
type:
enum:
- unused
required:
- type
Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices
used¶
Filter IAM roles that are either being used or not
Checks for usage on EC2, Lambda, ECS only
- example:
policies:
- name: iam-role-in-use
resource: iam-role
filters:
- type: used
state: true
properties:
state:
type: boolean
type:
enum:
- used
required:
- type
Permissions - lambda:ListFunctions, tag:GetResources, lambda:ListTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeTags, ecs:DescribeClusters, ecs:DescribeServices
Actions¶
delete¶
Delete an IAM Role.
To delete IAM Role you must first delete the policies that are associated with the role. Also, you need to remove the role from all instance profiles that the role is in.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html
For this case option ‘force’ is used. If you set it as ‘true’, policies that are associated with the role would be detached (inline policies would be removed) and all instance profiles the role is in would be removed as well as the role.
For example, if you want to automatically delete an unused IAM role.
- example:
- name: iam-delete-unused-role resource: iam-role filters: - type: usage match-operator: all LastAuthenticated: null actions: - type: delete force: true
properties:
force:
type: boolean
type:
enum:
- delete
required:
- type
Permissions - iam:DeleteRole, iam:DeleteInstanceProfile
set-boundary¶
Set IAM Permission boundary on an IAM Role or User.
A role or user can only have a single permission boundary set.
properties:
policy:
type: string
state:
enum:
- present
- absent
type:
enum:
- set-boundary
required:
- type
Permissions - iam:PutRolePermissionsBoundary
set-policy¶
Set a specific IAM policy as attached or detached on a role.
You will identify the policy by its arn.
Returns a list of roles modified by the action.
For example, if you want to automatically attach a policy to all roles which don’t have it…
- example:
- name: iam-attach-role-policy resource: iam-role filters: - type: no-specific-managed-policy value: my-iam-policy actions: - type: set-policy state: detached arn: "*" - type: set-policy state: attached arn: arn:aws:iam::123456789012:policy/my-iam-policy
properties:
arn:
type: string
state:
enum:
- attached
- detached
type:
enum:
- set-policy
required:
- state
- arn
- type
Permissions - iam:AttachRolePolicy, iam:DetachRolePolicy, iam:ListAttachedRolePolicies