aws.iam-role

Filters

cross-account

Check a resource’s embedded IAM policy for cross-account access. For an IAM role the policy examined is the role’s trust policy (AssumeRolePolicyDocument): a role matches when that policy grants access to a principal from an account other than the one being scanned, unless that account is listed in whitelist or in the list fetched with whitelist_from.

properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type
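Two policies showing how the whitelist and whitelist_from properties are used, added here as an example; they are not from this page or from the Cloud Custodian project. The account IDs, the S3 bucket and key, the shape of the JSON document and the expr value are constructed for the illustration.

```yaml
policies:
  # Match roles whose trust policy names a principal outside this account,
  # unless the principal's account is one of the two listed here
  # (constructed account IDs for this example).
  - name: iam-role-cross-account-trust-inline-whitelist
    resource: iam-role
    filters:
      - type: cross-account
        whitelist:
          - "123456789012"
          - "210987654321"

  # Same check, but the allowed accounts are loaded at run time from a
  # JSON document. Assumptions: the bucket and key are hypothetical and the
  # document looks like {"accounts": ["123456789012", "210987654321"]};
  # expr is the expression that pulls the account list out of it.
  - name: iam-role-cross-account-trust-external-whitelist
    resource: iam-role
    filters:
      - type: cross-account
        whitelist_from:
          url: s3://example-security-config/trusted-accounts.json
          format: json
          expr: accounts
```

Keep the whitelist narrow: an account entry allows every principal in that account to appear in a trust policy without the role matching, not one particular role or user.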

has-inline-policy

Filter IAM roles that have an inline policy attached.
True: filter roles that have an inline policy
False: filter roles that do not have an inline policy

example

policies:
  - name: iam-roles-with-inline-policies
    resource: iam-role
    filters:
      - type: has-inline-policy
        value: True
properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type

has-specific-managed-policy

Filter IAM roles that have a specific managed policy attached. The value is the policy name.

For example, to find all roles with ‘admin-policy’ attached:

example

policies:
  - name: iam-roles-have-admin
    resource: iam-role
    filters:
      - type: has-specific-managed-policy
        value: admin-policy
properties:
  type:
    enum:
    - has-specific-managed-policy
  value:
    type: string
required:
- type

no-specific-managed-policy

Filter IAM roles that do not have a specific managed policy attached. The value is the policy name.

For example, to find all roles without ‘ip-restriction’ attached:

example

policies:
  - name: iam-roles-no-ip-restriction
    resource: iam-role
    filters:
      - type: no-specific-managed-policy
        value: ip-restriction
properties:
  type:
    enum:
    - no-specific-managed-policy
  value:
    type: string
required:
- type

unused

Filter IAM roles that are either being used or not.

This filter is deprecated. Use the ‘used’ filter with the ‘state’ attribute set to false to find unused IAM roles, as in the example below.

Checks for usage on EC2, Lambda and ECS only.

example

policies:
  - name: iam-roles-not-in-use
    resource: iam-role
    filters:
      - type: used
        state: false
properties:
  type:
    enum:
    - unused
required:
- type

used

Filter IAM roles that are either being used or not.

Usage is checked against EC2 (instance profiles), Lambda (function execution roles) and ECS only. A role that is used some other way, for example assumed directly with sts:AssumeRole by a user, a CI system or another account, or referenced by another AWS service, is reported as not used. Treat state: false as a list of candidates to review, not as proof that a role is safe to delete.

example

policies:
  - name: iam-role-in-use
    resource: iam-role
    filters:
      - type: used
        state: true
properties:
  state:
    type: boolean
  type:
    enum:
    - used
required:
- type

Actions

delete

Delete an IAM Role.

With force: true the action first removes what would otherwise block deletion: it detaches managed policies, deletes inline policies and removes the role from any instance profiles. Without force, deleting a role that still has policies or an instance profile attached fails.

For example, to automatically delete an IAM role that no service has authenticated with:

example

policies:
  - name: iam-delete-unused-role
    resource: iam-role
    filters:
      - type: usage
        match-operator: all
        LastAuthenticated: null
    actions:
      - type: delete
        force: true
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type
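The same action driven by the used filter documented on this page, added here as an example that is not from the page or from the Cloud Custodian project. The policy name is made up; the --dryrun flag mentioned in the comment is the standard custodian run flag that evaluates filters without executing actions.

```yaml
policies:
  # Delete roles that no EC2 instance profile, Lambda function or ECS task
  # definition references. The used filter checks only those three services,
  # so roles assumed directly via sts:AssumeRole will also match here;
  # run with --dryrun first and review the matched roles before enabling
  # the action.
  - name: iam-delete-roles-not-in-use
    resource: iam-role
    filters:
      - type: used
        state: false
    actions:
      - type: delete
        # detach managed policies, delete inline policies and remove
        # instance-profile membership before the role is deleted
        force: true
```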

set-policy

Set a specific IAM managed policy as attached or detached on a role. Inline policies are not affected.

Identify the policy by its ARN. With state: detached, an arn of "*" detaches every managed policy currently attached to the role.

Returns a list of roles modified by the action.

For example, to detach all managed policies from every role that lacks my-iam-policy and then attach my-iam-policy to those roles:

example

policies:
  - name: iam-attach-role-policy
    resource: iam-role
    filters:
      - type: no-specific-managed-policy
        value: my-iam-policy
    actions:
      - type: set-policy
        state: detached
        arn: "*"
      - type: set-policy
        state: attached
        arn: arn:aws:iam::123456789012:policy/my-iam-policy
properties:
  arn:
    type: string
  state:
    enum:
    - attached
    - detached
  type:
    enum:
    - set-policy
required:
- state
- arn
- type
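Two narrower uses of set-policy, added here as an example that is not from this page or from the Cloud Custodian project: attaching a missing baseline policy without detaching anything else, and detaching one specific policy. The policy names and the account ID reuse the values already used on this page; the policy names in the name fields are made up.

```yaml
policies:
  # Attach a required baseline policy to roles that lack it, leaving the
  # policies they already have in place (the page's own example first
  # detaches everything with arn: "*", which is rarely what you want).
  - name: iam-role-attach-missing-baseline
    resource: iam-role
    filters:
      - type: no-specific-managed-policy
        value: ip-restriction
    actions:
      - type: set-policy
        state: attached
        arn: arn:aws:iam::123456789012:policy/ip-restriction

  # Remove a single forbidden managed policy from every role that has it.
  # Inline policies granting the same permissions are not touched by
  # set-policy; use has-inline-policy to find those separately.
  - name: iam-role-detach-admin-policy
    resource: iam-role
    filters:
      - type: has-specific-managed-policy
        value: admin-policy
    actions:
      - type: set-policy
        state: detached
        arn: arn:aws:iam::123456789012:policy/admin-policy
```

Both filters match on the policy name while the action takes the full ARN, so the name in the filter and the last path segment of the ARN must refer to the same policy.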