aws.iam resources¶
aws.iam-certificate¶
aws.iam-group¶
Filters¶
has-inline-policy¶
Filter IAM groups that have an inline-policy based on a boolean value:
True: filter all groups that have an inline-policy attached
False: filter all groups that do not have an inline-policy attached
- example
 
- name: iam-groups-with-inline-policy
  resource: iam-group
  filters:
    - type: has-inline-policy
      value: True
properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type
has-users¶
Filter IAM groups that have users attached based on a True/False value:
True: filter all IAM groups with users assigned to them
False: filter all IAM groups without any users assigned to them
- example
 
- name: empty-iam-group
  resource: iam-group
  filters:
    - type: has-users
      value: False
properties:
  type:
    enum:
    - has-users
  value:
    type: boolean
required:
- type
aws.iam-policy¶
Filters¶
has-allow-all¶
Check whether IAM policy resources contain an allow-all IAM policy statement block.
This allows users to implement CIS AWS check 1.24, which states that no policy must exist that meets all of the following requirements:
the policy must have ‘Action’ = ‘*’ and ‘Resource’ = ‘*’ with ‘Effect’ = ‘Allow’.
The filter matches a policy containing the following statement, for example:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow"
    }]
}
Additionally, the filter only matches statements that have no ‘Condition’ and no ‘NotAction’.
For example, if the user wants to check all used policies and filter on allow all:
- name: iam-no-used-all-all-policy
  resource: iam-policy
  filters:
    - type: used
    - type: has-allow-all
Note that retrieving and scanning all policies and all of their statements can take a while. Use this filter sparingly, or combine it with filters such as ‘used’ as above.
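The match conditions described above can be mirrored in a few lines of Python. The following is an added example, not Cloud Custodian's own implementation: it treats a policy document as allow-all when any statement has Effect Allow, Action and Resource containing "*", and neither a Condition nor a NotAction. It goes slightly beyond the single case shown on the page by accepting Action and Resource as either a string or a list, and Statement as either one object or a list, both of which IAM permits. The sample policy documents are constructed for this example.

```python
import json

# Constructed sample policy documents for this example; none are from the page
# or from a real account. The first two are allow-all, the rest are near misses
# that must not match.
ALLOW_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
}
ALLOW_ALL_LIST_FORM = {  # single statement object with list-valued fields
    "Version": "2012-10-17",
    "Statement": {"Action": ["*"], "Resource": ["*"], "Effect": "Allow"},
}
SCOPED_BY_CONDITION = {  # same grant, but narrowed by a Condition
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*", "Resource": "*", "Effect": "Allow",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
DENY_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Deny"}],
}
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["s3:Get*", "s3:List*"], "Resource": "*", "Effect": "Allow"}],
}


def _as_list(value):
    """IAM allows many fields to be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_allow_all(stmt):
    """True when one statement grants Action "*" on Resource "*" with Effect
    Allow and is neither narrowed by a Condition nor written with NotAction."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Condition" in stmt or "NotAction" in stmt:
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def has_allow_all(policy_document):
    """True when any statement in the document is allow-all. Accepts a dict or
    the JSON string form in which a policy version document is often handed around."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    return any(statement_is_allow_all(s) for s in _as_list(policy_document.get("Statement")))


if __name__ == "__main__":
    samples = {
        "ALLOW_ALL": ALLOW_ALL, "ALLOW_ALL_LIST_FORM": ALLOW_ALL_LIST_FORM,
        "SCOPED_BY_CONDITION": SCOPED_BY_CONDITION, "DENY_ALL": DENY_ALL, "READ_ONLY": READ_ONLY,
    }
    for name, doc in samples.items():
        print(f"{name}: {'allow-all' if has_allow_all(doc) else 'ok'}")
```

The Condition case is the one worth noticing: a statement that is allow-all in Action and Resource but gated by a condition key is deliberately not reported, which is exactly why the filter's documentation calls out the absence of ‘Condition’ as part of the match.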
properties:
  type:
    enum:
    - has-allow-all
required:
- type
unused¶
Filter IAM policies that are not being used
- example
 
policies:
  - name: iam-policy-unused
    resource: iam-policy
    filters:
      - type: unused
properties:
  type:
    enum:
    - unused
required:
- type
used¶
Filter IAM policies that are being used
- example
 
policies:
  - name: iam-policy-used
    resource: iam-policy
    filters:
      - type: used
properties:
  type:
    enum:
    - used
required:
- type
aws.iam-profile¶
Filters¶
unused¶
Filter IAM profiles that are not being used
- example
 
policies:
  - name: iam-instance-profiles-not-in-use
    resource: iam-profile
    filters:
      - type: unused
properties:
  type:
    enum:
    - unused
required:
- type
used¶
Filter IAM profiles that are being used.
- example
 
policies:
  - name: iam-instance-profiles-in-use
    resource: iam-profile
    filters:
      - type: used
properties:
  type:
    enum:
    - used
required:
- type
aws.iam-role¶
Filters¶
cross-account¶
Check a role’s embedded IAM policy (its trust policy) for cross-account access.
properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type
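As an added illustration of what a cross-account check on a role's trust policy has to do (example code, not Cloud Custodian's filter), the following extracts the account ids from each Allow statement's Principal and reports any that are neither the role's own account nor in a whitelist. The account ids and trust policies are constructed placeholders. A production check would also have to evaluate Condition keys that scope a trust relationship; this example deliberately ignores them and only inspects the Principal element.

```python
# Constructed account ids for this example; they are placeholders, not real accounts.
OWN_ACCOUNT = "111111111111"
WHITELIST = {"222222222222"}  # accounts that are allowed to assume our roles


def trust_policy(principal):
    """Build a minimal sts:AssumeRole trust policy around the given Principal element."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}],
    }


# Constructed sample trust policies (AssumeRolePolicyDocument shapes).
TRUST_SAME_ACCOUNT = trust_policy({"AWS": "arn:aws:iam::111111111111:root"})
TRUST_WHITELISTED = trust_policy({"AWS": ["arn:aws:iam::222222222222:role/deploy"]})
TRUST_UNKNOWN_ACCOUNT = trust_policy({"AWS": "333333333333"})  # bare account id form
TRUST_ANYONE = trust_policy("*")  # anonymous: any principal may assume the role
TRUST_SERVICE = trust_policy({"Service": "ec2.amazonaws.com"})  # service principal, not an account


def _as_list(value):
    """IAM allows many fields to be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_account_ids(principal):
    """Return the set of account ids an IAM Principal element refers to.
    The literal '*' is returned for anonymous access. Service and Federated
    principals are not accounts and contribute nothing."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    ids = set()
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            ids.add("*")
        elif entry.startswith("arn:"):
            # arn:partition:iam::ACCOUNT:resource -> the account id is field 4
            ids.add(entry.split(":")[4])
        elif entry.isdigit() and len(entry) == 12:
            ids.add(entry)
    return ids


def cross_account_principals(policy, own_account, whitelist):
    """Account ids (or '*') granted access by Allow statements that are neither
    own_account nor whitelisted. An empty set means nothing to report."""
    allowed = set(whitelist) | {own_account}
    offenders = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        offenders |= principal_account_ids(stmt.get("Principal", {})) - allowed
    return offenders


if __name__ == "__main__":
    for name, doc in [("same-account", TRUST_SAME_ACCOUNT), ("whitelisted", TRUST_WHITELISTED),
                      ("unknown-account", TRUST_UNKNOWN_ACCOUNT), ("anyone", TRUST_ANYONE),
                      ("service", TRUST_SERVICE)]:
        print(name, cross_account_principals(doc, OWN_ACCOUNT, WHITELIST) or "ok")
```

The `whitelist` property of the filter corresponds to the `WHITELIST` set here; `whitelist_from` in the schema is the same idea with the list loaded from a URL in csv, json or txt form instead of being inlined in the policy.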
has-inline-policy¶
Filter IAM roles that have an inline-policy attached:
True: filter roles that have an inline-policy
False: filter roles that do not have an inline-policy
- example
 
policies:
  - name: iam-roles-with-inline-policies
    resource: iam-role
    filters:
      - type: has-inline-policy
        value: True
properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type
has-specific-managed-policy¶
Filter IAM roles that have a specific policy attached.
For example, if the user wants to check all roles with ‘admin-policy’:
- example
 
policies:
  - name: iam-roles-have-admin
    resource: iam-role
    filters:
      - type: has-specific-managed-policy
        value: admin-policy
properties:
  type:
    enum:
    - has-specific-managed-policy
  value:
    type: string
required:
- type
no-specific-managed-policy¶
Filter IAM roles that do not have a specific policy attached
For example, if the user wants to check all roles without ‘ip-restriction’:
- example
 
policies:
  - name: iam-roles-no-ip-restriction
    resource: iam-role
    filters:
      - type: no-specific-managed-policy
        value: ip-restriction
properties:
  type:
    enum:
    - no-specific-managed-policy
  value:
    type: string
required:
- type
unused¶
Filter IAM roles that are either being used or not.
This filter has been deprecated. Please use the ‘used’ filter with the ‘state’ attribute to get unused IAM roles.
Checks for usage on EC2, Lambda and ECS only.
- example
 
policies:
  - name: iam-roles-not-in-use
    resource: iam-role
    filters:
      - type: used
        state: false
properties:
  type:
    enum:
    - unused
required:
- type
used¶
Filter IAM roles that are either being used or not.
Checks for usage on EC2, Lambda and ECS only.
- example
 
policies:
  - name: iam-role-in-use
    resource: iam-role
    filters:
      - type: used
        state: true
properties:
  state:
    type: boolean
  type:
    enum:
    - used
required:
- type
Actions¶
delete¶
Delete an IAM Role.
For example, to automatically delete an unused IAM role:
- example
- name: iam-delete-unused-role
  resource: iam-role
  filters:
    - type: usage
      match-operator: all
      LastAuthenticated: null
  actions:
    - delete
properties:
  type:
    enum:
    - delete
required:
- type
set-policy¶
Set a specific IAM policy as attached or detached on a role.
The policy is identified by its ARN.
Returns a list of roles modified by the action.
For example, to automatically attach a policy to all roles that don’t have it:
- example
- name: iam-attach-role-policy
  resource: iam-role
  filters:
    - type: no-specific-managed-policy
      value: my-iam-policy
  actions:
    - type: set-policy
      state: attached
      arn: arn:aws:iam::123456789012:policy/my-iam-policy
properties:
  arn:
    type: string
  state:
    enum:
    - attached
    - detached
  type:
    enum:
    - set-policy
required:
- state
- arn
- type
aws.iam-user¶
Filters¶
access-key¶
Filter IAM users based on access-key values
- example
 
policies:
  - name: iam-users-with-active-keys
    resource: iam-user
    filters:
      - type: access-key
        key: Status
        value: Active
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - access-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
credential¶
Use the IAM credential report to filter users.
The IAM credential report aggregates multiple pieces of information on IAM users, which makes it highly efficient for querying multiple aspects of a user that would otherwise require per-user API calls.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
For example, to retrieve all users with MFA who have never used their password but have active access keys used within the last month:
- name: iam-mfa-active-keys-no-login
  resource: iam-user
  filters:
    - type: credential
      key: mfa_active
      value: true
    - type: credential
      key: password_last_used
      value: absent
    - type: credential
      key: access_keys.last_used
      value_type: age
      value: 30
      op: less-than
Credential Report Transforms
We perform some default transformations on the raw credential report: sub-objects (access_key_1, cert_2) are turned into arrays of dictionaries for matching purposes, with their common prefixes stripped; N/A values are turned into None; TRUE/FALSE are turned into boolean values.
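The transforms described above, written out as an added example (not Custodian's own code) over a constructed two-row credential report that uses the column layout AWS documents for the report: N/A becomes None, true/false become booleans, and the access_key_N_* and cert_N_* columns are regrouped into the access_keys and certs arrays with the prefix stripped, so that a dotted key such as access_keys.last_used_date reads one field across every key slot. Report values such as no_information are left as strings; that is this example's assumption rather than something the page states.

```python
import csv
import io
import re

# Constructed credential report (not real data). Column names follow the AWS
# report layout; account id and users are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-01T12:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-01-10T09:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2022-06-01T00:00:00+00:00,false,no_information,not_supported,N/A,false,true,2022-06-01T00:00:00+00:00,N/A,N/A,N/A,true,2022-06-01T00:00:00+00:00,2024-04-30T00:00:00+00:00,eu-west-1,sts,false,N/A,false,N/A
"""

# Sub-object column prefix -> name of the array it is collected into.
SUB_OBJECT_NAMES = {"access_key": "access_keys", "cert": "certs"}
SUB_OBJECT_COLUMN = re.compile(r"^(access_key|cert)_(\d+)_(.+)$")


def convert_scalar(raw):
    """N/A becomes None and TRUE/FALSE (any case) become booleans; everything
    else passes through unchanged."""
    if raw == "N/A":
        return None
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    return raw


def transform_row(row):
    """Apply the report transforms to one csv.DictReader row: convert scalars and
    regroup access_key_N_* / cert_N_* columns into arrays of dicts keyed by the
    column suffix (prefix stripped), ordered by slot number."""
    out, slots = {}, {}
    for column, raw in row.items():
        match = SUB_OBJECT_COLUMN.match(column)
        if match:
            kind, index, field = match.groups()
            slots.setdefault((SUB_OBJECT_NAMES[kind], int(index)), {})[field] = convert_scalar(raw)
        else:
            out[column] = convert_scalar(raw)
    for plural, index in sorted(slots):
        out.setdefault(plural, []).append(slots[(plural, index)])
    return out


def load_report(text):
    """Parse a credential report into {user: transformed record}."""
    return {row["user"]: transform_row(row) for row in csv.DictReader(io.StringIO(text))}


def get_key(record, key):
    """Resolve a filter key: a plain key returns the scalar; a dotted key such as
    access_keys.last_used_date returns that field from every sub-object."""
    if "." not in key:
        return record.get(key)
    plural, field = key.split(".", 1)
    return [obj.get(field) for obj in record.get(plural, [])]


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    for user, record in report.items():
        print(user, "mfa_active:", record["mfa_active"],
              "active keys:", get_key(record, "access_keys.active"))
```

Reading `access_keys.active` as a list is what lets a single credential filter express "has an active access key" without knowing which of the two key slots holds it.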
properties:
  key:
    enum:
    - user
    - arn
    - user_creation_time
    - password_enabled
    - password_last_used
    - password_last_changed
    - password_next_rotation
    - mfa_active
    - access_keys
    - access_keys.active
    - access_keys.last_used_date
    - access_keys.last_used_region
    - access_keys.last_used_service
    - access_keys.last_rotated
    - certs
    - certs.active
    - certs.last_rotated
    title: report key to search
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  report_delay:
    default: 10
    title: Number of seconds to wait for report generation.
    type: number
  report_generate:
    default: true
    title: Generate a report if none is present.
    type: boolean
  report_max_age:
    default: 86400
    title: Number of seconds to consider a report valid.
    type: number
  type:
    enum:
    - credential
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
group¶
Filter IAM users based on attached group values
- example
 
policies:
  - name: iam-users-in-admin-group
    resource: iam-user
    filters:
      - type: group
        key: GroupName
        value: Admins
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - group
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
has-inline-policy¶
Filter IAM users that have an inline-policy attached:
True: filter users that have an inline-policy
False: filter users that do not have an inline-policy
properties:
  type:
    enum:
    - has-inline-policy
  value:
    type: boolean
required:
- type
mfa-device¶
Filter iam-users based on mfa-device status
- example
 
policies:
  - name: mfa-enabled-users
    resource: iam-user
    filters:
      - type: mfa-device
        key: UserName
        value: not-null
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - mfa-device
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
policy¶
Filter IAM users based on attached policy values
- example
 
policies:
  - name: iam-users-with-admin-access
    resource: iam-user
    filters:
      - type: policy
        key: PolicyName
        value: AdministratorAccess
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
Actions¶
delete¶
Delete a user or properties of a user.
For example, if you keep a whitelist of valid (machine-)users and want to ensure that no users have been created ad hoc without documentation.
You can use either the ‘credential’ or the ‘username’ filter. ‘credential’ has an SLA of 4h (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html), but the added benefit of performing fewer API calls, whereas ‘username’ makes more API calls but has the SLA of your cache.
- example
# using a 'credential' filter
- name: iam-only-whitelisted-users
  resource: iam-user
  filters:
    - type: credential
      key: user
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
  actions:
    - delete

# using a 'username' filter with 'UserName'
- name: iam-only-whitelisted-users
  resource: iam-user
  filters:
    - type: value
      key: UserName
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
  actions:
    - delete

# using a 'username' filter with 'Arn'
- name: iam-only-whitelisted-users
  resource: iam-user
  filters:
    - type: value
      key: Arn
      op: not-in
      value:
        - arn:aws:iam::123456789012:user/valid-user-1
        - arn:aws:iam::123456789012:user/valid-user-2
  actions:
    - delete
Additionally, you can specify the options to delete properties of an iam-user, including console-access, access-keys, attached-user-policies, inline-user-policies, mfa-devices, groups, ssh-keys, signing-certificates, and service-specific-credentials.
Note: using options will _not_ delete the user itself, only the items specified by options that are attached to the respective iam-user. To delete a user completely, use the delete action without specifying options.
- example
- name: delete-console-access-unless-valid
  comment: |
    finds iam-users with console access and deletes console access
    unless the username is included in whitelist
  resource: iam-user
  filters:
    - type: username
      key: UserName
      op: not-in
      value:
        - valid-user-1
        - valid-user-2
    - type: credential
      key: Status
      value: Active
  actions:
    - type: delete
      options:
        - console-access

- name: delete-misc-access-for-iam-user
  comment: |
    deletes multiple options from test_user
  resource: iam-user
  filters:
    - UserName: test_user
  actions:
    - type: delete
      options:
        - mfa-devices
        - access-keys
        - ssh-keys
properties:
  options:
    items:
      enum:
      - console-access
      - access-keys
      - attached-user-policies
      - inline-user-policies
      - mfa-devices
      - groups
      - ssh-keys
      - signing-certificates
      - service-specific-credentials
      - user-policies
      type: string
    type: array
  type:
    enum:
    - delete
required:
- type
remove-keys¶
Delete or disable a user’s access keys.
For example, to disable keys after 90 days of non-use and delete them after 180 days of non-use:
- example
- name: iam-mfa-active-key-no-login
  resource: iam-user
  actions:
    - type: remove-keys
      disable: true
      age: 90
    - type: remove-keys
      age: 180
properties:
  age:
    type: number
  disable:
    type: boolean
  matched:
    type: boolean
  type:
    enum:
    - remove-keys
required:
- type