standard
turbot/aws_compliance

Trigger: Detect & correct IAM accounts without support role

Detects IAM accounts that have no support role and then creates a new support role for each of them.

Query

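-- Flag every AWS account that has no IAM role with the AWSSupportAccess policy
-- attached (the CIS "support role" check).
--
-- The support-policy attachments are counted with a FILTER instead of a WHERE
-- clause: filtering rows on the policy name would drop every role/policy row
-- that is *not* the support policy, so an account whose roles all carry only
-- other policies would vanish from the CTE and never be reported.
--
-- Columns returned: title (account id), account_id, conn (Steampipe
-- connection name, used by the corrective pipeline to pick the connection).
with support_role_count as (
  select
    'arn:' || a.partition || ':::' || a.account_id as resource,
    -- Number of role/policy attachments whose policy name is AWSSupportAccess.
    -- Matching on the name (not the full ARN) means a customer-managed policy
    -- called AWSSupportAccess also satisfies the check; tighten to the
    -- managed-policy ARN 'arn:<partition>:iam::aws:policy/AWSSupportAccess'
    -- if only the AWS-managed policy should count.
    count(*) filter (
      where split_part(policy_arn, '/', 2) = 'AWSSupportAccess'
    ) as support_policy_count,
    a.account_id,
    a.sp_connection_name
  from
    aws_account as a
    -- Roles are optional: an account with no roles at all must still be reported.
    left join aws_iam_role as r on r.account_id = a.account_id
    -- One row per attached policy ARN; a role with none (or no role) yields a
    -- single row with a null policy_arn, which the filter above ignores.
    left join jsonb_array_elements_text(r.attached_policy_arns) as policy_arn on true
  group by
    a.account_id,
    a.partition,
    a.sp_connection_name
)
select
  account_id as title,
  account_id,
  sp_connection_name as conn
from
  support_role_count
where
  -- zero support-policy attachments across all of the account's roles
  support_policy_count = 0;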

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/IAM