standard
turbot/aws_compliance

Trigger: Detect & correct IAM users attached with *:* policy

Detects IAM users that have an attached policy allowing `*:*` (all actions on all resources) and then detaches that policy.

Query

-- Currently attached, customer-managed policies that contain at least one
-- Allow statement granting every action on every resource; one row per
-- policy ARN. AWS-managed policies are excluded by `not is_aws_managed`,
-- statement Conditions are not inspected (a conditioned "*" allow still
-- counts), and statements written with NotAction/NotResource are not matched.
-- NOTE(review): assumes policy_std is the normalised policy document, so
-- 'Allow' and '*' compare without case folding -- confirm against the plugin.
with star_star_policy as (
  select
    p.arn,
    count(*) as num_bad_statements
  from
    aws_iam_policy as p
    cross join lateral jsonb_array_elements(p.policy_std -> 'Statement') as stmt
    cross join lateral jsonb_array_elements_text(stmt -> 'Resource') as res
    cross join lateral jsonb_array_elements_text(stmt -> 'Action') as act
  where
    p.is_attached
    and not p.is_aws_managed
    and stmt ->> 'Effect' = 'Allow'
    and res = '*'
    and act in ('*', '*:*')
  group by
    p.arn,
    p.is_aws_managed
)
-- One row per (user, offending policy) pair. Only policies attached directly
-- to the user are examined via attached_policy_arns; attachments inherited
-- through groups or roles and inline user policies are out of scope here.
select distinct
  concat(u.name, '-', attached.policy_arn, ' [', u.account_id, ']') as title,
  attached.policy_arn,
  u.name as user_name,
  u.account_id,
  u.sp_connection_name as conn
from
  aws_iam_user as u
  cross join lateral jsonb_array_elements_text(u.attached_policy_arns) as attached(policy_arn)
  inner join star_star_policy as s
    on s.arn = attached.policy_arn;

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/IAM