standard
turbot/aws_compliance

Trigger: Detect & correct IAM users with unrestricted CloudShellFullAccess policy

Detects IAM users that have the AWS managed AWSCloudShellFullAccess policy attached (which grants unrestricted CloudShell access) and then detaches that policy from each of them.

Query

select
  concat(name, ' [', account_id, ']') as title,
  name as user_name,
  account_id,
  sp_connection_name as conn
from
  aws_iam_user
where
  attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]'
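The query's WHERE clause uses the PostgreSQL jsonb containment operator `@>`, so a user matches whenever the managed policy ARN appears anywhere in the `attached_policy_arns` array. The following Python is an added example, not code from the turbot/aws_compliance mod: it reproduces the detection predicate over a constructed set of rows shaped like the `aws_iam_user` columns the query reads, projects the same four columns, and then performs the correction step by calling `detach_user_policy` (the boto3 IAM method with `UserName` and `PolicyArn` keyword arguments) on an injected client. The sample rows and the `RecordingIamClient` stand-in are constructed for offline use; the functions `detect` and `correct` and the `dry_run` flag are names chosen here, not part of the mod.

```python
"""Added example (not part of the turbot/aws_compliance mod): mirror the
detection query over constructed IAM user rows, then detach the policy."""

CLOUDSHELL_FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"
READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"

# Constructed sample rows with the aws_iam_user columns the query reads.
SAMPLE_USERS = [
    {"name": "alice", "account_id": "111111111111", "sp_connection_name": "aws_prod",
     "attached_policy_arns": [CLOUDSHELL_FULL_ACCESS_ARN, READ_ONLY_ARN]},
    {"name": "bob", "account_id": "111111111111", "sp_connection_name": "aws_prod",
     "attached_policy_arns": [READ_ONLY_ARN]},
    {"name": "carol", "account_id": "222222222222", "sp_connection_name": "aws_dev",
     "attached_policy_arns": [CLOUDSHELL_FULL_ACCESS_ARN]},
    {"name": "dave", "account_id": "222222222222", "sp_connection_name": "aws_dev",
     "attached_policy_arns": None},  # user with no attached policies
]


def detect(users, policy_arn=CLOUDSHELL_FULL_ACCESS_ARN):
    """Equivalent of the WHERE clause: jsonb '@>' containment on
    attached_policy_arns. Returns rows with the columns the query projects."""
    findings = []
    for u in users:
        if policy_arn in (u.get("attached_policy_arns") or []):
            findings.append({
                "title": f"{u['name']} [{u['account_id']}]",
                "user_name": u["name"],
                "account_id": u["account_id"],
                "conn": u["sp_connection_name"],
            })
    return findings


def correct(findings, iam_client, policy_arn=CLOUDSHELL_FULL_ACCESS_ARN, dry_run=True):
    """Correction step: detach the policy from each detected user.
    iam_client is any object exposing boto3's IAM
    detach_user_policy(UserName=..., PolicyArn=...) method (a real client in
    production). With dry_run=True only the planned actions are returned."""
    actions = []
    for f in findings:
        actions.append((f["user_name"], policy_arn))
        if not dry_run:
            iam_client.detach_user_policy(UserName=f["user_name"], PolicyArn=policy_arn)
    return actions


class RecordingIamClient:
    """Constructed stand-in for a boto3 IAM client: records calls instead of
    contacting AWS, so the example runs offline."""

    def __init__(self):
        self.calls = []

    def detach_user_policy(self, UserName, PolicyArn):
        self.calls.append((UserName, PolicyArn))
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    found = detect(SAMPLE_USERS)
    for row in found:
        print("detected:", row["title"], "via connection", row["conn"])
    client = RecordingIamClient()
    for user, arn in correct(found, client, dry_run=False):
        print("detached", arn, "from", user)
```

In the mod the `conn` column (Steampipe's `sp_connection_name`) tells the correction pipeline which connection's credentials to run the detach under, which matters when the query spans several accounts; the example carries it through the findings for the same reason. Running `correct` with the default `dry_run=True` first is the cheap way to review what a 15-minute schedule would change before enabling the detach.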

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/IAM