A Config rule that that none of your IAM users, groups, or roles (excluding exceptionList) have the specified policies attached.

This config rule supports the following parameters:

  • policyArns
    • Required: Yes
    • Type: CSV
    • Description:Comma separated list of IAM policy arns which should not be attached to any IAM entity.
    • Default Value: arn:aws:iam::aws:policy/AdministratorAccess
  • exceptionList
    • Required: No
    • Type: CSV
    • Description:Comma separated list of resourcetypes and list of resource name pairs. (for example, users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3]).

ConfigRule
AWS::Config::ConfigRule


Scope

ComplianceResourceTypes

Source *
CustomPolicyDetails
SourceDetails

CloudFormation Template

Share Template