Guided Walkthroughs
Step-by-step configuration wizards for your environment
Dedicated Security Account
AWS Backup Strategy
VPC Connectivity Setup
Automated Patching
All Guides
CloudFormation guard rules template for IAM resources
The following rules are included:
IAM Policies:
IAM Roles/Users/Groups:
let iam_groups = Resources.*[
Type == "AWS::IAM::Group"
]
let iam_roles = Resources.*[
Type == "AWS::IAM::Role"
]
let iam_users = Resources.*[
Type == "AWS::IAM::User"
]
let iam_policies = Resources.*[
Type == "AWS::IAM::Policy"
]
let iam_managedpolicies = Resources.*[
Type == "AWS::IAM::ManagedPolicy"
]
rule iam_policy_full_admin when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM policy found that allows full administrator permissions '*:*>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows full administrator permissions '*:*>>
}
}
}
}
}
rule iam_policy_sts_assume when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted sts:AssumeRole>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
rule iam_policy_iam_passrole when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted iam:PassRole>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted iam:PassRole>>
}
}
}
}
}
rule iam_policy_s3_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted s3:*>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted s3:*>>
}
}
}
}
}
rule iam_policy_iam_sensitive when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM policy found that allows access to sensitive IAM actions>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM managed policy found that allows access to sensitive IAM actions>>
}
}
}
}
}
rule iam_policy_s3_readallaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
rule iam_policy_lambda_invoke_all when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
rule iam_policy_secretsmanager_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
rule iam_role_assume_public when %iam_roles !empty {
%iam_roles {
Properties {
AssumeRolePolicyDocument {
Statement.*[
Effect == "Allow"
Principal == "*" OR some Principal.AWS[*] == "*"
] empty <<IAM Role can be assumed publicly>>
}
}
}
}
rule iam_user_attached_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_users !empty {
%iam_users {
Properties {
ManagedPolicyArns !exists <<ManagedPolicyArns found with IAM user>>
Policies !exists <<Policies found with IAM user>>
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
Users !exists <<IAM user found with policy>>
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
Users !exists <<IAM user found with managed policy>>
}
}
}
}
rule iam_group_user_role_no_inline_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
Policies !exists <<Inline policies found with IAM Group>>
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
Policies !exists <<Inline policies found with IAM Role>>
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
Policies !exists <<Inline policies found with IAM user>>
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
Groups !exists <<IAM Groups found with inline policy>>
Roles !exists <<IAM Roles found with inline policy>>
Users !exists <<IAM Users found with inline policy>>
}
}
}
}