Guided Walkthroughs
Step-by-step configuration wizards for your environment
Dedicated Security Account
AWS Backup Strategy
VPC Connectivity Setup
Automated Patching
All Guides
Guided Walkthroughs
Configuration Packages
AI CloudAdvisor (Beta)
By Implementation
By Service Protected
Reference Guides
Other
Guided Walkthroughs
Configuration Packages
AI CloudAdvisor (Beta)
Configuration Stack0
By Service Protected
By Implementation
Service Control Policies
Config Rules
Auto Remediation Rules
Conformance Packs
Amazon GuardDuty
Amazon Inspector
AWS Security Hub
AWS Network Firewall
Route53 Resolver Security
Amazon Macie
S3 Bucket Policies
CloudWatch Alarms and Event Rules
AWS WAF
AWS Secrets Manager
AWS Systems Manager
Security Groups & NACLs
AWS KMS
AWS SSO
IAM Policies
VPC Endpoint Policies
CloudFormation Guard Rules
Load Balancers
RDS Event Subscriptions
AWS Resource Access Manager (RAM)Reference Guides
Other
CloudFormation Guard Rules
Cloudformation Guard Rules for AWS IAM
CloudFormation guard rules template for IAM resources
The following rules are included:
IAM Policies:
- No Full Admin Access (*:*)
- No Unrestricted STS AssumeRole Access
- No Unrestricted IAM PassRole Access
- No Unrestricted Full S3 Access
- No Unrestricted Sensitive IAM Access
- No Unrestricted Read S3 Access
- No Unrestricted Lambda Invoke Access
- No Unrestricted Secrets Manager Full Access
IAM Roles/Users/Groups:
- No IAM Roles with Public Trust Policy
- No IAM Policies Directly Attached to IAM Users
- No Inline IAM Policies (Users and Groups)
CloudFormation Validation Tool: Syntax and Security validation for your templates online
let iam_groups = Resources.*[
Type == "AWS::IAM::Group"
]
let iam_roles = Resources.*[
Type == "AWS::IAM::Role"
]
let iam_users = Resources.*[
Type == "AWS::IAM::User"
]
let iam_policies = Resources.*[
Type == "AWS::IAM::Policy"
]
let iam_managedpolicies = Resources.*[
Type == "AWS::IAM::ManagedPolicy"
]
rule iam_policy_full_admin when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM policy found that allows full administrator permissions '*:*>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows full administrator permissions '*:*>>
}
}
}
}
}
rule iam_policy_sts_assume when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted sts:AssumeRole>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
rule iam_policy_iam_passrole when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted iam:PassRole>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted iam:PassRole>>
}
}
}
}
}
rule iam_policy_s3_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted s3:*>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted s3:*>>
}
}
}
}
}
rule iam_policy_iam_sensitive when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM policy found that allows access to sensitive IAM actions>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM managed policy found that allows access to sensitive IAM actions>>
}
}
}
}
}
rule iam_policy_s3_readallaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
rule iam_policy_lambda_invoke_all when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
rule iam_policy_secretsmanager_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
rule iam_role_assume_public when %iam_roles !empty {
%iam_roles {
Properties {
AssumeRolePolicyDocument {
Statement.*[
Effect == "Allow"
Principal == "*" OR some Principal.AWS[*] == "*"
] empty <<IAM Role can be assumed publicly>>
}
}
}
}
rule iam_user_attached_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_users !empty {
%iam_users {
Properties {
ManagedPolicyArns !exists <<ManagedPolicyArns found with IAM user>>
Policies !exists <<Policies found with IAM user>>
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
Users !exists <<IAM user found with policy>>
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
Users !exists <<IAM user found with managed policy>>
}
}
}
}
rule iam_group_user_role_no_inline_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
Policies !exists <<Inline policies found with IAM Group>>
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
Policies !exists <<Inline policies found with IAM Role>>
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
Policies !exists <<Inline policies found with IAM user>>
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
Groups !exists <<IAM Groups found with inline policy>>
Roles !exists <<IAM Roles found with inline policy>>
Users !exists <<IAM Users found with inline policy>>
}
}
}
}
Actions
Customize Template
* Required field
Upgrade to Premium for More Features
Configuration Packages
Pre-built packages for common configuration
Common SCPs
CloudFormation Guard Rules
Auto Remediation Rules
IAM Monitoring & Compliance
All Packages
Automated Assessments
- 350+ security checks
- Well-architected reviews
- Detailed compliance reports
- Remediation templates
- Email summaries
- Learn more