Guided Walkthroughs

Configuration Packages

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSAWS SSOIAM PoliciesVPC Endpoint PoliciesCloudFormation Guard RulesLoad BalancersRDS Event SubscriptionsAWS Resource Access Manager (RAM)

By Service Protected

Reference Guides

Other

CloudFormation Guard Rules

Cloudformation Guard Rules for AWS IAM

CloudFormation guard rules template for IAM resources

The following rules are included: 

IAM Policies:

  • No Full Admin Access (*:*)
  • No Unrestricted STS AssumeRole Access
  • No Unrestricted IAM PassRole Access
  • No Unrestricted Full S3 Access
  • No Unrestricted Sensitive IAM Access
  • No Unrestricted Read S3 Access
  • No Unrestricted Lambda Invoke Access
  • No Unrestricted Secrets Manager Full Access

IAM Roles/Users/Groups:

  • No IAM Roles with Public Trust Policy
  • No IAM Policies Directly Attached to IAM Users
  • No Inline IAM Policies (Users and Groups)
CloudFormation Validation Tool: Syntax and Security validation for your templates online

let iam_groups = Resources.*[
	Type == "AWS::IAM::Group"
]

let iam_roles = Resources.*[
	Type == "AWS::IAM::Role"
]

let iam_users = Resources.*[
	Type == "AWS::IAM::User"
]

let iam_policies = Resources.*[
	Type == "AWS::IAM::Policy"
]

let iam_managedpolicies = Resources.*[
	Type == "AWS::IAM::ManagedPolicy"
]

rule iam_policy_full_admin when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "*"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows full administrator permissions '*:*>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "*"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows full administrator permissions '*:*>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "*"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows full administrator permissions '*:*>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "*"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows full administrator permissions '*:*>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "*"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows full administrator permissions '*:*>>
				}
			}
		}
	}
}

rule iam_policy_sts_assume when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "sts:AssumeRole"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows unrestricted sts:AssumeRole>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "sts:AssumeRole"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows unrestricted sts:AssumeRole>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "sts:AssumeRole"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows unrestricted sts:AssumeRole>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "sts:AssumeRole"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows unrestricted sts:AssumeRole>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "sts:AssumeRole"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows unrestricted sts:AssumeRole>>
				}
			}
		}
	}
}

rule iam_policy_iam_passrole when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "iam:PassRole"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows unrestricted iam:PassRole>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "iam:PassRole"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows unrestricted iam:PassRole>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "iam:PassRole"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows unrestricted iam:PassRole>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "iam:PassRole"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows unrestricted iam:PassRole>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "iam:PassRole"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows unrestricted iam:PassRole>>
				}
			}
		}
	}
}

rule iam_policy_s3_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "s3:*"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows unrestricted s3:*>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "s3:*"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows unrestricted s3:*>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "s3:*"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows unrestricted s3:*>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "s3:*"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows unrestricted s3:*>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "s3:*"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows unrestricted s3:*>>
				}
			}
		}
	}
}

rule iam_policy_iam_sensitive when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows access to sensitive IAM actions>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows access to sensitive IAM actions>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows access to sensitive IAM actions>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
						some Resource[*] == "*"
					] empty <<IAM policy found that allows access to sensitive IAM actions>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows access to sensitive IAM actions>>
				}
			}
		}
	}
}

rule iam_policy_s3_readallaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "s3:GetObject"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows unrestricted S3 GetObject access to all buckets>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "s3:GetObject"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows unrestricted S3 GetObject access to all buckets>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "s3:GetObject"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows unrestricted S3 GetObject access to all buckets>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "s3:GetObject"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows unrestricted S3 GetObject access to all buckets>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "s3:GetObject"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows unrestricted S3 GetObject access to all buckets>>
				}
			}
		}
	}
}

rule iam_policy_lambda_invoke_all when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "lambda:InvokeFunction"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "lambda:InvokeFunction"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "lambda:InvokeFunction"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "lambda:InvokeFunction"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows unrestricted Lambda Invoke Function to all functions>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "lambda:InvokeFunction"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows unrestricted Lambda Invoke Function to all functions>>
				}
			}
		}
	}
}

rule iam_policy_secretsmanager_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "secretsmanager:GetSecretValue"
								some Resource[*] == "*"
							] empty <<IAM group were found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
						}
					}
				}
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "secretsmanager:GetSecretValue"
								some Resource[*] == "*"
							] empty <<IAM role found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
						}
					}
				}
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				when Policies exists {
					Policies.* {
						PolicyDocument {
							Statement.*[
								Effect == "Allow"
								some Action[*] == "secretsmanager:GetSecretValue"
								some Resource[*] == "*"
							] empty <<IAM user found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
						}
					}
				}
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "secretsmanager:GetSecretValue"
						some Resource[*] == "*"
					] empty <<IAM policy found that allows unrestricted secretsmanager:GetSecretValue>>
				}
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				PolicyDocument {
					Statement.*[
						Effect == "Allow"
						some Action[*] == "secretsmanager:GetSecretValue"
						some Resource[*] == "*"
					] empty <<IAM managed policy found that allows unrestricted secretsmanager:GetSecretValue>>
				}
			}
		}
	}
}

rule iam_role_assume_public when %iam_roles !empty {
	%iam_roles {
		Properties {
			AssumeRolePolicyDocument {
				Statement.*[
					Effect == "Allow"
					Principal == "*" OR some Principal.AWS[*] == "*"
				] empty <<IAM Role can be assumed publicly>>
			}
		}
	}
}

rule iam_user_attached_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_users !empty {
		%iam_users {
			Properties {
				ManagedPolicyArns !exists <<ManagedPolicyArns found with IAM user>>
				Policies !exists <<Policies found with IAM user>>
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				Users !exists <<IAM user found with policy>>
			}
		}
	}

	when %iam_managedpolicies !empty {
		%iam_managedpolicies {
			Properties {
				Users !exists <<IAM user found with managed policy>>
			}
		}
	}
}

rule iam_group_user_role_no_inline_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
	when %iam_groups !empty {
		%iam_groups {
			Properties {
				Policies !exists <<Inline policies found with IAM Group>>
			}
		}
	}
	
	when %iam_roles !empty {
		%iam_roles {
			Properties {
				Policies !exists <<Inline policies found with IAM Role>>
			}
		}
	}

	when %iam_users !empty {
		%iam_users {
			Properties {
				Policies !exists <<Inline policies found with IAM user>>
			}
		}
	}

	when %iam_policies !empty {
		%iam_policies {
			Properties {
				Groups !exists <<IAM Groups found with inline policy>>
				Roles !exists <<IAM Roles found with inline policy>>
				Users !exists <<IAM Users found with inline policy>>
			}
		}
	}
}


Actions



Customize Template

* Required field

Upgrade to Premium for More Features
Sign up

Guided Walkthroughs
Step-by-step configuration wizards for your environment
Dedicated Security Account
AWS Backup Strategy
VPC Connectivity Setup
Automated Patching
All Guides
Configuration Packages
Pre-built packages for common configuration
Common SCPs
CloudFormation Guard Rules
Auto Remediation Rules
IAM Monitoring & Compliance
All Packages
Automated Assessments
  • 350+ security checks
  • Well-architected reviews
  • Detailed compliance reports
  • Remediation templates
  • Email summaries
  • Learn more