You must be logged in to view saved presets
Cloudformation Guard Rules for AWS IAM
CloudFormation guard rules template for IAM resources
The following rules are included:
IAM Policies:
- No Full Admin Access (*:*)
- No Unrestricted STS AssumeRole Access
- No Unrestricted IAM PassRole Access
- No Unrestricted Full S3 Access
- No Unrestricted Sensitive IAM Access
- No Unrestricted Read S3 Access
- No Unrestricted Lambda Invoke Access
- No Unrestricted Secrets Manager Full Access
IAM Roles/Users/Groups:
- No IAM Roles with Public Trust Policy
- No IAM Policies Directly Attached to IAM Users
- No Inline IAM Policies (Users and Groups)
let iam_groups = Resources.*[
Type == "AWS::IAM::Group"
]
let iam_roles = Resources.*[
Type == "AWS::IAM::Role"
]
let iam_users = Resources.*[
Type == "AWS::IAM::User"
]
let iam_policies = Resources.*[
Type == "AWS::IAM::Policy"
]
let iam_managedpolicies = Resources.*[
Type == "AWS::IAM::ManagedPolicy"
]
rule iam_policy_full_admin when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows full administrator permissions '*:*>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM policy found that allows full administrator permissions '*:*>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "*"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows full administrator permissions '*:*>>
}
}
}
}
}
rule iam_policy_sts_assume when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted sts:AssumeRole>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "sts:AssumeRole"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted sts:AssumeRole>>
}
}
}
}
}
rule iam_policy_iam_passrole when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted iam:PassRole>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted iam:PassRole>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "iam:PassRole"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted iam:PassRole>>
}
}
}
}
}
rule iam_policy_s3_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted s3:*>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted s3:*>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:*"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted s3:*>>
}
}
}
}
}
rule iam_policy_iam_sensitive when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows access to sensitive IAM actions>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM policy found that allows access to sensitive IAM actions>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] IN ["iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:CreatePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup"]
some Resource[*] == "*"
] empty <<IAM managed policy found that allows access to sensitive IAM actions>>
}
}
}
}
}
rule iam_policy_s3_readallaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "s3:GetObject"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted S3 GetObject access to all buckets>>
}
}
}
}
}
rule iam_policy_lambda_invoke_all when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "lambda:InvokeFunction"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted Lambda Invoke Function to all functions>>
}
}
}
}
}
rule iam_policy_secretsmanager_allaccess when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM group were found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM role found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
when Policies exists {
Policies.* {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM user found with a policy that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM policy found that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
PolicyDocument {
Statement.*[
Effect == "Allow"
some Action[*] == "secretsmanager:GetSecretValue"
some Resource[*] == "*"
] empty <<IAM managed policy found that allows unrestricted secretsmanager:GetSecretValue>>
}
}
}
}
}
rule iam_role_assume_public when %iam_roles !empty {
%iam_roles {
Properties {
AssumeRolePolicyDocument {
Statement.*[
Effect == "Allow"
Principal == "*" OR some Principal.AWS[*] == "*"
] empty <<IAM Role can be assumed publicly>>
}
}
}
}
rule iam_user_attached_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_users !empty {
%iam_users {
Properties {
ManagedPolicyArns !exists <<ManagedPolicyArns found with IAM user>>
Policies !exists <<Policies found with IAM user>>
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
Users !exists <<IAM user found with policy>>
}
}
}
when %iam_managedpolicies !empty {
%iam_managedpolicies {
Properties {
Users !exists <<IAM user found with managed policy>>
}
}
}
}
rule iam_group_user_role_no_inline_policies when %iam_groups !empty OR %iam_roles !empty OR %iam_users !empty OR %iam_policies !empty OR %iam_managedpolicies !empty{
when %iam_groups !empty {
%iam_groups {
Properties {
Policies !exists <<Inline policies found with IAM Group>>
}
}
}
when %iam_roles !empty {
%iam_roles {
Properties {
Policies !exists <<Inline policies found with IAM Role>>
}
}
}
when %iam_users !empty {
%iam_users {
Properties {
Policies !exists <<Inline policies found with IAM user>>
}
}
}
when %iam_policies !empty {
%iam_policies {
Properties {
Groups !exists <<IAM Groups found with inline policy>>
Roles !exists <<IAM Roles found with inline policy>>
Users !exists <<IAM Users found with inline policy>>
}
}
}
}
Actions
Customize Template
* Required field
© 2024 asecurecloud. All rights reserved.