turbot/aws_compliance

Query: ec2_instance_no_iam_role_attached_with_credentials_exposure_access

Usage

powerpipe query aws_compliance.query.ec2_instance_no_iam_role_attached_with_credentials_exposure_access

SQL

with iam_roles as (
select
r.arn as role_arn,
i.arn as intance_arn
from
aws_iam_role as r,
jsonb_array_elements_text(instance_profile_arns) as p
left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
where
i.arn is not null
), iam_role_with_permission as (
select
arn
from
aws_iam_role,
jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
jsonb_array_elements_text(s -> 'Action') as action
where
arn in (select role_arn from iam_roles)
and s ->> 'Effect' = 'Allow'
and service = 'ec2.amazonaws.com'
and action in (
'chime:createapikey', 'codepipeline:pollforjobs', 'cognito-identity:getopenidtoken', 'cognito-identity:getopenidtokenfordeveloperidentity', 'cognito-identity:getcredentialsforidentity', 'connect:getfederationtoken', 'connect:getfederationtokens', 'ec2:getpassworddata', 'ecr:getauthorizationtoken', 'gamelift:requestuploadcredentials', 'iam:createaccesskey', 'iam:createloginprofile', 'iam:createservicespecificcredential', 'iam:resetservicespecificcredential', 'iam:updateaccesskey', 'lightsail:getinstanceaccessdetails', 'lightsail:getrelationaldatabasemasteruserpassword', 'rds-db:connect', 'redshift:getclustercredentials', 'sso:getrolecredentials', 'mediapackage:rotatechannelcredentials', 'mediapackage:rotateingestendpointcredentials', 'sts:assumerole', 'sts:assumerolewithsaml', 'sts:assumerolewithwebidentity', 'sts:getfederationtoken', 'sts:getsessiontoken','*:*'
)
)
select
i.arn as resource,
case
when p.arn is null then 'ok'
else 'alarm'
end status,
case
when p.arn is null then title || ' has no IAM role attached with credentials exposure permissions.'
else title || ' has IAM role attached with credentials exposure permissions.'
end as reason
, i.account_id
from
aws_ec2_instance as i
left join iam_roles as r on r.intance_arn = i.arn
left join iam_role_with_permission as p on p.arn = r.role_arn;

Controls

The query is being used by the following controls: