turbot/aws_compliance

Query: iam_user_group_role_cloudshell_fullaccess_restricted

Usage

powerpipe query aws_compliance.query.iam_user_group_role_cloudshell_fullaccess_restricted

SQL

select
arn as resource,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
else 'ok'
end status,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.'
else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.'
end as reason
, account_id
from
aws_iam_user
union
select
arn as resource,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
else 'ok'
end status,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.'
else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.'
end as reason
, account_id
from
aws_iam_role
union
select
arn as resource,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
else 'ok'
end status,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.'
else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.'
end as reason
, account_id
from
aws_iam_group;

Controls

The query is being used by the following controls: