Control: EC2 instance IAM role should not allow management level access

powerpipe control run aws_compliance.control.ec2_instance_no_iam_role_with_management_level_access

powerpipe login
powerpipe control run aws_compliance.control.ec2_instance_no_iam_role_with_management_level_access --share

with iam_roles as (
  select
    r.arn as role_arn,
    i.arn as intance_arn
  from
    aws_iam_role as r,
    jsonb_array_elements_text(instance_profile_arns) as p
    left join aws_ec2_instance as i on p = i.iam_instance_profile_arn
  where
    i.arn is not null
), iam_role_with_permission as (
  select
    arn
  from
    aws_iam_role,
    jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,
    jsonb_array_elements_text(s -> 'Action') as action
  where
    arn in (select role_arn from iam_roles)
    and  s ->> 'Effect' = 'Allow'
    and service = 'ec2.amazonaws.com'
    and (
      (action in ('iam:attachgrouppolicy', 'iam:attachrolepolicy', 'iam:attachuserpolicy', 'iam:createpolicy', 'iam:createpolicyversion', 'iam:deleteaccountpasswordpolicy', 'iam:deletegrouppolicy', 'iam:deletepolicy', 'iam:deletepolicyversion', 'iam:deleterolepermissionsboundary', 'iam:deleterolepolicy', 'iam:deleteuserpermissionsboundary', 'iam:deleteuserpolicy', 'iam:detachgrouppolicy', 'iam:detachrolepolicy', 'iam:detachuserpolicy', 'iam:putgrouppolicy', 'iam:putrolepermissionsboundary', 'iam:putrolepolicy', 'iam:putuserpermissionsboundary', 'iam:putuserpolicy','iam:setdefaultpolicyversion','iam:updateassumerolerolicy', '*:*')
      )
    )
)
select
  i.arn as resource,
  case
    when p.arn is null then 'ok'
    else 'alarm'
  end status,
  case
    when p.arn is null then title || ' has no management level access.'
    else title || ' has management level access.'
  end as reason
  
  , i.account_id
from
  aws_ec2_instance as i
  left join iam_roles as r on r.intance_arn = i.arn
  left join iam_role_with_permission as p on p.arn = r.role_arn;