Control: IAM unattached custom policy should not have statements with admin access
Description
AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_custom_policy_unattached_no_star_starSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.iam_custom_policy_unattached_no_star_star --shareSQL
This control uses a named query:
with bad_policies as ( select arn, count(*) as num_bad_statements from aws_iam_policy, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Resource') as resource, jsonb_array_elements_text(s -> 'Action') as action where not is_aws_managed and not is_attached and s ->> 'Effect' = 'Allow' and resource = '*' and ( (action = '*' or action = '*:*' ) ) group by arn)select p.arn as resource, case when bad.arn is null then 'ok' else 'alarm' end status, p.name || ' contains ' || coalesce(bad.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' as reason , p.account_idfrom aws_iam_policy as p left join bad_policies as bad on p.arn = bad.arnwhere not p.is_aws_managed and not is_attached;