Control: IAM roles should not have any assume role policies attached
Description
Policies that allow role assumption (sts:AssumeRole) can grant access to roles in external AWS accounts.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_policy_custom_no_assume_role
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_policy_custom_no_assume_role --share
SQL
This control uses a named query:
with filter_users as (
  select
    user_id,
    name,
    policies
  from
    aws_iam_user,
    jsonb_array_elements_text(inline_policies) as policies
  where
    policies like '%AssumeRole%'
)
select
  u.arn as resource,
  case
    when fu.user_id is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when fu.user_id is not null then u.name || ' custom policies allow STS Role assumption.'
    else u.name || ' custom policies does not allow STS Role assumption.'
  end as reason,
  u.region,
  u.account_id
from
  aws_iam_user as u
  left join filter_users as fu on u.user_id = fu.user_id
order by
  u.name;
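The query above flags a user whenever the text of any inline policy contains the substring AssumeRole. As an added example (not code from the AWS Compliance mod), the Python below applies the same alarm/ok logic to constructed aws_iam_user-shaped records, but evaluates the policy statements instead of matching text: only Allow statements count, and wildcards such as sts:* or an Allow with NotAction are recognised. The sample users, account IDs and policy names are made up, and the {"PolicyName", "PolicyDocument"} wrapper shape of inline_policies entries is an assumption; sql_style_match reproduces the LIKE '%AssumeRole%' filter so the two approaches can be compared.

```python
"""Evaluate IAM users' inline policies for STS role-assumption grants.

Added example, not code from the Steampipe/Powerpipe AWS Compliance mod.
SAMPLE_USERS is constructed to resemble aws_iam_user rows (arn, name,
user_id, inline_policies, region, account_id); nothing here queries AWS.
"""
import fnmatch
import json

# The sts:AssumeRole family, lower-cased because IAM action names are
# matched case-insensitively.
ASSUME_ROLE_ACTIONS = (
    "sts:assumerole",
    "sts:assumerolewithsaml",
    "sts:assumerolewithwebidentity",
)


def _as_list(value):
    """IAM allows Statement, Action and NotAction to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_document(entry):
    """Accept a bare policy document, a JSON string, or the assumed
    {"PolicyName": ..., "PolicyDocument": ...} wrapper."""
    doc = entry.get("PolicyDocument", entry) if isinstance(entry, dict) else entry
    return json.loads(doc) if isinstance(doc, str) else doc


def _covers(pattern: str, action_name: str) -> bool:
    """Does an IAM action pattern such as 'sts:*' or '*' cover action_name?"""
    return fnmatch.fnmatchcase(action_name, pattern.lower())


def sql_style_match(entry) -> bool:
    """Mimic the control's filter: policy text LIKE '%AssumeRole%'.
    LIKE is case-sensitive and ignores Effect, so a Deny matches too."""
    return "AssumeRole" in json.dumps(_policy_document(entry))


def policy_allows_assume_role(entry) -> bool:
    """True if some Allow statement grants any sts:AssumeRole* action,
    via an explicit action, a wildcard, or an Allow with NotAction that
    does not exclude the whole AssumeRole family."""
    for stmt in _as_list(_policy_document(entry).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if any(_covers(pattern, name) for name in ASSUME_ROLE_ACTIONS):
                return True
        if "NotAction" in stmt:
            # Allow + NotAction grants everything that is not listed.
            excluded = _as_list(stmt["NotAction"])
            for name in ASSUME_ROLE_ACTIONS:
                if not any(_covers(p, name) for p in excluded):
                    return True
    return False


def evaluate_user(user: dict) -> dict:
    """Produce the control's resource/status/reason row for one user."""
    offending = [p for p in user.get("inline_policies") or []
                 if policy_allows_assume_role(p)]
    verb = "allow" if offending else "do not allow"
    return {
        "resource": user["arn"],
        "status": "alarm" if offending else "ok",
        "reason": f"{user['name']} custom policies {verb} STS Role assumption.",
        "region": user.get("region"),
        "account_id": user.get("account_id"),
    }


# Constructed sample data: not real accounts, users or policies.
_ACCT = "111122223333"


def _user(name, *policies):
    return {
        "arn": f"arn:aws:iam::{_ACCT}:user/{name}", "name": name,
        "user_id": f"AIDAEXAMPLE{name.upper()}", "region": "global",
        "account_id": _ACCT, "inline_policies": list(policies) or None,
    }


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


SAMPLE_USERS = [
    _user("deploy-bot", {"PolicyName": "cross-account", "PolicyDocument": _doc(
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::999988887777:role/Deploy"})}),
    _user("reader", {"PolicyName": "deny-assume", "PolicyDocument": _doc(
        {"Effect": "Deny", "Action": ["sts:AssumeRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"})}),
    _user("sts-wildcard", {"PolicyName": "sts-all", "PolicyDocument": _doc(
        {"Effect": "Allow", "Action": "sts:*", "Resource": "*"})}),
    _user("no-inline"),
]


def run_control(users=None) -> list:
    """Evaluate every user, ordered by name like the query's ORDER BY u.name."""
    users = SAMPLE_USERS if users is None else users
    return [evaluate_user(u) for u in sorted(users, key=lambda u: u["name"])]


if __name__ == "__main__":
    for row in run_control():
        print(row["status"].ljust(5), row["reason"])
```

On the sample data the two approaches disagree in both directions: the reader user's Deny statement satisfies the substring filter without granting anything, while the sts-wildcard user's sts:* grant never mentions AssumeRole and so passes the substring filter despite allowing role assumption. Deciding which behaviour you want is the point of reading the query before relying on the control.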