turbot/steampipe-mod-aws-compliance

Control: IAM policy should be in use

Description

This control checks whether the IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_policy_unused

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_policy_unused --share

SQL

This control uses a named query:

with in_use_policies as (
  -- Policies attached directly to a user
  select
    attached_policy_arns
  from
    aws_iam_user
  union
  -- Policies attached to a group that has at least one member
  select
    attached_policy_arns
  from
    aws_iam_group
  where
    jsonb_array_length(users) > 0
  union
  -- Policies attached to a role
  select
    attached_policy_arns
  from
    aws_iam_role
)
select
  arn as resource,
  case
    when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then 'ok'
    else 'alarm'
  end as status,
  case
    when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then title || ' in use.'
    else title || ' not in use.'
  end as reason,
  account_id
from
  aws_iam_policy;
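
To see how the control classifies the edge cases (a group with no members, a policy attached to nothing), the following fixture is an added example, not part of the mod: it builds plain Postgres temp tables with the same column names the query reads (the table shapes, policy names and account id are constructed assumptions) and runs the control query over them, so StaleAdmin and EmptyGroupOnly come back 'alarm' and the other two 'ok'.

```sql
-- Constructed fixture tables mimicking the Steampipe columns the control reads
-- (assumption: ordinary Postgres temp tables, not Steampipe's foreign tables).
create temp table aws_iam_user   (name text, attached_policy_arns jsonb);
create temp table aws_iam_group  (name text, users jsonb, attached_policy_arns jsonb);
create temp table aws_iam_role   (name text, attached_policy_arns jsonb);
create temp table aws_iam_policy (arn text, title text, account_id text);

insert into aws_iam_policy (arn, title, account_id) values
  ('arn:aws:iam::123456789012:policy/AuditReadOnly',  'AuditReadOnly',  '123456789012'),
  ('arn:aws:iam::123456789012:policy/DeployApp',      'DeployApp',      '123456789012'),
  ('arn:aws:iam::123456789012:policy/StaleAdmin',     'StaleAdmin',     '123456789012'),
  ('arn:aws:iam::123456789012:policy/EmptyGroupOnly', 'EmptyGroupOnly', '123456789012');

-- A user with one policy attached directly.
insert into aws_iam_user values
  ('alice', '["arn:aws:iam::123456789012:policy/AuditReadOnly"]'::jsonb);

-- "devs" has a member, so its attachment counts; "legacy" has none, so the
-- control treats EmptyGroupOnly as unused even though it is attached.
insert into aws_iam_group values
  ('devs',   '["bob"]'::jsonb, '["arn:aws:iam::123456789012:policy/DeployApp"]'::jsonb),
  ('legacy', '[]'::jsonb,      '["arn:aws:iam::123456789012:policy/EmptyGroupOnly"]'::jsonb);

-- Any role counts, whatever its trust policy contains.
insert into aws_iam_role values
  ('ci-deploy', '["arn:aws:iam::123456789012:policy/DeployApp"]'::jsonb);

-- The control's query, unchanged apart from an order by, run against the fixture.
with in_use_policies as (
  select attached_policy_arns from aws_iam_user
  union
  select attached_policy_arns from aws_iam_group where jsonb_array_length(users) > 0
  union
  select attached_policy_arns from aws_iam_role
)
select
  arn as resource,
  case
    when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then 'ok'
    else 'alarm'
  end as status,
  case
    when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then title || ' in use.'
    else title || ' not in use.'
  end as reason,
  account_id
from aws_iam_policy
order by status, resource;
```

Note that the role branch of the query counts every role, so the description's "one or more trusted entities" condition is not enforced by the SQL itself; a policy attached only to a role nobody can assume still reports 'ok'.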

Tags