Control: Ensure IAM role not attached with AdministratorAccess policy
Description
AWS IAM roles should not have the AdministratorAccess managed policy attached.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_role_no_administrator_access_policy_attached
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_role_no_administrator_access_policy_attached --share
SQL
This control uses a named query:
with admin_roles as (
  select
    arn,
    name,
    attachments
  from
    aws_iam_role,
    jsonb_array_elements_text(attached_policy_arns) as attachments
  where
    split_part(attachments, '/', 2) = 'AdministratorAccess'
)
select
  r.arn as resource,
  case
    when ar.arn is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when ar.arn is not null then r.name || ' has AdministratorAccess policy attached.'
    else r.name || ' does not have AdministratorAccess policy attached.'
  end as reason,
  r.region,
  r.account_id
from
  aws_iam_role as r
  left join admin_roles ar on r.arn = ar.arn
order by
  r.name;
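As an added example (not the control's own code), the same evaluation logic in Python over constructed role records shaped like aws_iam_role rows. It also shows a strict variant that matches on the last ARN segment, so a customer-managed policy named AdministratorAccess created under an IAM path (for example .../policy/team/AdministratorAccess) is flagged too, whereas the query's split_part(attachments, '/', 2) returns the path segment for such an ARN and reports the role as ok. The account id 123456789012 is a placeholder.

```python
# Added example: mirrors the control's evaluation outside the database.
# Role records are constructed sample data in the shape of aws_iam_role rows.
ADMIN_POLICY_NAME = "AdministratorAccess"

SAMPLE_ROLES = [  # constructed; 123456789012 is a placeholder account id
    {"arn": "arn:aws:iam::123456789012:role/OpsAdmin", "name": "OpsAdmin",
     "attached_policy_arns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
     "region": "global", "account_id": "123456789012"},
    {"arn": "arn:aws:iam::123456789012:role/ReadOnlyAuditor", "name": "ReadOnlyAuditor",
     "attached_policy_arns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
     "region": "global", "account_id": "123456789012"},
    {"arn": "arn:aws:iam::123456789012:role/TeamAdmin", "name": "TeamAdmin",
     # customer-managed policy created under the IAM path /team/
     "attached_policy_arns": ["arn:aws:iam::123456789012:policy/team/AdministratorAccess"],
     "region": "global", "account_id": "123456789012"},
]

def policy_name_split_part(arn: str) -> str:
    """Mirror PostgreSQL split_part(arn, '/', 2): the second '/'-separated field,
    so a path-qualified ARN ('.../policy/team/AdministratorAccess') yields 'team'."""
    parts = arn.split("/")
    return parts[1] if len(parts) > 1 else ""

def policy_name_last_segment(arn: str) -> str:
    """Stricter variant: the name after the last '/', so path-qualified policies match too."""
    return arn.rsplit("/", 1)[-1]

def evaluate_role(role: dict, strict: bool = False) -> dict:
    """Produce one result row (resource, status, reason, region, account_id) like the control."""
    name_of = policy_name_last_segment if strict else policy_name_split_part
    has_admin = any(name_of(a) == ADMIN_POLICY_NAME for a in role["attached_policy_arns"])
    verb = "has" if has_admin else "does not have"
    return {
        "resource": role["arn"],
        "status": "alarm" if has_admin else "ok",
        "reason": f"{role['name']} {verb} {ADMIN_POLICY_NAME} policy attached.",
        "region": role["region"],
        "account_id": role["account_id"],
    }

def evaluate_roles(roles, strict: bool = False) -> list:
    """Evaluate every role, ordered by role name as the query's ORDER BY r.name does."""
    return [evaluate_role(r, strict) for r in sorted(roles, key=lambda r: r["name"])]

if __name__ == "__main__":
    for row in evaluate_roles(SAMPLE_ROLES):
        print(row["status"], row["reason"])
```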