Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: Ensure IAM role not attached with Administratoraccess policy

Description

AWS IAM role should not be attached Administratoraccess policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_role_no_administrator_access_policy_attached

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_role_no_administrator_access_policy_attached --share

SQL

This control uses a named query:

with admin_roles as (
  select
    arn,
    name,
    attachments
  from
    aws_iam_role,
    jsonb_array_elements_text(attached_policy_arns) as attachments
  where
    split_part(attachments, '/', 2) = 'AdministratorAccess'
)
select
  r.arn as resource,
  case
    when ar.arn is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when ar.arn is not null then r.name || ' have AdministratorAccess policy attached.'
    else r.name || ' does not have AdministratorAccess policy attached.'
  end as reason
  
  , r.account_id
from
  aws_iam_role as r
  left join admin_roles ar on r.arn = ar.arn
order by
  r.name;

Tags

category = Compliance
plugin = aws
service = AWS/IAM