#
# This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
#
# Ensure one or several specific IAM policies exist
# Description: Checks that the IAM policies named in the rule parameter exist in AWS IAM.
#
# Trigger Type: Periodic
# Scope of Changes: N/A
# Required Parameter name: PoliciesToCheck
# Required Parameter value example: policy-name1,policy-name2 (separate multiple policy names with a ",")
import boto3
import json
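def evaluate_compliance(rule_parameters, account_id, client=None):
    """Check that every policy named in ``PoliciesToCheck`` exists in the account.

    Args:
        rule_parameters: The Config rule parameters dict. ``PoliciesToCheck``
            holds a comma-separated list of customer-managed policy names;
            whitespace around a name and empty entries (e.g. a trailing
            comma) are ignored.
        account_id: The account whose ``arn:aws:iam::<account>:policy/<name>``
            ARNs are looked up.
        client: Optional IAM client, mainly for testing; a boto3 ``iam``
            client is created when omitted.

    Returns:
        ``"COMPLIANT"`` when every listed policy exists, otherwise
        ``"NON_COMPLIANT"`` (also when the parameter is missing or names
        no policy at all).

    Raises:
        Any IAM error other than ``NoSuchEntityException`` (access denied,
        throttling, ...) propagates, so a misconfigured rule or Lambda role
        surfaces as an invocation error instead of a silent NON_COMPLIANT
        verdict for every policy.
    """
    raw_names = (rule_parameters or {}).get("PoliciesToCheck", "")
    names = [name.strip() for name in raw_names.split(",") if name.strip()]
    if not names:
        print("No IAM policy defined in parameter")
        return "NON_COMPLIANT"

    if client is None:
        client = boto3.client("iam")
    missing = 0
    for name in names:
        # NOTE(review): partition is hard-coded to "aws"; accounts in other
        # partitions (aws-cn, aws-us-gov) would need a different ARN prefix.
        policy_arn = "arn:aws:iam::%s:policy/%s" % (account_id, name)
        print(policy_arn)
        try:
            client.get_policy(PolicyArn=policy_arn)
        except client.exceptions.NoSuchEntityException:
            # Only "policy does not exist" is a finding; other failures are
            # errors in the rule's own setup and are left to propagate.
            missing += 1
    return "COMPLIANT" if missing == 0 else "NON_COMPLIANT"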
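def lambda_handler(event, context):
    """Entry point for the periodic AWS Config rule.

    Reads the account id, invoking event and rule parameters from ``event``,
    evaluates compliance for the whole account and reports the verdict back
    to AWS Config via ``put_evaluations``.

    Args:
        event: The AWS Config invocation event (``accountId``,
            ``invokingEvent``, optional ``ruleParameters`` and
            ``resultToken``).
        context: Lambda context object; unused.
    """
    account_id = event["accountId"]
    invoking_event = json.loads(event["invokingEvent"])
    print(invoking_event)
    # ruleParameters is absent when the rule is configured without parameters;
    # treat that like an empty parameter set instead of failing on KeyError.
    rule_parameters = json.loads(event.get("ruleParameters", "{}"))
    # Use the fallback token here rather than indexing event["resultToken"]
    # directly in the API call, which raised KeyError when it was absent.
    result_token = event.get("resultToken", "No token found.")
    compliance_type = evaluate_compliance(rule_parameters, account_id)
    config = boto3.client("config")
    config.put_evaluations(
        Evaluations=[
            {
                "ComplianceResourceType": "AWS::::Account",
                "ComplianceResourceId": account_id,
                "ComplianceType": compliance_type,
                "OrderingTimestamp": invoking_event["notificationCreationTime"],
            },
        ],
        ResultToken=result_token,
    )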