
IAM AdministratorAccess managed policy rule #293

Merged (5 commits), Oct 15, 2019

Conversation

mcahill7 (Contributor)

PR for Look for AdministratorAccess managed policy in IAM Role #75

@mcahill7 mcahill7 assigned ghost Oct 15, 2019
end

def rule_id
  'W25'

W25 used to be something I forgot... probably something with security groups that got collapsed. Can you bump this to something higher? W38 maybe?


def audit_impl(cfn_model)
  violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
    violating_policies = role.managedPolicyArns.select do |policy|

This is fine, but you could just do a "find" instead: quit after the first one, since it only takes one to violate.

      "Action": ["sts:AssumeRole"]
    } ]
  },
  "ManagedPolicyArns" : [ "arn:aws:iam::aws:policy/AdministratorAccess" ]

This is likely good enough given how much other testing there is against IAM roles, but generally I would suggest also including a "positive" test whereby you prove the rule/violation won't be triggered.
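The two review points above (stop at the first matching ARN instead of collecting them all, and pair the violating fixture with a compliant template that proves the rule stays quiet) are illustrated below in a stand-alone Ruby sketch added here for the reader. It is not cfn_nag's code: `TinyCfnModel` and `IamRole` are constructed stand-ins that mimic only the `resources_by_type` and `managedPolicyArns` names used in the PR, the real model classes are richer, and both templates are constructed inputs.

```ruby
require 'json'

# Constructed stand-ins for the objects the real rule receives (assumptions for this
# example, not cfn_nag's classes). They carry only what the check needs: the logical
# id and the ManagedPolicyArns list, under the names used in the PR.
IamRole = Struct.new(:logical_resource_id, :managedPolicyArns)

class TinyCfnModel
  def initialize(template_json)
    @resources = JSON.parse(template_json).fetch('Resources', {})
  end

  # Every resource of the requested CloudFormation type, as IamRole structs.
  # Array() turns a missing ManagedPolicyArns property into [] so the rule never
  # has to special-case roles that attach no managed policies.
  def resources_by_type(type)
    @resources.select { |_id, res| res['Type'] == type }.map do |id, res|
      IamRole.new(id, Array(res.dig('Properties', 'ManagedPolicyArns')))
    end
  end
end

ADMIN_POLICY_ARN = 'arn:aws:iam::aws:policy/AdministratorAccess'.freeze

# Logical ids of roles that attach the AdministratorAccess managed policy.
# any? stops at the first match, which is the reviewer's point: one ARN is
# enough to violate, so collecting every offending ARN with select is wasted work.
# Non-string entries (e.g. a {"Ref": ...} intrinsic) never equal the literal ARN
# and are therefore not flagged; a production rule has to resolve those first.
def admin_access_roles(cfn_model)
  cfn_model.resources_by_type('AWS::IAM::Role')
           .select { |role| role.managedPolicyArns.any? { |arn| arn == ADMIN_POLICY_ARN } }
           .map(&:logical_resource_id)
end

# Constructed template modelled on the PR's fixture: one role with AdministratorAccess.
VIOLATING_TEMPLATE = <<~JSON
  {
    "Resources": {
      "AdminRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ { "Effect": "Allow",
                             "Principal": { "Service": ["ec2.amazonaws.com"] },
                             "Action": ["sts:AssumeRole"] } ]
          },
          "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
        }
      }
    }
  }
JSON

# Constructed template for the "positive" case the reviewer asks for: a role with a
# narrower managed policy, a role with none, and a non-role resource that must be ignored.
COMPLIANT_TEMPLATE = <<~JSON
  {
    "Resources": {
      "ReadOnlyRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
          "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [] },
          "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]
        }
      },
      "InlineOnlyRole": {
        "Type": "AWS::IAM::Role",
        "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [] } }
      },
      "Bucket": { "Type": "AWS::S3::Bucket" }
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  puts "violating: #{admin_access_roles(TinyCfnModel.new(VIOLATING_TEMPLATE)).inspect}" # ["AdminRole"]
  puts "compliant: #{admin_access_roles(TinyCfnModel.new(COMPLIANT_TEMPLATE)).inspect}" # []
end
```

The compliant template is the part worth keeping in a real rule's spec: without it, a check that accidentally flags every role (for instance by testing `managedPolicyArns.any?` with no ARN comparison) would still pass the violating-fixture test.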

@ghost ghost left a comment

small nits

@mcahill7 mcahill7 requested a review from a user October 15, 2019 17:40
@ghost ghost merged commit 02e487c into master Oct 15, 2019
@mcahill7 mcahill7 deleted the iam_administrator_access_role branch October 15, 2019 18:01
This pull request was closed.