class IamRolePassRoleWildcardResourceRule
Constants
- IAM_ACTION_PATTERNS
Public Instance Methods
audit_impl(cfn_model)
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 22
# Returns the logical ids of every AWS::IAM::Role whose policy objects contain
# at least one statement that both names a PassRole-type action (exact
# membership in IAM_ACTION_PATTERNS) and lists the bare '*' resource.
#
# Why this matters: iam:PassRole on Resource '*' lets the principal hand any
# role in the account to a service, so a principal that can only start e.g. a
# compute workload can have it run under a far more privileged role. Scoping
# Resource to the specific role ARNs the workload needs removes that path.
#
# NOTE(review): only statements reachable via role.policy_objects are examined,
# and the statement's Effect is not consulted here — confirm upstream filtering
# if Deny statements should not be counted as violations.
#
# @param cfn_model [CfnModel] parsed template model
# @return [Array<String>] logical resource ids of the violating roles (may be empty)
def audit_impl(cfn_model)
  roles = cfn_model.resources_by_type('AWS::IAM::Role')
  offending = roles.select do |role|
    role.policy_objects.any? do |policy|
      policy.policy_document.statements.any? do |statement|
        passrole_action?(statement) && wildcard_resource?(statement)
      end
    end
  end
  offending.map(&:logical_resource_id)
end
rule_id()
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 18
# Stable identifier under which this rule's findings are reported (and can be
# suppressed by users of the scanner).
#
# @return [String] the rule id 'F38'
def rule_id
  'F38'
end
rule_text()
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 10
# Human-readable description of the finding, shown alongside the rule id in
# the scan output.
#
# @return [String]
def rule_text
  'IAM role should not allow * resource with PassRole action on its permissions policy'
end
rule_type()
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 14
# Severity reported for matches: a failing violation rather than a warning,
# because an unscoped PassRole grant is a direct privilege-escalation path.
#
# @return [Violation::FAILING_VIOLATION]
def rule_type
  Violation::FAILING_VIOLATION
end
Private Instance Methods
passrole_action?(statement)
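# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 37
# True when any of the statement's actions is an exact (case-sensitive) member
# of IAM_ACTION_PATTERNS. Wildcard action forms such as 'iam:*' are only
# detected if the constant lists them explicitly — presumably it does; verify
# against the constant when extending it.
#
# Returns a real boolean (any?) instead of the matched action (find) so the
# predicate contract is honoured; callers only use it in boolean context.
#
# @param statement [Statement] a policy statement exposing #actions
# @return [Boolean]
def passrole_action?(statement)
  statement.actions.any? { |action| IAM_ACTION_PATTERNS.include?(action) }
end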
wildcard_resource?(statement)
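# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 41
# True when the statement's resource list contains the bare '*' resource.
# Partially wildcarded ARNs (e.g. 'arn:aws:iam::*:role/*') are not flagged by
# this check — it looks only for the literal '*'.
#
# Returns a real boolean (any?) instead of the matched element (find) so the
# predicate contract is honoured; callers only use it in boolean context.
#
# @param statement [Statement] a policy statement exposing #resources
# @return [Boolean]
def wildcard_resource?(statement)
  statement.resources.any? { |resource| resource == '*' }
end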