class IamRoleElevatedManagedPolicyRule

Public Instance Methods

audit_impl(cfn_model) click to toggle source
# File lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb, line 26
def audit_impl(cfn_model)
  violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
    includes_elevated_policy(role)
  end
  violating_roles.map(&:logical_resource_id)
end
includes_elevated_policy(role) click to toggle source
# File lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb, line 19
def includes_elevated_policy(role)
  role.managedPolicyArns.find do |policy|
    policy.include?('arn:aws:iam::aws:policy/PowerUserAccess') ||
      policy.include?('arn:aws:iam::aws:policy/IAMFullAccess')
  end
end
rule_id() click to toggle source
# File lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb, line 15
def rule_id
  'W44'
end
rule_text() click to toggle source
# File lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb, line 7
def rule_text
  'IAM role should not have Elevated Managed policy'
end
rule_type() click to toggle source
# File lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb, line 11
def rule_type
  Violation::WARNING
end