class IamRolePassRoleWildcardResourceRule

Constants

IAM_ACTION_PATTERNS

Public Instance Methods

audit_impl(cfn_model) click to toggle source
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 22
def audit_impl(cfn_model)
  violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
    violating_policies = role.policy_objects.select do |policy|
      violating_statements = policy.policy_document.statements.select do |statement|
        passrole_action?(statement) && wildcard_resource?(statement)
      end
      !violating_statements.empty?
    end
    !violating_policies.empty?
  end
  violating_roles.map(&:logical_resource_id)
end
rule_id() click to toggle source
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 18
def rule_id
  'F38'
end
rule_text() click to toggle source
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 10
def rule_text
  'IAM role should not allow * resource with PassRole action on its permissions policy'
end
rule_type() click to toggle source
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 14
def rule_type
  Violation::FAILING_VIOLATION
end

Private Instance Methods

passrole_action?(statement) click to toggle source
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 37
def passrole_action?(statement)
  statement.actions.find { |action| IAM_ACTION_PATTERNS.include? action }
end
wildcard_resource?(statement) click to toggle source
# File lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb, line 41
def wildcard_resource?(statement)
  statement.resources.find { |resource| resource == '*' }
end