AWS Config Rules: IAM Policy Blacklisted Check

IAM_POLICY_BLACKLISTED_CHECK

Eduardo Van Cauteren

Last Update 2 days ago

Description: Checks each AWS Identity and Access Management (IAM) resource to determine whether a policy Amazon Resource Name (ARN) given in the input parameter is attached to it. The rule is NON_COMPLIANT if the policy ARN is attached to the IAM resource.


Trigger type: Configuration changes


AWS Region: All supported AWS regions


How to Resolve Manually

This Config Rule checks each AWS IAM resource, whether a user, group or role, to determine if one of the specified policies is attached to it. If one of the blacklisted policies is found attached to a resource, that resource is marked as non-compliant.


For this rule to work, you need to define the forbidden policies in the StackZone Console first. To do so, go to Baseline Services > Config Rules Global > IAM, enable the IAM Policy Blacklisted Check Config Rule and then define the Policy ARNs you want this rule to evaluate. Use the following screenshot as a visual reference:

Once the rule has been deployed to AWS, resolve a non-compliant resource by removing the blacklisted policy from the User, Group or Role. Since this might break functionality or access, evaluate the change carefully in advance.


If removing the policy isn't feasible because the resource would lose access it needs, create a new policy with only the necessary permissions, attach it, and then remove the former policy.
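As an added example (not StackZone's or AWS's code), the following Python script performs the remediation described above: it uses the IAM ListEntitiesForPolicy API to find every user, group and role that has a blacklisted policy attached (the same condition the Config rule flags), turns each finding into the matching DetachUserPolicy, DetachGroupPolicy or DetachRolePolicy call, and executes those calls only when dry-run is switched off, so the access impact can be reviewed first. The blacklist ARNs, the entity names and the FakeIam client are constructed so the script runs offline; with boto3 installed and credentials configured you would pass boto3.client("iam") instead.

```python
"""Find IAM users, groups and roles with a blacklisted policy attached and plan the
detach calls that bring them back to COMPLIANT. Added example, not StackZone's code.
The IAM client is injected so the logic runs offline against FakeIam below."""

# Constructed sample blacklist: the ARNs a StackZone user would enter in the console.
BLACKLISTED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AdministratorAccess",        # real AWS managed policy
    "arn:aws:iam::123456789012:policy/LegacyFullAccess",  # constructed customer policy
]

# IAM entity type -> (boto3 IAM client method, name parameter) used to detach.
DETACH_API = {
    "user": ("detach_user_policy", "UserName"),
    "group": ("detach_group_policy", "GroupName"),
    "role": ("detach_role_policy", "RoleName"),
}


def find_non_compliant(iam, blacklist):
    """Return [(entity_type, name, policy_arn)] for every blacklisted attachment.
    list_entities_for_policy is paginated by IAM, so the Marker loop is needed."""
    findings = []
    for arn in blacklist:
        kwargs = {"PolicyArn": arn}
        while True:
            page = iam.list_entities_for_policy(**kwargs)
            for u in page.get("PolicyUsers", []):
                findings.append(("user", u["UserName"], arn))
            for g in page.get("PolicyGroups", []):
                findings.append(("group", g["GroupName"], arn))
            for r in page.get("PolicyRoles", []):
                findings.append(("role", r["RoleName"], arn))
            if not page.get("IsTruncated"):
                break
            kwargs["Marker"] = page["Marker"]
    return findings


def plan_detach(findings):
    """Translate findings into (method_name, kwargs) calls; nothing is changed yet."""
    plan = []
    for entity_type, name, arn in findings:
        method, name_key = DETACH_API[entity_type]
        plan.append((method, {name_key: name, "PolicyArn": arn}))
    return plan


def apply_plan(iam, plan, dry_run=True):
    """Run the detach calls. With dry_run=True (default) only the intended calls are
    returned, so the access impact can be reviewed before anything is removed."""
    executed = []
    for method, kwargs in plan:
        if not dry_run:
            getattr(iam, method)(**kwargs)
        executed.append((method, kwargs))
    return executed


class FakeIam:
    """Offline stand-in for boto3.client("iam") holding constructed attachments."""

    def __init__(self):
        self.attachments = {
            BLACKLISTED_POLICY_ARNS[0]: {"PolicyUsers": [{"UserName": "alice"}],
                                         "PolicyRoles": [{"RoleName": "OpsRole"}]},
            BLACKLISTED_POLICY_ARNS[1]: {"PolicyGroups": [{"GroupName": "Developers"}]},
        }
        self.calls = []  # records every detach performed

    def list_entities_for_policy(self, PolicyArn, Marker=None):
        return dict(self.attachments.get(PolicyArn, {}), IsTruncated=False)

    def _detach(self, PolicyArn, list_key, name_key, name):
        self.calls.append((list_key, name, PolicyArn))
        entries = self.attachments.get(PolicyArn, {}).get(list_key, [])
        entries[:] = [e for e in entries if e[name_key] != name]

    def detach_user_policy(self, UserName, PolicyArn):
        self._detach(PolicyArn, "PolicyUsers", "UserName", UserName)

    def detach_group_policy(self, GroupName, PolicyArn):
        self._detach(PolicyArn, "PolicyGroups", "GroupName", GroupName)

    def detach_role_policy(self, RoleName, PolicyArn):
        self._detach(PolicyArn, "PolicyRoles", "RoleName", RoleName)


if __name__ == "__main__":
    iam = FakeIam()  # replace with boto3.client("iam") for a real account
    findings = find_non_compliant(iam, BLACKLISTED_POLICY_ARNS)
    for step in apply_plan(iam, plan_detach(findings), dry_run=True):
        print("would call", step)
```

Run it once with the default dry run and review the printed calls against the access each entity still needs; if an entity would lose permissions it requires, attach the narrower replacement policy first and only then re-run with dry_run=False.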


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how-it-works section with easy-to-follow videos or just create your own StackZone Account here.
