๐ง AWS IAM Policy allows full administrative privileges - prod.logic.yaml๐ข
- Contextual name: ๐ง prod.logic.yaml๐ข
- ID:
/ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml - Tags:
- ๐ข Logic test success
- ๐ข Logic with extracts
- ๐ข Logic with test data
Usesโ
- ๐ AWS IAM Policy
- ๐ AWS IAM Policy - object.extracts.yaml
- ๐งช test-data.json
Test Results ๐ขโ
Generated at: 2026-02-10T22:32:59.237221960Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| ๐ข | test1 | โ๏ธ 99 | โ๏ธ isDisappeared(CA10__disappearanceTime__c) | โ๏ธ null |
| ๐ข | test2 | โ๏ธ 199 | โ๏ธ extract('CA10__attachable__c') != true || extract('CA10__attachmentCount__c') == number(0.0) | โ๏ธ null |
| ๐ข | test3 | โ๏ธ 299 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | โ๏ธ null |
| ๐ข | test4 | โ๏ธ 299 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | โ๏ธ null |
| ๐ข | test5 | โ๏ธ 299 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | โ๏ธ null |
| ๐ข | test6 | โ๏ธ 299 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | โ๏ธ null |
| ๐ข | test7 | โ๏ธ 399 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') != 'object' | โ๏ธ null |
| ๐ข | test8 | โ๏ธ 499 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('Statement.Effect') != 'Allow' | โ๏ธ null |
| ๐ข | test9 | โ๏ธ 599 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | โ๏ธ null |
| ๐ข | test10 | โ๏ธ 599 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | โ๏ธ null |
| ๐ข | test11 | โ๏ธ 599 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | โ๏ธ null |
| ๐ข | test12 | โ๏ธ 599 | โ๏ธ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | โ๏ธ null |
| ๐ข | test13 | โ๏ธ 600 | โ๏ธ otherwise | โ๏ธ null |
Generation Bundleโ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/iam/policy-allows-full-administrative-privileges/policy.yaml | 6D9F6D5BB86C5732DBABD5496DE8E943 |
| Open | /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml | 81CADF80A0B0B40204F81668C5D10E84 |
| Open | /ce/ca/aws/iam/policy-allows-full-administrative-privileges/test-data.json | 8739BE8DFA54C62833FE0B8691FF29F1 |
| Open | /types/CA10__CaAwsIamPolicy__c/object.extracts.yaml | C48327B50CE4EB54B3C6B2B464134BB3 |
Available Commandsโ
repo-manager policies generate FULL /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
Contentโ
---
inputType: "CA10__CaAwsIamPolicy__c"
testData:
- file: test-data.json
importExtracts:
- file: /types/CA10__CaAwsIamPolicy__c/object.extracts.yaml
conditions:
- status: "COMPLIANT"
currentStateMessage: "This IAM policy is not attached."
check:
OR:
args:
- NOT_EQUAL:
left:
EXTRACT: CA10__attachable__c
right:
BOOLEAN: true
- IS_EQUAL:
left:
EXTRACT: CA10__attachmentCount__c
right:
NUMBER: 0.0
# For the Statement of array type
- status: "INCOMPLIANT"
currentStateMessage: "An IAM policy with administrative privileges is attached."
remediationMessage: "Detach the IAM policy with administrative privileges."
check:
AND:
args:
# Verify that this is an array
- IS_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "type(Statement)"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "array"
# Check number of statements with the following conditions is not 0 (Action == '*' OR Action == ['*']) AND (Resource == '*' OR Resource == ['*']) AND (Effect == 'Allow')
# we can't break it into smaller separate statements since we need to make sure that all 3 elements (Action, Resource, Effect) present in the same statement
- GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "length(Statement[? ((type(Action) == 'array' && contains(Action, '*')) || (type(Action) == 'string' && Action == '*')) && ((type(Resource) == 'array' && contains(Resource, '*')) || (type(Resource) == 'string' && Resource == '*')) && (Effect == 'Allow')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return number type."
right:
NUMBER: 0.0
# at this step any other Statements of array type should be compliant
- status: "COMPLIANT"
currentStateMessage: "This IAM policy does not have admin privileges."
check:
NOT_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "type(Statement)"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "object"
# For the Statement of object type Effect == Deny
- status: "COMPLIANT"
currentStateMessage: "This IAM policy does not have admin privileges."
check:
NOT_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "Statement.Effect"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "Allow"
# For the Statement of object type (Action == '*' OR Action == ['*']) AND (Resource == '*' OR Resource == ['*'])
- status: "INCOMPLIANT"
currentStateMessage: "An IAM policy with administrative privileges is attached."
remediationMessage: "Detach the IAM policy with administrative privileges."
check:
AND:
args:
- IS_EQUAL:
left:
JSON_QUERY_BOOLEAN:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "(type(Statement.Action) == 'string' && Statement.Action == '*') || (type(Statement.Action) == 'array' && contains(Statement.Action, '*'))"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return boolean type."
right:
BOOLEAN: true
- IS_EQUAL:
left:
JSON_QUERY_BOOLEAN:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "(type(Statement.Resource) == 'string' && Statement.Resource == '*') || (type(Statement.Resource) == 'array' && contains(Statement.Resource, '*'))"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return boolean type."
right:
BOOLEAN: true
otherwise:
status: "COMPLIANT"
currentStateMessage: "This IAM policy does not have admin privileges."