π§ AWS IAM Policy allows full administrative privileges - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml - Located in: π AWS IAM Policy allows full administrative privileges π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π AWS IAM Policy | CA10__CaAwsIamPolicy__c | 6 | 1 | 3 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:44:55.763466395Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__attachable__c') != true || extract('CA10__attachmentCount__c') == number(0.0) | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | βοΈ null |
| π’ | test4 | βοΈ 299 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | βοΈ null |
| π’ | test5 | βοΈ 299 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | βοΈ null |
| π’ | test6 | βοΈ 299 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? ((type(Action) == \'array\' && contains(Action, \'*\')) || (type(Action) == \'string\' && Action == \'*\')) && ((type(Resource) == \'array\' && contains(Resource, \'*\')) || (type(Resource) == \'string\' && Resource == \'*\')) && (Effect == \'Allow\')])') > number(0.0) | βοΈ null |
| π’ | test7 | βοΈ 399 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') != 'object' | βοΈ null |
| π’ | test8 | βοΈ 499 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('Statement.Effect') != 'Allow' | βοΈ null |
| π’ | test9 | βοΈ 599 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | βοΈ null |
| π’ | test10 | βοΈ 599 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | βοΈ null |
| π’ | test11 | βοΈ 599 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | βοΈ null |
| π’ | test12 | βοΈ 599 | βοΈ extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Action) == \'string\' && Statement.Action == \'*\') || (type(Statement.Action) == \'array\' && contains(Statement.Action, \'*\'))') == true && extract('caJsonFrom_policyDocument__c').jsonQueryText('(type(Statement.Resource) == \'string\' && Statement.Resource == \'*\') || (type(Statement.Resource) == \'array\' && contains(Statement.Resource, \'*\'))') == true | βοΈ null |
| π’ | test13 | βοΈ 600 | βοΈ otherwise | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/iam/policy-allows-full-administrative-privileges/policy.yaml | A06E702392DC5C7E8396FA3FAE00CED4 |
| Open | /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml | A3002C8345CC95D4555F450A049155BD |
| Open | /ce/ca/aws/iam/policy-allows-full-administrative-privileges/test-data.json | 8739BE8DFA54C62833FE0B8691FF29F1 |
| Open | /types/CA10__CaAwsIamPolicy__c/object.extracts.yaml | C48327B50CE4EB54B3C6B2B464134BB3 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/aws/iam/policy-allows-full-administrative-privileges/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsIamPolicy__c"
testData:
- file: test-data.json
importExtracts:
- file: /types/CA10__CaAwsIamPolicy__c/object.extracts.yaml
conditions:
- status: "COMPLIANT"
currentStateMessage: "This IAM Policy is not attached."
check:
OR:
args:
- NOT_EQUAL:
left:
EXTRACT: CA10__attachable__c
right:
BOOLEAN: true
- IS_EQUAL:
left:
EXTRACT: CA10__attachmentCount__c
right:
NUMBER: 0.0
# For the Statement of array type
- status: "INCOMPLIANT"
currentStateMessage: "This IAM policy with admin privileges is attached."
remediationMessage: "Consider detaching the IAM policy with admin privileges "
check:
AND:
args:
# Verify that this is an array
- IS_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "type(Statement)"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "array"
# Check number of statements with the following conditions is not 0 (Action == '*' OR Action == ['*']) AND (Resource == '*' OR Resource == ['*']) AND (Effect == 'Allow')
# we can't break it into smaller separate statements since we need to make sure that all 3 elements (Action, Resource, Effect) present in the same statement
- GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "length(Statement[? ((type(Action) == 'array' && contains(Action, '*')) || (type(Action) == 'string' && Action == '*')) && ((type(Resource) == 'array' && contains(Resource, '*')) || (type(Resource) == 'string' && Resource == '*')) && (Effect == 'Allow')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return number type."
right:
NUMBER: 0.0
# at this step any other Statements of array type should be compliant
- status: "COMPLIANT"
currentStateMessage: "This IAM policy does not have admin privileges."
check:
NOT_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "type(Statement)"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "object"
# For the Statement of object type Effect == Deny
- status: "COMPLIANT"
currentStateMessage: "This IAM policy does not have admin privileges."
check:
NOT_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "Statement.Effect"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "Allow"
# For the Statement of object type (Action == '*' OR Action == ['*']) AND (Resource == '*' OR Resource == ['*'])
- status: "INCOMPLIANT"
currentStateMessage: "This IAM policy with admin privileges is attached."
remediationMessage: "Consider detaching the IAM policy with admin privileges "
check:
AND:
args:
- IS_EQUAL:
left:
JSON_QUERY_BOOLEAN:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "(type(Statement.Action) == 'string' && Statement.Action == '*') || (type(Statement.Action) == 'array' && contains(Statement.Action, '*'))"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return boolean type."
right:
BOOLEAN: true
- IS_EQUAL:
left:
JSON_QUERY_BOOLEAN:
arg:
EXTRACT: "caJsonFrom_policyDocument__c"
expression: "(type(Statement.Resource) == 'string' && Statement.Resource == '*') || (type(Statement.Resource) == 'array' && contains(Statement.Resource, '*'))"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return boolean type."
right:
BOOLEAN: true
otherwise:
status: "COMPLIANT"
currentStateMessage: "This IAM policy does not have admin privileges."