AWS IAM Policy (Customer Managed) Contains Potential Credentials Exposure - wip.logic.yaml

- Contextual name: wip.logic.yaml
- ID: /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/wip.logic.yaml
- Located in: AWS IAM Policy (Customer Managed) Contains Potential Credentials Exposure
Flags

Input Type

| Type | API Name | Extracts | Extract Files | Logic Files |
|---|---|---|---|---|
| AWS IAM Policy | CA10__CaAwsIamPolicy__c | 6 | 1 | 3 |
Uses
None
Generation

| File | MD5 |
|---|---|
| /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/policy.yaml | 76EFE66D68FB69EA1DC79B065B61AF96 |
| /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/wip.logic.yaml | A753E8298C4E52789236221596765E1D |
Generate FULL script

```shell
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/wip.logic.yaml
```

Generate DEBUG script

```shell
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/wip.logic.yaml
```

Generate CAPTURE_TEST_DATA script

```shell
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/wip.logic.yaml
```

Generate TESTS script

```shell
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure/wip.logic.yaml
```

Execute tests

No testData defined in the logic
Content

```yaml
---
inputType: CA10__CaAwsIamPolicy__c
conditions:
  # Only customer managed policies are in scope; any other policy type is skipped.
  - status: INAPPLICABLE
    currentStateMessage: "This policy does not apply to other types of policies except \"Customer Managed\""
    check:
      NOT_EQUAL:
        left:
          FIELD:
            path: CA10__policyType__c
        right:
          TEXT: Customer managed
  # An empty policy document usually means the collector lacked iam:GetPolicyVersion.
  - status: UNDETERMINED
    currentStateMessage: "Policy JSON is empty, possible permission issue with iam:GetPolicyVersion"
    check:
      IS_EMPTY:
        arg:
          FIELD:
            path: CA10__policyDocument__c
  # The extended (pre-processed) document is produced asynchronously; wait if it is not there yet.
  - status: UNDETERMINED
    currentStateMessage: "Policy JSON Extended is empty, processing might not be completed yet"
    check:
      IS_EMPTY:
        arg:
          FIELD:
            path: CA10__policyDocumentExt__c
  # Flag the policy if it allows any action that mints or hands out credentials.
  # Messages are still placeholders (work in progress).
  - status: INCOMPLIANT
    currentStateMessage: test
    remediationMessage: test
    check:
      AWS_POLICY_ALLOWS:
        policyExtField: CA10__policyDocumentExt__c
        widestAcceptableAccessLevel: EXTERNAL_PRINCIPAL
        actions:
          - chime:CreateApiKey
          - codepipeline:PollForJobs
          - cognito-identity:GetOpenIdToken
          - cognito-identity:GetOpenIdTokenForDeveloperIdentity
          - cognito-identity:GetCredentialsForIdentity
          - connect:GetFederationToken
          - ecr:GetAuthorizationToken
          - gamelift:RequestUploadCredentials
          - iam:CreateAccessKey
          - iam:CreateLoginProfile
          - iam:CreateServiceSpecificCredential
          - iam:ResetServiceSpecificCredential
          - iam:UpdateAccessKey
          - lightsail:GetInstanceAccessDetails
          - lightsail:GetRelationalDatabaseMasterUserPassword
          - rds-db:connect
          - redshift:GetClusterCredentials
          - sso:GetRoleCredentials
          - mediapackage:RotateChannelCredentials
          - mediapackage:RotateIngestEndpointCredentials
          - sts:AssumeRole
          - sts:AssumeRoleWithSAML
          - sts:AssumeRoleWithWebIdentity
          - sts:GetFederationToken
          - sts:GetSessionToken
# Reached only when none of the conditions above matched.
otherwise:
  status: COMPLIANT
  currentStateMessage: "No credential exposure to external principals detected"
```