AWS IAM Access Analyzer Policy Validation with Pulumi Policy as Code ("CrossGuard")

This project demonstrates how you can use Pulumi CrossGuard to evaluate AWS IAM policies before deployment and prevent policies from being created that do not pass IAM Access Analyzer Policy Validation.

Policy Code

See the policy pack code for the policy implementation. The policy uses the AWS SDK for JavaScript to call the IAM Access Analyzer ValidatePolicy operation via the AWS API. The policy code itself is only 14 lines of code!

Prerequisites

This particular project uses TypeScript, but this same policy could be implemented in any of the other languages that Pulumi CrossGuard supports. As such, you will need Node.js installed.

Usage

When running with the policy pack enabled, pulumi will run the iam-access-analyzer-policy-validation policy for each aws.iam.Policy resource defined in the base Pulumi project. The policy calls the ValidatePolicy API and reports each ERROR, SECURITY_WARNING, or WARNING finding for each policy resource as a violation (SUGGESTION findings are excluded).

  1. Download and Install Pulumi
  2. Open a terminal, git clone this repo, and cd into the directory.
  3. Configure Pulumi to access your AWS account
  4. Install dependencies for the base Pulumi project with npm i.
  5. Change directories to the policy pack with cd policy-as-code.
  6. Install dependencies for the policy pack with npm i.
  7. Return to the base Pulumi project directory with cd ...
  8. Initialize a Pulumi stack with pulumi stack init dev.
  9. Set the AWS region to use (any region will do) with pulumi config set aws:region us-east-1.
  10. Run the Pulumi project with the policy pack enabled with pulumi pre --policy-pack policy-as-code.
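The core of such a policy, written here as an added example rather than the repo's own 14-line policy: the AWS SDK call and CrossGuard's reportViolation callback are injected so the logic runs offline, ValidatePolicy's paged results are followed to the end, SUGGESTION findings are dropped, and the rest are formatted like the diagnostics in the Example Output below. The sample validator's two-page response is constructed; the assumed real validator wraps AccessAnalyzerClient.send(new ValidatePolicyCommand({ policyDocument, policyType: "IDENTITY_POLICY" })).

```typescript
// Added example (not the repo's own policy code): the AWS SDK call and the
// CrossGuard reportViolation callback are injected so this runs without AWS access.
type FindingType = "ERROR" | "SECURITY_WARNING" | "WARNING" | "SUGGESTION";
interface Finding { findingType: FindingType; learnMoreLink: string; findingDetails: string; }
interface ValidatePage { findings: Finding[]; nextToken?: string; }
// ValidatePolicy pages its results; the injected validator mirrors that shape.
type PolicyValidator = (policyDocument: string, nextToken?: string) => Promise<ValidatePage>;

// SUGGESTION findings are deliberately not reported, as in the README's policy.
const REPORTED = new Set<FindingType>(["ERROR", "SECURITY_WARNING", "WARNING"]);

// Follow nextToken until exhausted so a long findings list is never silently truncated.
async function collectFindings(doc: string, validate: PolicyValidator): Promise<Finding[]> {
  const all: Finding[] = [];
  let token: string | undefined;
  do {
    const page = await validate(doc, token);
    all.push(...page.findings);
    token = page.nextToken;
  } while (token);
  return all;
}

// Same three-line shape as the diagnostics in the example output.
function formatFinding(f: Finding): string {
  return `Type:    ${f.findingType}\nLink:    ${f.learnMoreLink}\nDetails: ${f.findingDetails}`;
}

// One violation per reportable finding; returns the count so callers can check it.
async function enforceAccessAnalyzer(
  policyDocument: string, validate: PolicyValidator, reportViolation: (msg: string) => void,
): Promise<number> {
  const reported = (await collectFindings(policyDocument, validate))
    .filter(f => REPORTED.has(f.findingType));
  reported.forEach(f => reportViolation(formatFinding(f)));
  return reported.length;
}

// Constructed two-page response: the ERROR and SECURITY_WARNING findings from the
// example output plus a made-up SUGGESTION that must be filtered out.
const CHECKS = "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html";
const sampleValidator: PolicyValidator = async (_doc, nextToken): Promise<ValidatePage> => nextToken === undefined
  ? { findings: [
      { findingType: "ERROR", learnMoreLink: `${CHECKS}#access-analyzer-reference-policy-checks-error-invalid-service-in-action`, findingDetails: "The service DOES_NOT_EXIST:* specified in the action does not exist." },
      { findingType: "SUGGESTION", learnMoreLink: CHECKS, findingDetails: "constructed suggestion" } ], nextToken: "page-2" }
  : { findings: [
      { findingType: "SECURITY_WARNING", learnMoreLink: `${CHECKS}#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource`, findingDetails: "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive." } ] };
```

In a real policy pack, `enforceAccessAnalyzer(args.props.policy, realValidator, reportViolation)` would sit inside the validateResourceOfType handler for aws.iam.Policy.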

Example Output

% pulumi pre --policy-pack policy-as-code
Previewing update (dev)

View Live: https://app.pulumi.com/clstokes/p-aws-aws-iamaccessanalyzer-validate-policy/dev/previews/b7b2d094-8324-49f8-a2e8-6ac1e5ba8292

     Type                 Name                                             Plan       Info
 +   pulumi:pulumi:Stack  p-aws-aws-iamaccessanalyzer-validate-policy-dev  create     1 error
 +   ├─ aws:iam:Policy    invalid-action-policy                            create     
 +   ├─ aws:iam:Policy    overly-permissive-policy                         create     
 +   ├─ aws:iam:Policy    invalid-date-policy                              create     
 +   └─ aws:iam:Policy    empty-array-action-policy                        create     
 
Diagnostics:
  pulumi:pulumi:Stack (p-aws-aws-iamaccessanalyzer-validate-policy-dev):
    error: preview failed
 
Policy Violations:
    [mandatory]  aws-iam-access-analyzer v0.0.1  iam-access-analyzer-policy-validation (aws:iam/policy:Policy: invalid-action-policy)
    Evaluate policies using AWS IAM Access Analyzer - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html.
    Type:    ERROR 
    Link:    https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action
    Details: The service DOES_NOT_EXIST:* specified in the action does not exist.
    
    
    [mandatory]  aws-iam-access-analyzer v0.0.1  iam-access-analyzer-policy-validation (aws:iam/policy:Policy: invalid-date-policy)
    Evaluate policies using AWS IAM Access Analyzer - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html.
    Type:    WARNING 
    Link:    https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-invalid-date-value
    Details: The date 2021 might not resolve as expected. We recommend that you use the YYYY-MM-DD format.
    
    
    [mandatory]  aws-iam-access-analyzer v0.0.1  iam-access-analyzer-policy-validation (aws:iam/policy:Policy: overly-permissive-policy)
    Evaluate policies using AWS IAM Access Analyzer - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html.
    Type:    SECURITY_WARNING 
    Link:    https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource
    Details: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.

Additional Resources