add example rules for IAM roles

stelligent · Mar 19, 2018 · 44bcbfd · 44bcbfd
1 parent cd202d1
commit 44bcbfd
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 6 deletions.
diff --git a/example-files/config/README.md b/example-files/config/README.md
@@ -12,6 +12,9 @@ Done:
 * IamPolicyWildcardActionRule
 * IamPolicyWildcardResourceRule
 
+* IamRoleNotActionOnPermissionsPolicyRule
+* IamRoleNotResourceOnPermissionsPolicyRule
+
 * S3BucketPolicyNotActionRule
 * S3BucketPolicyNotPrincipalRule
 * S3BucketPolicyWildcardActionRule
@@ -34,10 +37,8 @@ TODO
 * IamManagedPolicyWildcardActionRule
 * IamManagedPolicyWildcardResourceRule
 
-* IamRoleNotActionOnPermissionsPolicyRule
 * IamRoleNotActionOnTrustPolicyRule
 * IamRoleNotPrincipalOnTrustPolicyRule
-* IamRoleNotResourceOnPermissionsPolicyRule
 * IamRoleWildcardActionOnPermissionsPolicyRule
 * IamRoleWildcardActionOnTrustPolicyRule
 * IamRoleWildcardResourceOnPermissionsPolicyRule

diff --git a/example-files/config/iam.tf b/example-files/config/iam.tf
@@ -17,6 +17,27 @@ resource "aws_iam_role" "iam_role_1" {
 EOF
 }
 
+resource "aws_iam_role" "iam_role_with_not" {
+    name = "iam_role_1"
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "NotAction": "sts:AssumeRole",
+      "NotResource": [
+        "resource1",
+        "resource2"
+      ],
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+
 resource "aws_iam_role" "role_with_invalid_policy" {
     name = "role1"
     assume_role_policy = [ "invalid" ]

diff --git a/example-files/rules/terraform.yml b/example-files/rules/terraform.yml
@@ -175,23 +175,27 @@ Rules:
         key: logging_config
         op: present
   - id: POLICY_NOT_ACTION
-    message: Should not allow not action in IAM policy
+    message: Should not use NotAction in IAM policy
     resource: aws_iam_policy
     severity: WARNING
     assertions:
       - type: value
         key: policy.Statement[].NotAction
         op: absent
+    tags:
+      - iam
   - id: POLICY_NOT_RESOURCE
-    message: Should not allow not resource in IAM policy
+    message: Should not use NotResource in IAM policy
     resource: aws_iam_policy
     severity: WARNING
     assertions:
       - type: value
         key: policy.Statement[].NotResource
         op: absent
+    tags:
+      - iam
   - id: POLICY_WILDCARD_ACTION
-    message: Should not allow not wildcard action in IAM policy
+    message: Should not use wildcard action in IAM policy
     resource: aws_iam_policy
     severity: FAILURE
     assertions:
@@ -200,8 +204,10 @@ Rules:
           key: policy.Statement[].Action
           op: contains
           value: "*"
+    tags:
+      - iam
   - id: POLICY_WILDCARD_RESOURCE
-    message: Should not allow not wildcard resource in IAM policy
+    message: Should not use wildcard resource in IAM policy
     resource: aws_iam_policy
     severity: WARNING
     assertions:
@@ -210,6 +216,28 @@ Rules:
           key: policy.Statement[].Resource
           op: contains
           value: "*"
+    tags:
+      - iam
+  - id: ROLE_NOT_ACTION
+    message: Should not use NotAction in IAM role
+    resource: aws_iam_role
+    severity: WARNING
+    assertions:
+      - type: value
+        key: assume_role_policy.Statement[].NotAction
+        op: absent
+    tags:
+      - iam
+  - id: ROLE_NOT_RESOURCE
+    message: Should not use NotResource in IAM role
+    resource: aws_iam_role
+    severity: WARNING
+    assertions:
+      - type: value
+        key: assume_role_policy.Statement[].NotResource
+        op: absent
+    tags:
+      - iam
   - id: ELB_ACCESS_LOGGING
     message: ELB should enable access logging
     resource: aws_elb