This project demonstrates how you can use Pulumi CrossGuard to evaluate AWS IAM policies before deployment and prevent policies from being created that do not pass IAM Access Analyzer Policy Validation.
See the policy pack code for the policy implementation. The policy uses the AWS SDK for JavaScript to run the `ValidatePolicy` operation via the AWS API. The policy code itself is only 14 lines of code!
This particular project uses TypeScript, so you will need Node.js installed; the same policy could be implemented in any of the other languages that Pulumi CrossGuard supports.
When running with the policy pack enabled, `pulumi` will run the `iam-access-analyzer-policy-validation` policy for each `aws.iam.Policy` resource defined in the base Pulumi project. The policy will call the `ValidatePolicy` API and print each `ERROR`, `SECURITY_WARNING`, or `WARNING` finding for each policy resource (excluding `SUGGESTION`).
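The check described above, as an added example (not the project's own 14-line policy): it normalises the `policy` input to a string, collects every `ValidatePolicy` result page, discards `SUGGESTION` findings and formats the rest as `reportViolation` messages. The AWS SDK call and the `@pulumi/policy` wiring are assumed to be injected by the caller, so the logic runs offline; `validateIamPolicy`, `ValidateFn` and the sample findings are hypothetical names and constructed data.

```typescript
// Added example, not the project's own policy code: turns ValidatePolicy findings into
// violation messages. The SDK call and @pulumi/policy wiring are injected (assumption).

type FindingType = "ERROR" | "SECURITY_WARNING" | "WARNING" | "SUGGESTION";

interface ValidationFinding { findingType: FindingType; findingDetails: string; learnMoreLink: string; }

// Finding types that should fail the preview; SUGGESTION is informational only.
const BLOCKING_TYPES = new Set<FindingType>(["ERROR", "SECURITY_WARNING", "WARNING"]);

// aws.iam.Policy accepts `policy` as a JSON string or an object, while
// ValidatePolicy wants the document as a string, so normalise it first.
function toPolicyDocumentString(policy: string | object): string {
  return typeof policy === "string" ? policy : JSON.stringify(policy);
}

// Render one finding the way the pack's output shows it (Type / Link / Details).
function formatFinding(f: ValidationFinding): string {
  return `Type: ${f.findingType}\nLink: ${f.learnMoreLink}\nDetails: ${f.findingDetails}`;
}

// Drop SUGGESTION findings and format the rest for reportViolation.
function violationsFromFindings(findings: ValidationFinding[]): string[] {
  return findings.filter(f => BLOCKING_TYPES.has(f.findingType)).map(formatFinding);
}

// Shape of the injected ValidatePolicy call (request/response fields used for
// identity policies; the API pages its results via nextToken).
type ValidateFn = (req: { policyDocument: string; policyType: "IDENTITY_POLICY"; nextToken?: string }) =>
  Promise<{ findings?: ValidationFinding[]; nextToken?: string }>;

// Walk every result page so a policy with many findings is not under-reported.
async function validateIamPolicy(policy: string | object, validate: ValidateFn): Promise<string[]> {
  const policyDocument = toPolicyDocumentString(policy);
  const findings: ValidationFinding[] = [];
  let nextToken: string | undefined;
  do {
    const page = await validate({ policyDocument, policyType: "IDENTITY_POLICY", nextToken });
    findings.push(...(page.findings ?? []));
    nextToken = page.nextToken;
  } while (nextToken);
  return violationsFromFindings(findings);
}

// Constructed findings mirroring the README's output: one blocking ERROR and one SUGGESTION.
const SAMPLE_FINDINGS: ValidationFinding[] = [
  { findingType: "ERROR", findingDetails: "The service DOES_NOT_EXIST:* specified in the action does not exist.",
    learnMoreLink: "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html" },
  { findingType: "SUGGESTION", findingDetails: "Add a value to the empty string in the Sid element.",
    learnMoreLink: "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html" },
];
```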
- Download and install Pulumi
- Open a terminal, `git clone` this repo and `cd` to the directory.
- Configure Pulumi to access your AWS account
- Install dependencies for the base Pulumi project with `npm i`.
- Change directories to the policy pack with `cd policy-as-code`.
- Install dependencies for the policy pack with `npm i`.
- Return to the base Pulumi project directory with `cd ..`.
- Initialize a Pulumi stack with `pulumi stack init dev`.
- Set the AWS region to use (any region will do) with `pulumi config set aws:region us-east-1`.
- Run the Pulumi project with the policy pack enabled with `pulumi pre --policy-pack policy-as-code`.
```
% pulumi pre --policy-pack policy-as-code
Previewing update (dev)

View Live: https://app.pulumi.com/clstokes/p-aws-aws-iamaccessanalyzer-validate-policy/dev/previews/b7b2d094-8324-49f8-a2e8-6ac1e5ba8292

     Type                 Name                                              Plan       Info
 +   pulumi:pulumi:Stack  p-aws-aws-iamaccessanalyzer-validate-policy-dev  create     1 error
 +   ├─ aws:iam:Policy    invalid-action-policy                             create
 +   ├─ aws:iam:Policy    overly-permissive-policy                          create
 +   ├─ aws:iam:Policy    invalid-date-policy                               create
 +   └─ aws:iam:Policy    empty-array-action-policy                         create

Diagnostics:
  pulumi:pulumi:Stack (p-aws-aws-iamaccessanalyzer-validate-policy-dev):
    error: preview failed

Policy Violations:
    [mandatory]  aws-iam-access-analyzer v0.0.1  iam-access-analyzer-policy-validation (aws:iam/policy:Policy: invalid-action-policy)
    Evaluate policies using AWS IAM Access Analyzer - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html.
    Type: ERROR
    Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action
    Details: The service DOES_NOT_EXIST:* specified in the action does not exist.

    [mandatory]  aws-iam-access-analyzer v0.0.1  iam-access-analyzer-policy-validation (aws:iam/policy:Policy: invalid-date-policy)
    Evaluate policies using AWS IAM Access Analyzer - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html.
    Type: WARNING
    Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-invalid-date-value
    Details: The date 2021 might not resolve as expected. We recommend that you use the YYYY-MM-DD format.

    [mandatory]  aws-iam-access-analyzer v0.0.1  iam-access-analyzer-policy-validation (aws:iam/policy:Policy: overly-permissive-policy)
    Evaluate policies using AWS IAM Access Analyzer - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html.
    Type: SECURITY_WARNING
    Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource
    Details: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.
```