iam-policy-blacklisted-check
Checks, for each Amazon Identity and Access Management (IAM) resource, whether a policy Amazon Resource Name (ARN) listed in the input parameter is attached to that resource. The rule is NON_COMPLIANT if any of the listed policy ARNs is attached to the IAM resource.
Identifier: IAM_POLICY_BLACKLISTED_CHECK
Resource Types: AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role
Trigger type: Configuration changes
Amazon Web Services Region: All supported Amazon regions except the Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain) and Europe (Zurich) Regions
Parameters:
- policyArns
  - Type: CSV
  - Default: arn:aws:iam::aws:policy/AdministratorAccess
  - Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity.
- exceptionList (Optional)
  - Type: CSV
  - Comma-separated list of resource types, each followed by a list of resource names. For example: users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3].
Note
For the exception list, specify the name of the resource, not its full ARN. Not valid: arn:aws:iam::444455556666:role/Admin. Valid: Admin.
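The following is an added illustration of how the two parameters combine at evaluation time; it is not Amazon Config's own implementation of the rule. It parses the policyArns CSV and the users:[...]/groups:[...]/roles:[...] exceptionList format described above, rejects ARNs in the exception list (per the Note), and reports NON_COMPLIANT when a listed policy ARN is attached to a user, group or role. The inventory of attached policies is constructed inline; the function names, and the assumption that a resource named in exceptionList is reported COMPLIANT, are this example's and not stated on the page.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Keys of the exceptionList format (users:[...], groups:[...], roles:[...])
# mapped to the resource types the rule evaluates.
EXCEPTION_KEYS = {
    "users": "AWS::IAM::User",
    "groups": "AWS::IAM::Group",
    "roles": "AWS::IAM::Role",
}


def parse_policy_arns(policy_arns: str) -> Set[str]:
    """policyArns is a comma-separated list of IAM policy ARNs."""
    return {arn.strip() for arn in policy_arns.split(",") if arn.strip()}


def parse_exception_list(exception_list: str) -> Dict[str, Set[str]]:
    """Parse 'users:[u1;u2], groups:[g1], roles:[r1;r2]' into {resource_type: {names}}.
    Entries must be plain resource names, not ARNs (see the Note above)."""
    exceptions: Dict[str, Set[str]] = {}
    if not exception_list or not exception_list.strip():
        return exceptions
    pairs = re.findall(r"(\w+)\s*:\s*\[([^\]]*)\]", exception_list)
    if not pairs:
        raise ValueError("exceptionList does not match the type:[name;name] format")
    for key, body in pairs:
        resource_type = EXCEPTION_KEYS.get(key.strip().lower())
        if resource_type is None:
            raise ValueError(f"unknown exceptionList key: {key!r}")
        names = {n.strip() for n in body.split(";") if n.strip()}
        for name in names:
            if name.startswith("arn:"):
                raise ValueError(f"exceptionList expects a resource name, not an ARN: {name!r}")
        exceptions.setdefault(resource_type, set()).update(names)
    return exceptions


def evaluate(resource_type: str, resource_name: str, attached_policy_arns: Iterable[str],
             policy_arns: str, exception_list: str = "") -> Tuple[str, Set[str]]:
    """Return (compliance, offending_arns) for one IAM user, group or role.
    Assumption (hypothetical, not from the page): a resource named in
    exceptionList is reported COMPLIANT regardless of what is attached."""
    if resource_type not in EXCEPTION_KEYS.values():
        raise ValueError(f"rule does not evaluate resource type {resource_type!r}")
    forbidden = parse_policy_arns(policy_arns)
    exceptions = parse_exception_list(exception_list)
    if resource_name in exceptions.get(resource_type, set()):
        return "COMPLIANT", set()
    offending = forbidden & set(attached_policy_arns)
    return ("NON_COMPLIANT" if offending else "COMPLIANT"), offending


def evaluate_inventory(inventory: List[Tuple[str, str, List[str]]],
                       policy_arns: str, exception_list: str = "") -> Dict[str, str]:
    """Evaluate a list of (resource_type, name, attached_arns) -> {name: compliance}."""
    return {name: evaluate(rtype, name, arns, policy_arns, exception_list)[0]
            for rtype, name, arns in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; the account ID is the one used in the page's example.
    inventory = [
        ("AWS::IAM::Role", "Admin", ["arn:aws:iam::aws:policy/AdministratorAccess"]),
        ("AWS::IAM::User", "alice", ["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
        ("AWS::IAM::Group", "ops", ["arn:aws:iam::aws:policy/AdministratorAccess",
                                    "arn:aws:iam::444455556666:policy/custom-deploy"]),
    ]
    forbidden = "arn:aws:iam::aws:policy/AdministratorAccess"
    print(evaluate_inventory(inventory, forbidden))
    print(evaluate_inventory(inventory, forbidden, "roles:[Admin]"))
```

The parser deliberately fails closed on malformed input: an unknown key or an ARN in the exception list raises instead of silently excepting nothing, which would otherwise mask a configuration mistake as a clean COMPLIANT result.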
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.