Created
May 13, 2020 20:41
-
-
Save jtroberts83/50899daf5a408b6786741fd4904682cc to your computer and use it in GitHub Desktop.
Cloud Custodian policy which will identify IAM Role trust relationships which contain ec2, ecs, or lambda
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| policies: | |
| - name: test-iam-role | |
| resource: iam-role | |
| filters: | |
| - or: | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[6].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[7].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[8].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[9].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[10].Principal.Service | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service[0] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service[1] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service[2] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service[3] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service[4] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[0].Principal.Service[5] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service[0] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service[1] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service[2] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service[3] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service[4] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[1].Principal.Service[5] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service[0] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service[1] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service[2] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service[3] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service[4] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[2].Principal.Service[5] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service[0] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service[1] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service[2] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service[3] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service[4] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[3].Principal.Service[5] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service[0] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service[1] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service[2] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service[3] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service[4] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[4].Principal.Service[5] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service[0] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service[1] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service[2] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service[3] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service[4] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
| - type: value | |
| key: AssumeRolePolicyDocument.Statement[5].Principal.Service[5] | |
| op: regex | |
| value: '^(((.*ec2.amazonaws.com.*)|(.*lambda.amazonaws.com.*)|(.*ecs.amazonaws.com.*)))$' | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment