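# Cloud Custodian policy: flag IAM policies that grant an over-broad action
# and push the result to Security Hub plus a Slack channel via the c7n-mailer
# SQS queue. Indentation below is the reconstructed block structure; the
# account id in `role` and `queue` is deployment-specific and must match the
# account the Lambda runs in.
policies:
  - name: iam-policy-account-audit-policy
    resource: iam-policy
    description: |
      Cloud Custodian IAM Policy account:* Audit
    comment: |
      Periodically check IAM policies and send
      email/Slack notification if contains account:* action
      Note: The iam.py module was manually modified to match on
      the Action account:*. This policy will NOT work out of the box.
    mode:
      # Runs as a scheduled Lambda; the role must be assumable by Lambda and
      # allowed to list/get IAM policies, call SecurityHub, and send to SQS.
      type: periodic
      role: arn:aws:iam::929292782238:role/CloudCustodian
      schedule: "rate(1 hour)"
      packages: [boto3, botocore, urllib3]
    filters:
      # Stock `has-allow-all` matches `*`-action policies; per the comment
      # above the filter here relies on a locally patched iam.py to match
      # `account:*` instead — confirm the patch is present before deploying.
      - type: has-allow-all
    actions:
      - type: post-finding
        # Security Hub normalized severity (0-100); 10 is the low tier,
        # verify this is the intended ranking for a wildcard-action finding.
        severity_normalized: 10
        types:
          - "Software and Configuration Checks/AWS Security Best Practices"
      - type: notify
        template: iam-policy-account-audit.html
        slack_template: slack-iam-policy-account-audit
        template_format: 'html'
        priority_header: '5'
        subject: 'Security Audit: IAM policies found with account:* action'
        to:
          # Quoted so a later edit inserting a space before `#` cannot
          # silently turn the channel into a YAML comment.
          - 'slack://#ie-alerts'
        # Explicit empty list: a bare `owner_absent_contact:` parses as null,
        # which the notify schema (array of strings) is likely to reject.
        owner_absent_contact: []
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/929292782238/cloud-cloudcustodian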