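# Cloud Custodian policy: flag IAM users that have the AmazonEC2FullAccess
# policy attached but are not members of the Ec2InstanceLaunchers group, and
# send a notification through c7n-mailer.
#
# Placeholders to fill in before deploying: <account_id>, <slack-channel>.
# Validate with `custodian validate iam-user-audit.yml` after editing.
policies:
  - name: iam-user-audit
    resource: iam-user
    description: |
      Cloud Custodian IAM User Audit
    comments: |
      Send notification when IAM user is found with AmazonEC2FullAccess
      and not part of the Ec2InstanceLaunchers group.
    mode:
      # Scheduled execution under the CloudCustodian role, once per day.
      type: periodic
      role: arn:aws:iam::<account_id>:role/CloudCustodian
      schedule: "rate(1 day)"
    filters:
      # Exclude users who belong to the approved group.
      - not:
          - type: group
            key: GroupName
            value: Ec2InstanceLaunchers
      # Exact policy-name match. The original used `op: regex`; in Cloud
      # Custodian that operator is start-anchored and case-insensitive, so it
      # would also match any policy whose name merely begins with this string.
      # If a pattern is really wanted, anchor it: value: '^AmazonEC2FullAccess$'.
      # NOTE(review): this filter appears to inspect only managed policies
      # attached directly to the user; the same permissions granted through an
      # inline policy or through a group-attached policy are not detected here —
      # confirm against the c7n `policy` filter for iam-user if that gap matters.
      - type: policy
        key: PolicyName
        value: AmazonEC2FullAccess
        op: eq
    actions:
      - type: notify
        template: iam-user-audit
        template_format: 'html'
        slack_template: slack-iam-user-audit
        priority_header: '5'
        subject: 'IAM User Audit: IAM User(s) found not in Ec2InstanceLaunchers but with AmazonEC2FullAccess'
        to:
          - slack://#<slack-channel>
        # Fallback recipients when no resource owner can be resolved. The
        # original left this key bare, which YAML reads as null; the notify
        # schema appears to expect a list of addresses, so use an explicit
        # empty list or fill in real contacts.
        owner_absent_contact: []
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/<account_id>/cloud-cloudcustodian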