iam-policy-blacklisted-check - AWS Config


Checks whether, for each IAM resource (user, group, or role), any policy ARN listed in the policyArns parameter is attached to that resource. The rule is NON_COMPLIANT if one of the listed policy ARNs is attached to the IAM resource. AWS Config marks the resource as COMPLIANT if the IAM resource is named in the exceptionList parameter, regardless of whether a listed policy ARN is attached. Because matching is by policy ARN, only attached managed policies (AWS managed or customer managed) are evaluated; inline policies have no ARN and are not covered by this rule.

Identifier: IAM_POLICY_BLACKLISTED_CHECK

Trigger type: Configuration changes

AWS Region: All supported AWS regions

Parameters:

policyArns
Comma-separated list of policy ARNs. A resource with any of these policies attached is NON_COMPLIANT.

exceptionList
Comma-separated list of IAM users, groups, or roles that are exempt from this rule. Names inside each bracket are separated by semicolons, not commas. For example, users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3].

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.
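The following Python model is added here as an illustration; it is not part of the AWS documentation or of the AWS Config service. It parses the two parameters in the formats documented above, applies the compliance decision from the description to a small constructed inventory of IAM users, groups and roles, and emits the AWS::Config::ConfigRule resource body you would place in a CloudFormation template. The policy ARNs, principal names and the IamResource helper are assumptions made for the example, and the evaluation is a local model of the documented semantics rather than a call to AWS Config. The inventory deliberately includes a role whose only permissions come from an inline policy, to show that such a resource is reported COMPLIANT by this rule.

```python
"""Offline model of the iam-policy-blacklisted-check rule (added example, not AWS code)."""
import json
import re
from dataclasses import dataclass, field

# Rule parameters in the documented formats. Values are constructed for this
# example; the customer policy ARN and the principal names are not real resources.
POLICY_ARNS = (
    "arn:aws:iam::aws:policy/AdministratorAccess,"
    "arn:aws:iam::123456789012:policy/LegacyFullAccess"
)
EXCEPTION_LIST = "users:[break-glass], groups:[], roles:[OrgAdminRole;CICDDeployRole]"

# Map the exceptionList keys onto the AWS Config resource types the rule evaluates.
EXCEPTION_KEY_FOR_TYPE = {
    "AWS::IAM::User": "users",
    "AWS::IAM::Group": "groups",
    "AWS::IAM::Role": "roles",
}

_EXCEPTION_RE = re.compile(r"(users|groups|roles):\[([^\]]*)\]")


def parse_policy_arns(param: str) -> set[str]:
    """policyArns: comma-separated ARNs; surrounding whitespace and blanks are ignored."""
    return {arn.strip() for arn in param.split(",") if arn.strip()}


def parse_exception_list(param: str) -> dict[str, set[str]]:
    """exceptionList: users:[a;b], groups:[c], roles:[d;e] -> {"users": {...}, ...}.

    Names inside a bracket are separated by ';', the three groups by ','.
    Missing or empty groups yield an empty set so lookups never fail."""
    parsed: dict[str, set[str]] = {"users": set(), "groups": set(), "roles": set()}
    for kind, body in _EXCEPTION_RE.findall(param):
        parsed[kind] |= {name.strip() for name in body.split(";") if name.strip()}
    return parsed


@dataclass
class IamResource:
    """Hypothetical inventory record standing in for a configuration item."""
    resource_type: str                                            # e.g. "AWS::IAM::Role"
    name: str
    attached_policy_arns: set[str] = field(default_factory=set)   # managed policies only
    inline_policy_names: set[str] = field(default_factory=set)    # no ARN, so never matched


def evaluate(resource: IamResource, blacklisted: set[str],
             exceptions: dict[str, set[str]]) -> tuple[str, str]:
    """Return (compliance, annotation) following the documented rule semantics."""
    kind = EXCEPTION_KEY_FOR_TYPE[resource.resource_type]
    if resource.name in exceptions[kind]:
        # exceptionList wins regardless of what is attached.
        return "COMPLIANT", "resource is in exceptionList"
    hits = sorted(resource.attached_policy_arns & blacklisted)
    if hits:
        return "NON_COMPLIANT", "blacklisted policy attached: " + ", ".join(hits)
    return "COMPLIANT", "no blacklisted policy attached"


def evaluate_inventory(inventory, policy_arns_param: str = POLICY_ARNS,
                       exception_list_param: str = EXCEPTION_LIST) -> dict:
    """Evaluate every resource; keyed by (resource type, name)."""
    blacklisted = parse_policy_arns(policy_arns_param)
    exceptions = parse_exception_list(exception_list_param)
    return {(r.resource_type, r.name): evaluate(r, blacklisted, exceptions) for r in inventory}


def config_rule_resource(rule_name: str = "iam-policy-blacklisted-check",
                         policy_arns_param: str = POLICY_ARNS,
                         exception_list_param: str = EXCEPTION_LIST) -> dict:
    """CloudFormation AWS::Config::ConfigRule resource body for this managed rule."""
    return {
        "Type": "AWS::Config::ConfigRule",
        "Properties": {
            "ConfigRuleName": rule_name,
            "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_POLICY_BLACKLISTED_CHECK"},
            "InputParameters": {"policyArns": policy_arns_param,
                                "exceptionList": exception_list_param},
        },
    }


# Constructed inventory. "AppRole" has admin-equivalent inline permissions but no
# managed policy attached, so this rule cannot flag it.
SAMPLE_INVENTORY = [
    IamResource("AWS::IAM::User", "alice", {"arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    IamResource("AWS::IAM::User", "bob", {"arn:aws:iam::aws:policy/AdministratorAccess"}),
    IamResource("AWS::IAM::User", "break-glass", {"arn:aws:iam::aws:policy/AdministratorAccess"}),
    IamResource("AWS::IAM::Role", "OrgAdminRole", {"arn:aws:iam::123456789012:policy/LegacyFullAccess"}),
    IamResource("AWS::IAM::Role", "AppRole", set(), {"AllowEverythingInline"}),
    IamResource("AWS::IAM::Group", "admins", {"arn:aws:iam::123456789012:policy/LegacyFullAccess"}),
]

if __name__ == "__main__":
    for (rtype, name), (status, why) in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{rtype:16} {name:14} {status:14} {why}")
    print(json.dumps({"Resources": {"IamPolicyBlacklistedCheck": config_rule_resource()}}, indent=2))
```

Running the block prints bob and the admins group as NON_COMPLIANT, break-glass and OrgAdminRole as COMPLIANT because they are exempted, and AppRole as COMPLIANT despite its inline policy; pair this rule with a separate check on inline policies if that gap matters in your environment.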