iam-policy-blacklisted-check - AWS Config

iam-policy-blacklisted-check

Checks whether any policy Amazon Resource Name (ARN) listed in the policyArns parameter is attached to an AWS Identity and Access Management (IAM) user, group, or role. The rule is NON_COMPLIANT for an IAM resource if one of the listed policy ARNs is attached to it. Only managed policies have ARNs, so inline policies that grant equivalent permissions are outside the scope of this check.

Identifier: IAM_POLICY_BLACKLISTED_CHECK

Resource Types: AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Role

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region

Parameters:

policyArns
Type: CSV
Default: arn:aws:iam::aws:policy/AdministratorAccess

Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity.

exceptionList (Optional)
Type: CSV

Comma-separated list of resource-type and resource-name-list pairs, with the names inside a list separated by semicolons (for example, users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3]). Resources named here are excluded from evaluation.
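
An offline model of what this rule evaluates, added here as an illustration (it is not AWS's implementation of the managed rule): it parses the policyArns and exceptionList parameters in the formats documented above, applies them to an inventory of attached managed policies, and returns a status per entity. The inventory is constructed sample data; collect_inventory() shows how the same shape would be built from a boto3 IAM client. Exact ARN string matching and the NOT_APPLICABLE status for entities named in exceptionList are assumptions, not documented behaviour.

```python
"""Offline model of IAM_POLICY_BLACKLISTED_CHECK (added example, not AWS's code).

Assumed, not documented: exact ARN string matching, and NOT_APPLICABLE for
entities named in exceptionList. SAMPLE_INVENTORY is constructed data.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_POLICY_ARNS = "arn:aws:iam::aws:policy/AdministratorAccess"  # page default

# exceptionList keys -> the rule's resource types.
RESOURCE_TYPES = {"users": "AWS::IAM::User", "groups": "AWS::IAM::Group", "roles": "AWS::IAM::Role"}

# One entry of the documented form  users:[user1;user2]  (assumed grammar).
_EXCEPTION_ENTRY = re.compile(r"\s*(users|groups|roles)\s*:\s*\[([^\]]*)\]\s*")

Finding = Tuple[str, str, str, str]  # (resource type, name, status, annotation)


def parse_policy_arns(csv: str) -> set:
    """policyArns is a CSV of ARNs; blanks and surrounding whitespace are ignored."""
    return {arn.strip() for arn in csv.split(",") if arn.strip()}


def parse_exception_list(csv: str) -> Dict[str, set]:
    """Parse 'users:[u1;u2], groups:[g1], roles:[r1;r2]' into {kind: {names}}.
    Anything outside the documented shape raises, so a typo in the parameter
    fails loudly instead of silently excepting nothing."""
    exceptions: Dict[str, set] = {kind: set() for kind in RESOURCE_TYPES}
    csv, pos = csv.strip(), 0
    while pos < len(csv):
        match = _EXCEPTION_ENTRY.match(csv, pos)
        if not match:
            raise ValueError(f"malformed exceptionList at offset {pos}: {csv[pos:pos + 20]!r}")
        kind, names = match.group(1), match.group(2)
        exceptions[kind].update(n.strip() for n in names.split(";") if n.strip())
        pos = match.end()
        if pos < len(csv):
            if csv[pos] != ",":
                raise ValueError(f"expected ',' between entries at offset {pos}")
            pos += 1
    return exceptions


def evaluate(inventory: Dict[str, Dict[str, List[str]]],
             policy_arns: str = DEFAULT_POLICY_ARNS,
             exception_list: str = "") -> List[Finding]:
    """Apply the rule to {kind: {entity name: [attached managed policy ARNs]}}."""
    banned = parse_policy_arns(policy_arns)
    excepted = parse_exception_list(exception_list)
    findings: List[Finding] = []
    for kind, entities in inventory.items():
        for name, attached in sorted(entities.items()):
            rtype = RESOURCE_TYPES[kind]
            if name in excepted[kind]:
                findings.append((rtype, name, "NOT_APPLICABLE", "listed in exceptionList"))
                continue
            # Exact ARN match only; inline policies have no ARN and never appear here.
            hits = sorted(banned.intersection(attached))
            if hits:
                findings.append((rtype, name, "NON_COMPLIANT", "attached: " + ", ".join(hits)))
            else:
                findings.append((rtype, name, "COMPLIANT", ""))
    return findings


def collect_inventory(iam) -> Dict[str, Dict[str, List[str]]]:
    """Build the same inventory shape from a live boto3 IAM client (not run here)."""
    spec = {  # kind: (list paginator, response key, name field, attached-policy paginator)
        "users": ("list_users", "Users", "UserName", "list_attached_user_policies"),
        "groups": ("list_groups", "Groups", "GroupName", "list_attached_group_policies"),
        "roles": ("list_roles", "Roles", "RoleName", "list_attached_role_policies"),
    }
    inventory: Dict[str, Dict[str, List[str]]] = {}
    for kind, (lister, key, field, attach) in spec.items():
        inventory[kind] = {}
        for page in iam.get_paginator(lister).paginate():
            for entity in page[key]:
                arns: List[str] = []
                for ap in iam.get_paginator(attach).paginate(**{field: entity[field]}):
                    arns.extend(p["PolicyArn"] for p in ap["AttachedPolicies"])
                inventory[kind][entity[field]] = arns
    return inventory


# Constructed sample inventory, not real account data (123456789012 is the
# placeholder account ID used in AWS documentation).
SAMPLE_INVENTORY = {
    "users": {
        "alice": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "break-glass": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "ci-deployer": ["arn:aws:iam::aws:policy/IAMFullAccess",
                        "arn:aws:iam::aws:policy/AdministratorAccess"],
    },
    "groups": {"admins": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    "roles": {
        "LambdaExec": ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
        "OrgAdmin": ["arn:aws:iam::123456789012:policy/OrgWideAdmin"],
    },
}
POLICY_ARNS_PARAM = "arn:aws:iam::aws:policy/AdministratorAccess,arn:aws:iam::aws:policy/IAMFullAccess"
EXCEPTION_LIST_PARAM = "users:[break-glass], roles:[OrgAdmin]"

if __name__ == "__main__":
    for rtype, name, status, note in evaluate(SAMPLE_INVENTORY, POLICY_ARNS_PARAM, EXCEPTION_LIST_PARAM):
        print(f"{status:<14} {rtype:<16} {name:<12} {note}")
```

Two points worth noting from the model: the parser rejects a malformed exceptionList rather than treating it as empty, because a silent parse failure would quietly widen the set of flagged entities (or, with a permissive parser, quietly except nothing), and the comparison is on attached managed policy ARNs only, so a user with an inline policy equivalent to AdministratorAccess is reported COMPLIANT here just as it would be by the managed rule.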

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.