
AWS

Examples about IAM AssumeRole

Reject if a policy can assume ANY role in ANY account

Scenario: Reject if a policy can assume ANY role in ANY account
    Given I have aws_iam_policy defined
    When it contains policy
    And it contains Statement
    And its Effect is Allow
    And its Action is sts:AssumeRole
    And it contains resource
    Then its value must not match the "\*" regex

Reject if the role can be assumed by ANY role in ANY account

Scenario: Reject if the role can be assumed by ANY role in ANY account
    Given I have aws_iam_role defined
    When it contains assume_role_policy
    And it contains Statement
    And its Effect is Allow
    And its Action is sts:AssumeRole
    And it contains Principal
    And it contains AWS
    Then its value must not match the "\*" regex

Reject if the role can be assumed by ANY account other than specific AWS accounts

Scenario: Reject if the role can be assumed by ANY account other than specific AWS accounts
    Given I have aws_iam_role defined
    When it contains assume_role_policy
    And it contains Statement
    And its Effect is Allow
    And its Action is sts:AssumeRole
    And it contains Principal
    And it contains AWS
    Then its value must match the ".*1234567890.*|.*1234567891.*" regex
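As an added illustration (not part of terraform-compliance or of this page), the Python below applies the same two trust-policy checks, wildcard principal and account allow-list, to a constructed assume_role_policy document. The allow-listed account IDs are the page's own placeholders; the sample policy and the function names are assumptions made here.

```python
import json
import re

# Constructed sample trust policy (not from the page): one allow-listed
# account, one wildcard principal, one account that only looks allow-listed.
SAMPLE_TRUST_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::1234567890:root"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "*"}},
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
     "Principal": {"AWS": "arn:aws:iam::123456789:root"}},
]})

# Placeholder account IDs taken from the page's third scenario.
ALLOWED_ACCOUNTS = {"1234567890", "1234567891"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allow_assume_role_principals(policy_json):
    """Yield each AWS principal of every Allow + sts:AssumeRole statement."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # a bare "*" principal also means everyone
            yield "*"
            continue
        yield from _as_list(principal.get("AWS", []))

def find_violations(policy_json, allowed_accounts=ALLOWED_ACCOUNTS):
    """Findings equivalent to the page's second and third scenarios."""
    findings = []
    for p in allow_assume_role_principals(policy_json):
        if "*" in p:
            findings.append(f"wildcard principal: {p}")
            continue
        # Compare the whole account ID, so 123456789 or 12345678901 cannot
        # satisfy a ".*1234567890*"-style prefix match.
        m = re.match(r"^arn:aws:iam::(\d+):", p)
        account = m.group(1) if m else p
        if account not in allowed_accounts:
            findings.append(f"account not allow-listed: {p}")
    return findings
```

Running `find_violations(SAMPLE_TRUST_POLICY)` reports the wildcard statement and the nine-digit account, while the allow-listed account produces no finding.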

terraform-compliance. Distributed under an MIT license.