I am new to Cloud Custodian and AWS and I am trying to extract all AWS IAM Policies that have a blanket allow for KMS decryption. The filter syntax and formatting just don't make sense to me. Any advice on how to construct the filters to find all these policies?
Here's a Cloud Custodian policy written in YAML that finds all AWS IAM policies with a blanket allow for KMS decryption:
policies:
  - name: extract-iam-policies-with-kms-decryption
    resource: iam-policy
    filters:
      - type: value
        key: PolicyDocument.Statement
        value_type: policy
        op: in
        value:
          - Effect: Allow
            Action: kms:Decrypt
            Resource: "*"
This policy uses the iam-policy resource type to target AWS IAM policies. It then applies a filter to check if the PolicyDocument.Statement contains a statement with an effect of "Allow", action "kms:Decrypt", and a resource value of "*". This matches the condition for a blanket allow for KMS decryption.

mandypea
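The answer above matches only the literal single-statement form (a string Action of exactly kms:Decrypt and a string Resource of exactly "*"). Real policy documents put Action and Resource in lists, grant the same thing through kms:* or *, use NotAction/NotResource, and sometimes narrow a Resource "*" grant with a Condition such as kms:ViaService. The following is an added example, not Cloud Custodian code and not from the answer's author: plain Python that takes an IAM policy document as a dict (the JSON returned by iam:GetPolicyVersion) and applies the matching rules a blanket-decrypt check actually needs. The sample policies, key ARN and account number are constructed for the example.

```python
"""Detect IAM policy statements that grant kms:Decrypt on every resource.

Added example (not Cloud Custodian code). Input is an IAM policy document as
a Python dict, i.e. the parsed JSON from iam:GetPolicyVersion. The sample
documents at the bottom are constructed, not real account data.
"""
import fnmatch

TARGET_ACTION = "kms:Decrypt"


def _as_list(value):
    """IAM lets Action/Resource/NotAction/NotResource be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action=TARGET_ACTION):
    """IAM action patterns are case-insensitive and allow * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _grants_action(stmt, action=TARGET_ACTION):
    """True if the statement's Action (or NotAction) covers `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction grants every action except the listed patterns.
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def _covers_all_resources(stmt):
    """True if the statement applies to every resource.

    Resource "*" (alone or inside a list) is the obvious case. NotResource
    reaches every key except the ones listed, so it is treated as blanket too.
    """
    if "Resource" in stmt:
        return any(r == "*" for r in _as_list(stmt["Resource"]))
    return "NotResource" in stmt


def blanket_kms_decrypt_statements(policy_document, ignore_conditions=False):
    """Return the Allow statements that grant kms:Decrypt on every resource.

    Statements with a Condition block are skipped unless ignore_conditions is
    True: a condition such as kms:ViaService usually narrows the grant, so it
    is not "blanket" in the sense the question asks about.
    """
    findings = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Condition") and not ignore_conditions:
            continue
        if _grants_action(stmt) and _covers_all_resources(stmt):
            findings.append(stmt)
    return findings


def find_blanket_kms_decrypt(policies, ignore_conditions=False):
    """policies: mapping of policy name -> document. Returns offending names, sorted."""
    return sorted(
        name
        for name, doc in policies.items()
        if blanket_kms_decrypt_statements(doc, ignore_conditions)
    )


# Constructed sample policies (not real account data).
SAMPLE_POLICIES = {
    "exact-match": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}],
    },
    "wildcard-action-in-list": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "kms:*"], "Resource": ["*"]}
        ],
    },
    "scoped-to-one-key": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
        }],
    },
    "conditioned-on-via-service": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
        }],
    },
    "deny-only": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"},
    },
}


if __name__ == "__main__":
    print(find_blanket_kms_decrypt(SAMPLE_POLICIES))
    print(find_blanket_kms_decrypt(SAMPLE_POLICIES, ignore_conditions=True))
```

Running it reports exact-match and wildcard-action-in-list; conditioned-on-via-service only shows up with ignore_conditions=True, and the key-scoped and Deny statements are never reported. Whichever Custodian filter you settle on, these are the cases it needs to get right, and a policy that only compares against the literal {Effect, Action, Resource} triple will miss the kms:* and list-valued forms.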