Updated on 2025-08-25 GMT+08:00

IAM Agencies Contain Specified Policies

Rule Details

Table 1 Rule details

Parameter          Description
Rule Name          iam-agencies-managed-policy-check
Identifier         iam-agencies-managed-policy-check
Description        If an IAM agency does not contain all of the specified policies and roles, the agency is non-compliant.
Tag                iam
Trigger Type       Configuration change
Filter Type        iam.agencies
Rule Parameters    • roleIdList: IDs of the roles the agency must contain (custom roles only; system-defined roles are not supported).
                   • policyIdList: IDs of the policies the agency must contain (custom policies only; system-defined policies are not supported).

Application Scenarios

When you grant permissions to a delegated account or cloud service through an agency, apply the principle of least privilege and grant only an approved set of roles and policies. This rule detects agencies that do not contain all of the required policies or roles, so that you can keep agency permissions aligned with that approved set instead of granting permissions ad hoc. Note that the rule only checks for the presence of the listed IDs; it does not report roles or policies attached to the agency beyond the list.

Solution

Attach the missing roles or policies to each non-compliant agency, then verify that the agency is re-evaluated as compliant. For more details, see Assigning Agency Permissions to an IAM User.

Rule Logic

  • If an IAM agency does not contain all the specified policies and roles, this agency is non-compliant.
  • If an IAM agency contains all the specified policies and roles, this agency is compliant.
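The following is an added example that models the rule logic above locally so you can pre-check agencies before rolling the rule out; it is not Huawei Cloud Config's own evaluation code. The Agency record shape, the agency names and the role and policy IDs are constructed placeholders, not the real Config resource schema or real IAM identifiers.

```python
"""Local model of the iam-agencies-managed-policy-check evaluation.

Added example, not Huawei Cloud Config's own code. The Agency shape and
all IDs below are constructed placeholders.
"""
from dataclasses import dataclass, field

COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"


@dataclass
class Agency:
    """Constructed stand-in for an IAM agency resource (assumed shape)."""
    name: str
    role_ids: set = field(default_factory=set)    # custom role IDs attached to the agency
    policy_ids: set = field(default_factory=set)  # custom policy IDs attached to the agency


def evaluate_agency(agency, role_id_list, policy_id_list):
    """Return (result, missing_roles, missing_policies) for one agency.

    Mirrors the rule logic on the page: the agency is compliant only if it
    contains every ID in roleIdList AND every ID in policyIdList. Roles or
    policies attached beyond those lists are not examined at all.
    """
    missing_roles = sorted(set(role_id_list) - agency.role_ids)
    missing_policies = sorted(set(policy_id_list) - agency.policy_ids)
    result = COMPLIANT if not missing_roles and not missing_policies else NON_COMPLIANT
    return result, missing_roles, missing_policies


def evaluate_agencies(agencies, role_id_list, policy_id_list):
    """Evaluate several agencies; returns {agency name: evaluate_agency(...)}."""
    return {a.name: evaluate_agency(a, role_id_list, policy_id_list) for a in agencies}


# Constructed sample: rule parameters (roleIdList / policyIdList) and three agencies.
REQUIRED_ROLES = ["role-custom-audit-reader"]
REQUIRED_POLICIES = ["policy-deny-iam-write", "policy-obs-readonly"]

SAMPLE_AGENCIES = [
    # Exactly the required set: compliant.
    Agency("ops-agency",
           {"role-custom-audit-reader"},
           {"policy-deny-iam-write", "policy-obs-readonly"}),
    # Required set plus extras: still compliant, the rule does not flag extras.
    Agency("ops-agency-plus",
           {"role-custom-audit-reader", "role-custom-extra"},
           {"policy-deny-iam-write", "policy-obs-readonly", "policy-ecs-admin"}),
    # Missing one role and one policy: non-compliant.
    Agency("legacy-agency", set(), {"policy-obs-readonly"}),
]


def sample_report():
    """Evaluate the constructed sample against the constructed parameters."""
    return evaluate_agencies(SAMPLE_AGENCIES, REQUIRED_ROLES, REQUIRED_POLICIES)


if __name__ == "__main__":
    for name, (result, roles, policies) in sample_report().items():
        print(f"{name}: {result}; missing roles={roles}; missing policies={policies}")
```

The second sample agency is the caveat worth remembering: because the rule only tests that the listed IDs are present, an agency carrying additional broad policies still evaluates as compliant. Use this rule to enforce a required baseline, and pair it with other controls if you also need to detect over-privileged agencies.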