Unintended Policy Check
Rule Details

| Parameter | Description |
|---|---|
| Rule Name | iam-policy-blacklisted-check |
| Identifier | iam-policy-blacklisted-check |
| Description | If a blacklisted policy is attached to an IAM user, user group, or agency, that user, user group, or agency is noncompliant. |
| Tag | iam |
| Trigger Type | Configuration change |
| Filter Type | iam.users, iam.groups, iam.agencies |
| Configure Rule Parameters | blackListPolicyUrns: URNs of the IAM policies to blacklist. Built-in policies are not supported. |
Applicable Scenario
This rule helps ensure that only the permissions you intend are granted to IAM users, user groups, and agencies: any principal with one of the listed policies attached is flagged. For more details, see Grant Least Privilege.
Solution
Detach the blacklisted policy from each noncompliant IAM user, user group, or agency, and re-grant only the permissions the principal actually needs.
Rule Logic
- If an IAM user, a user group, or an agency has an unintended policy attached, this user, user group, or agency is noncompliant.
- If an IAM user, a user group, or an agency does not have an unintended policy attached, this user, user group, or agency is compliant.
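The rule logic above, as an added example that is not part of this page or of the Config service itself. It applies the same decision to a constructed set of IAM resources: a principal is noncompliant exactly when the intersection of its attached policy URNs and the blackListPolicyUrns list is non-empty, resources outside the rule's filter types are skipped, and the matching URNs are reported so they can be detached. The resource representation, the URN strings, and the assumption that blackListPolicyUrns may be given either as a list or as a comma-separated string are assumptions for illustration, not the service's data model.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Union

# Resource types the rule evaluates (the rule's Filter Type).
FILTER_TYPES = {"iam.users", "iam.groups", "iam.agencies"}


@dataclass
class IamResource:
    """Minimal view of an IAM principal as a Config rule would see it (assumed shape)."""
    resource_type: str                      # e.g. "iam.users"
    name: str
    attached_policy_urns: List[str] = field(default_factory=list)


def parse_blacklist(blacklist_policy_urns: Union[str, Iterable[str]]) -> set:
    """Normalise the blackListPolicyUrns parameter into a set of URNs.

    Accepts a list of URNs or a comma-separated string (assumption); blank
    entries are dropped so a trailing comma does not blacklist the empty string.
    """
    if isinstance(blacklist_policy_urns, str):
        blacklist_policy_urns = blacklist_policy_urns.split(",")
    return {u.strip() for u in blacklist_policy_urns if u and u.strip()}


def evaluate(resource: IamResource, blacklist: set) -> dict:
    """Apply the rule logic to one resource.

    NonCompliant if any attached policy URN is blacklisted, Compliant otherwise,
    NotApplicable if the resource type is outside the rule's filter types.
    """
    if resource.resource_type not in FILTER_TYPES:
        return {"resource": f"{resource.resource_type}/{resource.name}",
                "compliance": "NotApplicable", "policies_to_detach": []}
    hits = sorted(set(resource.attached_policy_urns) & blacklist)
    return {
        "resource": f"{resource.resource_type}/{resource.name}",
        "compliance": "NonCompliant" if hits else "Compliant",
        # Remediation: these are the attachments to revoke.
        "policies_to_detach": hits,
    }


def evaluate_all(resources: Iterable[IamResource],
                 blacklist_policy_urns: Union[str, Iterable[str]]) -> List[dict]:
    """Evaluate every resource against the same parsed blacklist."""
    blacklist = parse_blacklist(blacklist_policy_urns)
    return [evaluate(r, blacklist) for r in resources]


# Constructed sample inventory; the URNs are placeholders, not real policy identifiers.
SAMPLE_RESOURCES = [
    IamResource("iam.users", "alice", ["urn:example:policy:db-read"]),
    IamResource("iam.groups", "ops",
                ["urn:example:policy:db-read", "urn:example:policy:wide-delete"]),
    IamResource("iam.agencies", "ecs-agency", []),
    IamResource("obs.buckets", "logs", ["urn:example:policy:wide-delete"]),
]
SAMPLE_BLACKLIST = "urn:example:policy:wide-delete, urn:example:policy:key-export,"


def sample_report() -> List[dict]:
    """Evaluate the constructed sample against the constructed blacklist."""
    return evaluate_all(SAMPLE_RESOURCES, SAMPLE_BLACKLIST)


if __name__ == "__main__":
    for finding in sample_report():
        print(finding)
```

Only the group `ops` is flagged, and the report names the single blacklisted attachment to detach rather than every policy on the group; the bucket is skipped because it is not one of the rule's filter types, even though it carries the same policy.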