package iam

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// CheckRequireSupportRole registers AVD-AWS-0169 (CIS AWS 1.4 control 1.17).
//
// The rule passes as soon as any IAM role in the scanned state carries a
// builtin (AWS managed) policy named "AWSSupportAccess"; the first such role is
// recorded as the passing resource. When no role qualifies, a single finding
// with unmanaged metadata is reported, since there is no concrete resource to
// attach it to.
//
// Note that only builtin policies are considered: a customer-managed policy
// granting equivalent support permissions is not recognised by this check and
// will still produce the "Missing IAM support role." finding.
var CheckRequireSupportRole = rules.Register(
	scan.Rule{
		AVDID:    "AVD-AWS-0169",
		Provider: providers.AWSProvider,
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"1.17"},
		},
		Service:    "iam",
		ShortCode:  "require-support-role",
		Summary:    "Missing IAM Role to allow authorized users to manage incidents with AWS Support.",
		Impact:     "Incident management is not possible without a support role.",
		Resolution: "Create an IAM role with the necessary permissions to manage incidents with AWS Support.",
		Explanation: `
By implementing least privilege for access control, an IAM Role will require an appropriate
IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.
`,
		Links: []string{
			"https://console.aws.amazon.com/iam/",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for i := range s.AWS.IAM.Roles {
			// Work on a copy so the pointer handed to AddPassed does not
			// alias the state's backing slice.
			role := s.AWS.IAM.Roles[i]

			granted := false
			for _, p := range role.Policies {
				// Only AWS managed policies count; the name check is skipped
				// entirely for customer-managed ones.
				if !p.Builtin.IsTrue() {
					continue
				}
				if p.Name.EqualTo("AWSSupportAccess") {
					granted = true
					break
				}
			}

			if granted {
				// One qualifying role satisfies the control for the account.
				results.AddPassed(&role)
				return results
			}
		}

		// No role found: there is no resource to anchor the finding on.
		results.Add("Missing IAM support role.", defsecTypes.NewUnmanagedMetadata())
		return results
	},
)