awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

Adding a Config Rule to test for sensitive permissions on IAM Roles #368

Open belialboy opened 3 years ago

belialboy commented 3 years ago

I confirm these files are made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)

Issue #, if available:

Description of changes: Adding a Config Rule that requires configuration with the IAM Actions that the customer perceives as being sensitive. This is set with the `actions` rule parameter, and should be a comma-separated list of IAM Actions. The rule evaluates IAM Roles in the account and highlights those that have those permissions as being `NON_COMPLIANT`. Customers may add a `permittedRoleNames` list of allowed IAM Roles that can have those permissions, which will not be tagged as `NON_COMPLIANT`. Customers may also use `resourceArns` to indicate specific AWS resources that should be protected from actions in the account.
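To make the evaluation behind those three parameters concrete, here is an added, self-contained illustration of the matching logic such a rule needs. It is example code written for this page, not the code submitted in the PR, and it goes a little beyond the description: besides exact action names it honours IAM's own semantics, where action matching is case-insensitive with `*`/`?` wildcards, `NotAction` grants everything not listed, and an explicit `Deny` overrides an `Allow`, because a rule that only string-compares `Action` lists would miss an `Allow "*"` or a `NotAction` grant and would flag a role whose sensitive action is explicitly denied. The function names, the interpretation of `resourceArns` as "statements whose `Resource` covers these ARNs", and the sample roles and policy documents are all assumptions constructed for the example; in a real rule the policy documents would come from the IAM configuration item or the IAM API.

```python
"""Evaluation logic for a "sensitive IAM permissions" Config rule.

Added example for this page, not the code from PR #368. Assumes the three
parameters the PR describes (actions, permittedRoleNames, resourceArns) and
IAM matching semantics: actions are case-insensitive with '*' / '?' wildcards,
NotAction grants everything not listed, explicit Deny beats Allow.
Roles and policy documents below are constructed sample data.
"""
import fnmatch


def parse_list_param(value):
    """Split a comma-separated rule parameter into a clean list of values."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(value, pattern, fold_case):
    """IAM wildcard match; action names compare case-insensitively, ARNs do not."""
    if fold_case:
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _covers(stmt, action, arn, blanket_only):
    """Does this statement cover `action` on `arn`?

    arn=None means "any resource". For Deny checks (blanket_only=True) only a
    Deny on every resource ("*") can cancel an unscoped grant.
    """
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions:
        act_ok = any(_glob(action, p, True) for p in actions)
    elif not_actions:
        act_ok = not any(_glob(action, p, True) for p in not_actions)
    else:
        act_ok = False

    resources, not_resources = _as_list(stmt.get("Resource")), _as_list(stmt.get("NotResource"))
    if arn is None:
        res_ok = "*" in resources if blanket_only else bool(resources or not_resources)
    elif resources:
        res_ok = any(_glob(arn, p, False) for p in resources)
    elif not_resources:
        res_ok = not any(_glob(arn, p, False) for p in not_resources)
    else:
        res_ok = False
    return act_ok and res_ok


def sensitive_grants(policy_documents, sensitive_actions, protected_arns):
    """(action, arn) pairs the role can effectively use across all of its policies."""
    statements = [s for doc in policy_documents for s in _as_list(doc.get("Statement"))]
    grants = []
    for action in sensitive_actions:
        for arn in (protected_arns or [None]):
            allowed = any(s.get("Effect") == "Allow" and _covers(s, action, arn, False) for s in statements)
            denied = any(s.get("Effect") == "Deny" and _covers(s, action, arn, True) for s in statements)
            if allowed and not denied:
                grants.append((action, arn))
    return grants


def evaluate_role(role_name, policy_documents, actions_param, permitted_param="", resource_arns_param=""):
    """Return (compliance_type, annotation) for one role, as a Config evaluation would."""
    if role_name in parse_list_param(permitted_param):
        return "COMPLIANT", "Role is listed in permittedRoleNames"
    grants = sensitive_grants(policy_documents, parse_list_param(actions_param),
                              parse_list_param(resource_arns_param))
    if not grants:
        return "COMPLIANT", "No sensitive action is granted"
    detail = ", ".join(f"{a} on {arn or 'any resource'}" for a, arn in grants)
    return "NON_COMPLIANT", f"Role can perform: {detail}"


def evaluate_account(roles, actions_param, permitted_param="", resource_arns_param=""):
    """Evaluate every role; `roles` maps role name -> list of attached/inline policy documents."""
    return {name: evaluate_role(name, docs, actions_param, permitted_param, resource_arns_param)
            for name, docs in roles.items()}


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Constructed sample roles (hypothetical names, AWS documentation example account id).
SAMPLE_ROLES = {
    "DeployRole": [_doc({"Effect": "Allow", "Action": ["iam:PassRole", "s3:Get*"], "Resource": "*"})],
    "ReadOnlyRole": [_doc({"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::public-assets/*"})],
    "AdminRole": [_doc({"Effect": "Allow", "Action": "*", "Resource": "*"})],
    "DeniedRole": [_doc({"Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"},
                        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"})],
    "ScopedRole": [_doc({"Effect": "Allow", "Action": "kms:Decrypt",
                         "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"})],
}

if __name__ == "__main__":
    for name, (status, note) in evaluate_account(SAMPLE_ROLES, "iam:PassRole,kms:Decrypt", "AdminRole").items():
        print(f"{name:13} {status:14} {note}")
```

Run as-is it reports `DeployRole`, `DeniedRole` (for `kms:Decrypt` only, since its `iam:*` Deny cancels the `NotAction` grant of `iam:PassRole`) and `ScopedRole` as `NON_COMPLIANT`, and `AdminRole` as `COMPLIANT` only because it is in `permittedRoleNames`. Passing a `resourceArns` value outside the scoped KMS key pattern turns `ScopedRole` compliant, which is the behaviour the `resourceArns` parameter is meant to give. Two caveats a real rule still has to handle: permission boundaries and SCPs are not modelled here, and the `permittedRoleNames` check is an exact-name allow list, so a renamed or newly created role with the same policies is still flagged.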