turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0

cis_v140_1_16 conflict with foundational_security_iam_1 #277

Closed ecktom closed 3 years ago

ecktom commented 3 years ago

cis_v140_1_16 and foundational_security_iam_1 are both using https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/query/iam/iam_policy_no_star_star.sql.

While the AWS Foundational Security Best Practices controls indeed are focusing on customer managed policies only ("The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies."), the CIS benchmark considers all attached policies.

Audit for CIS 1.16 based on v1.4.0 - 05-28-2021

aws iam list-policies --only-attached --output text
aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>

In output ensure policy should not have any Statement block with "Effect": "Allow" and Action set to "*" and Resource set to "*"

So based on the CIS audit this rule should raise an alert if e.g. arn:aws:iam::aws:policy/AdministratorAccess is attached.
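The scoping difference described in this report, as an added example that is not part of the issue or of the mod's own iam_policy_no_star_star.sql query: a small Python check that applies the quoted CIS audit test (an Allow statement with Action "*" and Resource "*") to constructed sample policies, once scoped the CIS 1.16 way (every attached policy) and once the IAM.1 way (customer managed only). The policy records, ARNs and the `aws_managed`/`attached` flags are constructed assumptions standing in for whatever metadata the real query source provides; inline policies are left out because the quoted CIS audit commands only list managed policies.

```python
import json

# Constructed sample managed policies (not real account data). The flags mirror
# what the CLI/Steampipe expose: whether the policy is AWS managed and whether it
# is attached to any user, group or role. Documents may be dicts or JSON text.
SAMPLE_POLICIES = [
    {"arn": "arn:aws:iam::aws:policy/AdministratorAccess", "aws_managed": True,
     "attached": True, "document": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
    {"arn": "arn:aws:iam::123456789012:policy/UnattachedAdmin", "aws_managed": False,
     "attached": False, "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}},
    {"arn": "arn:aws:iam::123456789012:policy/S3ReadOnly", "aws_managed": False,
     "attached": True, "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}},
    {"arn": "arn:aws:iam::123456789012:policy/DenyAll", "aws_managed": False,
     "attached": True, "document": {"Version": "2012-10-17", "Statement":
         {"Effect": "Deny", "Action": "*", "Resource": "*"}}},
]


def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_star_star(document):
    """True if any Allow statement grants Action "*" on Resource "*" (the audit test)."""
    if isinstance(document, str):
        document = json.loads(document)
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny on */* is not a finding
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def cis_1_16_findings(policies):
    """CIS 1.4.0 control 1.16 scope: every attached policy, AWS or customer managed."""
    return sorted(p["arn"] for p in policies
                  if p["attached"] and has_star_star(p["document"]))


def fsbp_iam_1_findings(policies):
    """FSBP IAM.1 scope as quoted: customer managed policies only, attached or not."""
    return sorted(p["arn"] for p in policies
                  if not p["aws_managed"] and has_star_star(p["document"]))
```

On the sample set the two scopes flag different policies (the attached AWS managed AdministratorAccess for CIS, the unattached customer policy for IAM.1), which is why one shared query cannot serve both controls.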

e-gineer commented 3 years ago

Hey @ecktom ... Just wanted to say how much we appreciate these detailed notes and reports!

Please keep them (+ any PRs) coming and we'll be working through them :-)

rajlearner17 commented 3 years ago

@ecktom we should be checking only IAM inline policies (also known as customer managed policies) for foundational_security_iam_1, and since the CIS benchmark considers all attached policies, we will separate the queries.

We are updating the aws_iam_policy table to address this and further query performance. Here

Further observation, CIS recommends checking the policy attachment, which is missed out in the query

We will now separate the query for

Let us know

ecktom commented 3 years ago

Hi @rajlearner17, thanks for jumping in. Separating those queries sounds reasonable. You're also right, the "attached" part is currently missing in the query, good catch!