turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0

Add an other check for unused IAM Roles in 60 days #662

Closed bob-bot closed 1 year ago

bob-bot commented 1 year ago

Adding a control in the "Other Checks" to verify if any IAM Roles have not been used in the last 60 days (or never been used) helps uncover any unused accounts and roles that may increase the attack surface area.

judell commented 1 year ago

@bob-bot, @misraved I tried this just now:

steampipe check aws_compliance.control.iam_role_unused_60

result: ERROR: control result is missing required column: [resource]

misraved commented 1 year ago

@judell I can confirm that I am seeing the same issue.

@madhushreeray30 could you please take a look at this and add your observations to this thread?

madhushreeray30 commented 1 year ago

@judell @misraved The query iam_role_unused_60 is missing the required common dimensions and resource. I have raised a PR for the fix.

misraved commented 1 year ago

@judell the issue has been fixed in https://github.com/turbot/steampipe-mod-aws-compliance/pull/672

Thanks for reporting it 👍.
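
An added example, not the mod's own query and not the code from the linked PR: a control query of the shape this thread discusses, returning the `resource`, `status` and `reason` columns a control result needs, plus one dimension column. It assumes the Steampipe AWS plugin's `aws_iam_role` table with the columns `arn`, `name`, `role_last_used_date` and `account_id`.

```sql
-- Added example: flag IAM roles not used in the last 60 days, or never used.
-- Assumes the Steampipe AWS plugin table aws_iam_role.
select
  -- 'resource' is the required column named in the error above.
  arn as resource,
  case
    -- A null last-used date means the role has no recorded use.
    when role_last_used_date is null then 'alarm'
    when role_last_used_date <= (current_date - interval '60' day) then 'alarm'
    else 'ok'
  end as status,
  case
    when role_last_used_date is null
      then name || ' has never been used.'
    else
      name || ' was last used '
        || extract(day from current_timestamp - role_last_used_date)::text
        || ' day(s) ago.'
  end as reason,
  -- Dimension column so results can be grouped per account.
  account_id
from
  aws_iam_role;
```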