Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
aws-actions

GitHub Action

Policy checks to validate AWS IAM policies in CloudFormation templates" Action For GitHub Actions

v1.0.0

Policy checks to validate AWS IAM policies in CloudFormation templates" Action For GitHub Actions

aws-actions

Policy checks to validate AWS IAM policies in CloudFormation templates" Action For GitHub Actions

Validate IAM Policies in CFN templates using ValidatePolicy, CheckAccessNotGranted & CheckNoNewAccess API in Access Analyzer

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Policy checks to validate AWS IAM policies in CloudFormation templates" Action For GitHub Actions

uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.0

Learn more about this action in aws-actions/cloudformation-aws-iam-policy-validator

Choose a version

Policy Validator for AWS IAM Policies in CloudFormation Templates

A GitHub Action that takes an AWS CloudFormation template, parses the IAM policies attached to IAM roles, users, groups, and resources then runs them through IAM Access Analyzer policy validation and (optionally) custom policy checks. Note that a charge is associated with each custom policy check. For more details about pricing, see IAM Access Analyzer pricing.

Inputs

See action.yml for the full documentation for this action's inputs and outputs.

Inputs Description Options Required Applies To which policy-check-type
VALIDATE_POLICY CHECK_NO_NEW_ACCESS CHECK_ACCESS_NOT_GRANTED
policy-check-type Name of the policy check.
Note: Each value corresponds to an IAM Access Analyzer API.
- ValidatePolicy
- CheckNoNewAccess
- CheckAccessNotGranted
VALIDATE_POLICY, CHECK_NO_NEW_ACCESS, CHECK_ACCESS_NOT_GRANTED. Yes
template-path The path to the CloudFormation template. FILE_PATH.json Yes
region The destination region the resources will be deployed to. REGION Yes
parameters Keys and values for CloudFormation template parameters. Only parameters that are referenced by IAM policies in the template are required. KEY=VALUE [KEY=VALUE ...] No
template-configuration-file A JSON formatted file that specifies template parameter values, a stack policy, and tags. Only parameters are used from this file. Everything else is ignored. Identical values passed in the --parameters flag override parameters in this file. See CloudFormation documentation for file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html. FILE_PATH.json No
ignore-finding Allow validation failures to be ignored. Specify as a comma separated list of findings to be ignored. Can be individual finding codes (e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"), a specific resource name (e.g. "MyResource"), or a combination of both separated by a period.(e.g. "MyResource.PASS_ROLE_WITH_STAR_IN_RESOURCE"). Names of finding codes may change in IAM Access Analyzer over time. FINDING_CODE,RESOURCE_NAME,RESOURCE_NAME.FINDING_CODE No
treat-findings-as-non-blocking By default, the tool will exit with a non-zero exit code when it detects any findings. Set this flag to exit with an exit code of 0 when it detects findings. You can use this to run new checks in a shadow or log only mode before enforcing them.

This attribute is considered only when policy-check-type is "CHECK_NO_NEW_ACCESS" or "CHECK_ACCESS_NOT_GRANTED".
No
actions List of comma-separated actions. Example format - ACTION,ACTION,ACTION.

This attribute is only considered and required when policy-check-type is "CHECK_ACCESS_NOT_GRANTED".
ACTION,ACTION,ACTION No
reference-policy A JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison.

This attribute is only considered and required when policy-check-type is "CHECK_NO_NEW_ACCESS".
No
reference-policy-type The policy type associated with the IAM policy under analysis and the reference policy. Valid values: IDENTITY, RESOURCE.

This attribute is only considered and required when policy-check-type is "CHECK_NO_NEW_ACCESS"
No
treat-finding-type-as-blocking Specify which finding types should be treated as blocking. Other finding types are treated as non blocking. If the tool detects any blocking finding types, it will exit with a non-zero exit code. If all findings are non blocking or there are no findings, the tool exits with an exit code of 0. Defaults to "ERROR" and "SECURITY_WARNING". Specify as a comma separated list of finding types that should be blocking. Pass "NONE" to ignore all findings.

This attribute is only considered when policy-check-type is "VALIDATE_POLICY".
ERROR,SECURITY_WARNING,WARNING,SUGGESTION,NONE No
allow-external-principals A comma separated list of external principals that should be ignored. Specify as a comma separated list of a 12 digit AWS account ID, a federated web identity user, a federated SAML user, or an ARN. Specify "*" to allow anonymous access. (e.g. 123456789123,arn:aws:iam::111111111111:role/MyOtherRole,graph.facebook.com). ACCOUNT,ARN No
allow-dynamic-ref-without-version Override the default behavior and allow dynamic SSM references without version numbers. The version number ensures that the SSM parameter value that was validated is the one that is deployed. No
exclude-resource-types List of comma-separated resource types. Resource types should be the same as Cloudformation template resource names such as AWS::IAM::Role, AWS::S3::Bucket. Valid option syntax: AWS::SERVICE::RESOURCE. AWS::SERVICE::RESOURCE, AWS::SERVICE::RESOURCE No

Example Usage

Before each of the following examples, make sure to include the following:

  • Setting up the role: Role used in the GitHub workflow should have necessary permissions required
    • to be called from the GitHub workflows - setup OpenID Connect(OIDC) provider and IAM role & Trust policy as described in step 1 & 2 in this blog
    • to call the AWS APIs for the policy checks - ValidatePolicy, CheckNoNewAccess, CheckAccessNotGranted. Refer this page for more details
    - name: Checkout Repo
        uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.POLICY_VALIDATOR_ROLE }} # Role with permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted
          aws-region: aws-example-region

Using VALIDATE_POLICY CHECK

      - name: Run VALIDATE_POLICY Check 
        id: run-validate-policy
        uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.0
        with:
          policy-check-type: 'VALIDATE_POLICY'
          template-path: file-path-to-the-cfn-templates
          region: aws-example-region

Using for the CHECK_NO_NEW_ACCESS CHECK

      - name: Run CHECK_NO_NEW_ACCESS check 
        id: run-check-no-new-access
        uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.0
        with:
          policy-check-type: 'CHECK_NO_NEW_ACCESS'
          template-path: file-path-to-the-cfn-templates
          reference-policy: file-path-to-the-reference-policy
          reference-policy-type: policy-type-of-reference-policy
          region: aws-example-region

Using for the CHECK_ACCESS_NOT_GRANTED CHECK

      - name: Run CHECK_ACCESS_NOT_GRANTED check 
        id: run-check-no-new-access
        uses: aws-actions/cloudformation-aws-iam-policy-validator@v1.0.0
        with:
          policy-check-type: 'CHECK_ACCESS_NOT_GRANTED'
          template-path: file-path-to-the-cfn-templates
          actions: "action1, action2.."
          region: aws-example-region

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.