Try SpotterPerforms validation of IAM policies
| "added in version" 5.0.0 of community.aws"
Authors: Mark Chappell (@tremble)
Install with ansible-galaxy collection install community.aws:==5.1.0
collections:
- name: community.aws
version: 5.1.0Requests the validation of a policy and returns a list of findings.
# Validate a policy
- name: Validate a simple IAM policy
community.aws.accessanalyzer_validate_policy_info:
policy: "{{ lookup('template', 'managed_policy.json.j2') }}"
locale:
default: EN
description:
- The locale to use for localizing the findings.
- Supported locales include C(DE), C(EN), C(ES), C(FR), C(IT), C(JA), C(KO), C(PT_BR),
C(ZH_CN) and C(ZH_TW).
- For more information about supported locales see the AWS Documentation C(https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)
required: false
type: str
policy:
aliases:
- policy_document
description:
- A properly json formatted policy.
required: true
type: json
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
policy_type:
choices:
- identity
- resource
- service_control
default: identity
description:
- The type of policy to validate.
- C(identity) policies grant permissions to IAM principals, including both managed
and inline policies for IAM roles, users, and groups.
- C(resource) policies policies grant permissions on AWS resources, including trust
policies for IAM roles and bucket policies for S3 buckets.
required: false
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
resource_type:
description:
- The type of resource to attach to your resource policy.
- Ignored unless I(policy_type=resource).
- Supported resource types include C(AWS::S3::Bucket), C(AWS::S3::AccessPoint), C(AWS::S3::MultiRegionAccessPoint)
and C(AWS::S3ObjectLambda::AccessPoint)
- For resource types not supported as valid values, IAM Access Analyzer runs policy
checks that apply to all resource policies.
- For more information about supported locales see the AWS Documentation C(https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)
required: false
type: str
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
results_filter:
choices:
- error
- security
- suggestion
- warning
description:
- Filter the findings and limit them to specific finding types.
elements: str
required: false
type: list
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
findings:
contains:
finding_details:
description:
- A localized message describing the finding.
returned: success
sample: Resource ARN does not match the expected ARN format. Update the resource
portion of the ARN.
type: str
finding_type:
description:
- The severity of the finding.
returned: success
sample: ERROR
type: str
issue_code:
description:
- An identifier for the type of issue found.
returned: success
sample: INVALID_ARN_RESOURCE
type: str
learn_more_link:
description:
- A link to additional information about the finding type.
returned: success
sample: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html
type: str
locations:
contains:
path:
description: A path in a policy, represented as a sequence of path elements.
elements: dict
returned: success
sample:
- value: Statement
- index: 0
- value: Resource
- index: 0
type: list
span:
contains:
end:
contains:
column:
description: The column of the position, starting from C(0).
returned: success
type: int
line:
description: The line of the position, starting from C(1).
returned: success
type: int
offset:
description: The offset within the policy that corresponds to the
position, starting from C(0).
returned: success
type: int
description: The end position of the span.
returned: success
type: dict
start:
contains:
column:
description: The column of the position, starting from C(0).
returned: success
type: int
line:
description: The line of the position, starting from C(1).
returned: success
type: int
offset:
description: The offset within the policy that corresponds to the
position, starting from C(0).
returned: success
type: int
description: The start position of the span.
returned: success
type: dict
description:
- Where in the policy the finding refers to.
- Note - when using lookups or passing dictionaries to I(policy) the policy
string may be converted to a single line of JSON, changing th column,
line and offset values.
type: dict
description:
- The location of the item resulting in the recommendations.
elements: dict
returned: success
type: list
description: The list of findings in a policy returned by IAM Access Analyzer based
on its suite of policy checks.
elements: dict
returned: success
type: list