# "Policy checks to validate AWS IAM policies in CloudFormation templates" Action For GitHub Actions
A GitHub Action that takes an AWS CloudFormation template, parses the IAM policies attached to IAM roles, users, groups, and resources, and then runs them through IAM Access Analyzer policy validation and (optionally) custom policy checks. Note that a charge is associated with each custom policy check. For more details about pricing, see IAM Access Analyzer pricing.
See action.yml for the full documentation for this action's inputs and outputs.
The last four columns show which `policy-check-type` each input applies to.

| Input | Description | Options | Required | VALIDATE_POLICY | CHECK_NO_NEW_ACCESS | CHECK_ACCESS_NOT_GRANTED | CHECK_NO_PUBLIC_ACCESS |
|---|---|---|---|---|---|---|---|
| policy-check-type | Name of the policy check. Note: each value corresponds to an IAM Access Analyzer API: ValidatePolicy, CheckNoNewAccess, CheckAccessNotGranted, CheckNoPublicAccess. | VALIDATE_POLICY, CHECK_NO_NEW_ACCESS, CHECK_ACCESS_NOT_GRANTED, CHECK_NO_PUBLIC_ACCESS | Yes | ✅ | ✅ | ✅ | ✅ |
| template-path | The path to the CloudFormation template. | FILE_PATH.json | Yes | ✅ | ✅ | ✅ | ✅ |
| region | The destination region the resources will be deployed to. | REGION | Yes | ✅ | ✅ | ✅ | ✅ |
| parameters | Keys and values for CloudFormation template parameters. Only parameters that are referenced by IAM policies in the template are required. | KEY=VALUE [KEY=VALUE ...] | No | ✅ | ✅ | ✅ | ✅ |
| template-configuration-file | A JSON formatted file that specifies template parameter values, a stack policy, and tags. Only parameters are used from this file; everything else is ignored. Identical values passed in the `parameters` input override parameters in this file. See the CloudFormation documentation for the file format: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html | FILE_PATH.json | No | ✅ | ✅ | ✅ | ✅ |
| ignore-finding | Allow validation failures to be ignored. Specify as a comma separated list of findings to be ignored. Entries can be individual finding codes (e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"), a specific resource name (e.g. "MyResource"), or a combination of both separated by a period (e.g. "MyResource.PASS_ROLE_WITH_STAR_IN_RESOURCE"). Names of finding codes may change in IAM Access Analyzer over time. | FINDING_CODE,RESOURCE_NAME,RESOURCE_NAME.FINDING_CODE | No | ✅ | ✅ | ✅ | ✅ |
| treat-findings-as-non-blocking | By default, the tool exits with a non-zero exit code when it detects any findings. Set this flag to exit with an exit code of 0 when it detects findings. You can use this to run new checks in a shadow or log-only mode before enforcing them. This attribute is considered only when policy-check-type is "CHECK_NO_NEW_ACCESS", "CHECK_ACCESS_NOT_GRANTED", or "CHECK_NO_PUBLIC_ACCESS". | | No | ❌ | ✅ | ✅ | ✅ |
| actions | List of comma-separated actions. Example format: ACTION,ACTION,ACTION. This attribute is only considered when policy-check-type is "CHECK_ACCESS_NOT_GRANTED". At least one of "actions" or "resources" must be provided. | ACTION,ACTION,ACTION | No | ❌ | ❌ | ✅ | ❌ |
| resources | List of comma-separated resource ARNs. Example format: RESOURCE,RESOURCE,RESOURCE. This attribute is only considered when policy-check-type is "CHECK_ACCESS_NOT_GRANTED". At least one of "actions" or "resources" must be provided. | RESOURCE,RESOURCE,RESOURCE | No | ❌ | ❌ | ✅ | ❌ |
| reference-policy | A JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. This attribute is only considered, and is required, when policy-check-type is "CHECK_NO_NEW_ACCESS". | FILE_PATH.json | No | ❌ | ✅ | ❌ | ❌ |
| reference-policy-type | The policy type associated with the IAM policy under analysis and the reference policy. Valid values: IDENTITY, RESOURCE. This attribute is only considered, and is required, when policy-check-type is "CHECK_NO_NEW_ACCESS". | REFERENCE_POLICY_TYPE | No | ❌ | ✅ | ❌ | ❌ |
| treat-finding-type-as-blocking | Specify which finding types should be treated as blocking; other finding types are treated as non-blocking. If the tool detects any blocking finding types, it exits with a non-zero exit code. If all findings are non-blocking or there are no findings, the tool exits with an exit code of 0. Defaults to "ERROR" and "SECURITY_WARNING". Specify as a comma separated list of finding types that should be blocking. Pass "NONE" to ignore all findings. This attribute is only considered when policy-check-type is "VALIDATE_POLICY". | ERROR,SECURITY_WARNING,WARNING,SUGGESTION,NONE | No | ✅ | ❌ | ❌ | ❌ |
| allow-external-principals | A comma separated list of external principals that should be ignored. Each entry is a 12-digit AWS account ID, a federated web identity user, a federated SAML user, or an ARN. Specify "*" to allow anonymous access (e.g. 123456789123,arn:aws:iam::111111111111:role/MyOtherRole,graph.facebook.com). | ACCOUNT,ARN | No | ✅ | ❌ | ❌ | ❌ |
| allow-dynamic-ref-without-version | Override the default behavior and allow dynamic SSM references without version numbers. The version number ensures that the SSM parameter value that was validated is the one that is deployed. | | No | ✅ | ✅ | ✅ | ✅ |
| exclude-resource-types | List of comma-separated resource types. Resource types should be the same as CloudFormation template resource type names such as AWS::IAM::Role or AWS::S3::Bucket. Valid option syntax: AWS::SERVICE::RESOURCE. | AWS::SERVICE::RESOURCE, AWS::SERVICE::RESOURCE | No | ✅ | ✅ | ✅ | ✅ |
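The `ignore-finding`, `treat-finding-type-as-blocking` and `treat-findings-as-non-blocking` inputs interact in ways that are easy to get wrong when you start enforcing a check. The following is an added example, not the action's own code: a hypothetical re-implementation of the triage rules exactly as the table above documents them (ignore entries matched as a bare finding code, a bare resource name, or `RESOURCE_NAME.FINDING_CODE`; blocking types honoured only for `VALIDATE_POLICY`; shadow mode only for the custom checks), run over a constructed set of findings. The `Finding` class, the `SAMPLE_FINDINGS` list and the `SAMPLE_*` finding codes are constructed for illustration; only `PASS_ROLE_WITH_STAR_IN_RESOURCE` is a finding code named on this page.

```python
"""Hypothetical triage logic for policy-validator findings (added example,
not the action's own implementation)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    resource_name: str  # CloudFormation logical resource name, e.g. "MyRole"
    code: str           # finding code, e.g. "PASS_ROLE_WITH_STAR_IN_RESOURCE"
    finding_type: str   # ERROR, SECURITY_WARNING, WARNING or SUGGESTION


# Constructed sample findings; SAMPLE_* codes are placeholders, not real codes.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("MyRole", "PASS_ROLE_WITH_STAR_IN_RESOURCE", "SECURITY_WARNING"),
    Finding("MyRole", "SAMPLE_SUGGESTION", "SUGGESTION"),
    Finding("OtherRole", "PASS_ROLE_WITH_STAR_IN_RESOURCE", "SECURITY_WARNING"),
    Finding("OtherRole", "SAMPLE_ERROR", "ERROR"),
]


def parse_csv(value: str) -> List[str]:
    """Split a comma separated input value, dropping blanks and whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]


def is_ignored(finding: Finding, ignore_entries: List[str]) -> bool:
    """Apply the ignore-finding syntax: FINDING_CODE, RESOURCE_NAME,
    or RESOURCE_NAME.FINDING_CODE. Logical IDs contain no dots, so a dot
    unambiguously separates resource name from finding code."""
    for entry in ignore_entries:
        if "." in entry:
            resource, code = entry.split(".", 1)
            if finding.resource_name == resource and finding.code == code:
                return True
        elif entry == finding.code or entry == finding.resource_name:
            return True
    return False


def triage(
    findings: List[Finding],
    policy_check_type: str = "VALIDATE_POLICY",
    ignore_finding: str = "",
    treat_finding_type_as_blocking: str = "ERROR,SECURITY_WARNING",
    treat_findings_as_non_blocking: bool = False,
) -> Tuple[List[Finding], List[Finding], int]:
    """Return (findings kept after ignores, blocking findings, exit code)."""
    kept = [f for f in findings if not is_ignored(f, parse_csv(ignore_finding))]

    if policy_check_type == "VALIDATE_POLICY":
        # Only the listed finding types block; NONE disables blocking entirely.
        blocking_types = set(parse_csv(treat_finding_type_as_blocking.upper()))
        if "NONE" in blocking_types:
            blocking: List[Finding] = []
        else:
            blocking = [f for f in kept if f.finding_type in blocking_types]
    else:
        # Custom checks: any remaining finding blocks, unless running in
        # shadow (log-only) mode via treat-findings-as-non-blocking.
        blocking = [] if treat_findings_as_non_blocking else list(kept)

    return kept, blocking, (1 if blocking else 0)


if __name__ == "__main__":
    for label, kwargs in [
        ("default VALIDATE_POLICY", {}),
        ("ignore one resource+code", {"ignore_finding": "MyRole.PASS_ROLE_WITH_STAR_IN_RESOURCE"}),
        ("ignore a whole resource", {"ignore_finding": "OtherRole"}),
        ("NONE blocking", {"treat_finding_type_as_blocking": "NONE"}),
        ("custom check, shadow mode", {"policy_check_type": "CHECK_NO_NEW_ACCESS",
                                       "treat_findings_as_non_blocking": True}),
    ]:
        kept, blocking, code = triage(SAMPLE_FINDINGS, **kwargs)
        print(f"{label}: kept={len(kept)} blocking={len(blocking)} exit={code}")
```

Note that an ignore entry removes the finding before the blocking decision is made, so a `RESOURCE_NAME.FINDING_CODE` entry is the narrowest way to silence a known-accepted finding without hiding the same code on other resources; a bare resource name, by contrast, suppresses every current and future finding on that resource.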
Before each of the following examples, make sure to include the following:

- Setting up the role: the role used in the GitHub workflow should have the permissions required
  - to be called from GitHub workflows: set up the OpenID Connect (OIDC) provider and the IAM role and trust policy as described in steps 1 and 2 of this blog
  - to call the AWS APIs for the policy checks: ValidatePolicy, CheckNoNewAccess, CheckAccessNotGranted, CheckNoPublicAccess. Refer to this page for more details
```yaml
- name: Checkout Repo
  uses: actions/checkout@v4
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    # Role with permissions to invoke access-analyzer:ValidatePolicy, access-analyzer:CheckNoNewAccess,
    # access-analyzer:CheckAccessNotGranted and access-analyzer:CheckNoPublicAccess
    role-to-assume: ${{ secrets.POLICY_VALIDATOR_ROLE }}
    aws-region: aws-example-region
```
To get started quickly, add a starter workflow to the `.github/workflows` directory of your repository. To do that, follow these steps:

- Navigate to the Actions tab of the GitHub repository
- Click on the New Workflow button
- Search for "Policy Validator for CloudFormation" in the search bar
- Click on the Configure button
- Pass the appropriate inputs to the workflow and modify it accordingly
- Click on Commit changes to commit your changes
- Start using the GitHub Action!

Please find the starter workflow here.
```yaml
- name: Run VALIDATE_POLICY Check
  id: run-validate-policy
  uses: aws-actions/[email protected]
  with:
    policy-check-type: 'VALIDATE_POLICY'
    template-path: file-path-to-the-cfn-templates
    region: aws-example-region
```

```yaml
- name: Run CHECK_NO_NEW_ACCESS check
  id: run-check-no-new-access
  uses: aws-actions/[email protected]
  with:
    policy-check-type: 'CHECK_NO_NEW_ACCESS'
    template-path: file-path-to-the-cfn-templates
    reference-policy: file-path-to-the-reference-policy
    reference-policy-type: policy-type-of-reference-policy
    region: aws-example-region
```

```yaml
- name: Run CHECK_ACCESS_NOT_GRANTED check
  id: run-check-access-not-granted
  uses: aws-actions/[email protected]
  with:
    policy-check-type: 'CHECK_ACCESS_NOT_GRANTED'
    template-path: file-path-to-the-cfn-templates
    actions: "action1, action2.."
    resources: "resource1, resource2.."
    region: aws-example-region
```

```yaml
- name: Run CHECK_NO_PUBLIC_ACCESS check
  id: run-check-no-public-access
  uses: aws-actions/[email protected]
  with:
    policy-check-type: 'CHECK_NO_PUBLIC_ACCESS'
    template-path: file-path-to-the-cfn-templates
    region: aws-example-region
```
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.