[Bug]: Check failing due to IAM Roles created by AWS Control Tower and AFT with AdministratorAccess policy
jfagoagas opened this issue · comments
Discussed in #3809
Originally posted by @dmkim22-lguplus April 18, 2024
Hello,
IAM Roles created by AWS Control Tower and AFT (Account Factory for Terraform) have the AdministratorAccess policy attached, and it seems "Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached" is failing due to this.
Should the following IAM Roles in an account be excluded from this check?
- aws-controltower-AdministratorExecutionRole
- AWSAFTExecution
- AWSAFTService
- AWSControlTowerExecution
- stacksets-exec-*
Thank you in advance.
We need to do further investigation because the check `iam_aws_attached_policy_no_administrative_privileges` analyzes IAM Managed policies, so the `resource_id` is the policy name. So there is no quick solution for this issue as of today; we need to think about having related resources in the same findings and use the allowlist.
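The following is an added illustration of the mismatch described in that comment; it is not Prowler's own code and does not use Prowler's check or allowlist implementation. It models the check's logic as the comment describes it (inspect each attached AWS-managed policy document for a full `*` / `*:*` Allow on `Resource: "*"` and report the policy name as `resource_id`), then contrasts an allowlist of role names applied to `resource_id` (never matches, since the id is a policy name) with the same allowlist applied to the roles carried alongside the finding. All IAM data, role names beyond the five from the issue, and the `attached_roles` field are constructed assumptions; users and groups are omitted for brevity.

```python
import fnmatch

# Constructed stand-ins for IAM API responses (not real accounts or ARNs beyond the AWS-managed ones).
MANAGED_POLICIES = {
    "AdministratorAccess": {
        "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
    },
    "ReadOnlyAccess": {
        "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"], "Resource": "*"}],
        },
    },
}

# role name -> attached managed policy names (constructed; only roles are modelled here)
ROLE_ATTACHMENTS = {
    "aws-controltower-AdministratorExecutionRole": ["AdministratorAccess"],
    "AWSAFTExecution": ["AdministratorAccess"],
    "stacksets-exec-0123456789ab": ["AdministratorAccess"],  # hypothetical StackSets exec role
    "AppReadOnly": ["ReadOnlyAccess"],
    "CustomAdmin": ["AdministratorAccess"],  # hypothetical role that should still be reported
}

# Role-name patterns from the issue; "stacksets-exec-*" is treated as a glob.
ALLOWLISTED_ROLE_PATTERNS = [
    "aws-controltower-AdministratorExecutionRole",
    "AWSAFTExecution",
    "AWSAFTService",
    "AWSControlTowerExecution",
    "stacksets-exec-*",
]


def _as_list(value):
    # IAM policy JSON allows a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def grants_full_admin(document):
    """True if any Allow statement grants Action "*" (or "*:*") on Resource "*"."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction-only statements are not full-admin grants here
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def run_check(policies, attachments):
    """One finding per attached managed policy that grants full admin.
    As in the comment, resource_id is the policy name; attached_roles is the
    extra related-resource context the comment proposes carrying in the finding."""
    findings = []
    for name, policy in policies.items():
        roles = sorted(r for r, ps in attachments.items() if name in ps)
        if roles and grants_full_admin(policy["Document"]):
            findings.append({"resource_id": name, "resource_arn": policy["Arn"],
                             "status": "FAIL", "attached_roles": roles})
    return findings


def _matches_any(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def mute_by_resource_id(findings, role_patterns):
    """Allowlist applied to resource_id only: role-name patterns never match a
    policy name, so every finding survives. This is the mismatch in the issue."""
    return [f for f in findings if not _matches_any(f["resource_id"], role_patterns)]


def mute_by_attached_roles(findings, role_patterns):
    """Mute a finding only when every role carrying the policy is allowlisted;
    otherwise keep it, narrowed to the roles that were not expected."""
    kept = []
    for f in findings:
        unexpected = [r for r in f["attached_roles"] if not _matches_any(r, role_patterns)]
        if unexpected:
            kept.append({**f, "attached_roles": unexpected})
    return kept


if __name__ == "__main__":
    findings = run_check(MANAGED_POLICIES, ROLE_ATTACHMENTS)
    print("raw findings:", findings)
    print("after resource_id allowlist:", mute_by_resource_id(findings, ALLOWLISTED_ROLE_PATTERNS))
    print("after attached-role allowlist:", mute_by_attached_roles(findings, ALLOWLISTED_ROLE_PATTERNS))
```

With the sample data, the check produces a single FAIL for `AdministratorAccess`; muting on `resource_id` leaves it untouched, while muting on the attached roles leaves one finding narrowed to `CustomAdmin`, the role the platform allowlist does not cover. Unattached admin policies are skipped, matching the "not attached" wording of the check title.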