This repository was archived by the owner on Jul 22, 2021. It is now read-only.

Should the AdministratorAccess Managed Policy count? #89

@bwhaley

I notice that check 1.24 searches only locally scoped policies. I agree that this seems to satisfy the intent of the requirement, which states:

Ensure IAM policies that allow full "*:*" administrative privileges are not created

(emphasis on the not created).

However, the audit step doesn't say anything about local scope, and if one didn't include local scope, this requirement would not be achievable as the admin managed policy cannot be deleted. At a minimum, it does seem like the admin policy shouldn't be attached for the requirement to be satisfied. This is currently skipped in the audit.

What are your thoughts?
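
The distinction raised in this issue, as an added example that is not part of the original post or the project's own code: an audit that reports customer managed policies granting full administrative access ("created") separately from an AWS managed full-admin policy that is attached to at least one entity. The policy list, the account ID and the inlined `Document` field are constructed for the example.

```python
# Constructed sample shaped like `aws iam list-policies` entries. Inlining each
# policy's default-version document under "Document" is an assumption of this
# example; the IAM API returns documents through a separate call.
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"
SAMPLE_POLICIES = [
    {"Arn": AWS_MANAGED_PREFIX + "AdministratorAccess", "AttachmentCount": 2,
     "Document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"Arn": "arn:aws:iam::111122223333:policy/custom-admin", "AttachmentCount": 0,
     "Document": {"Statement": {"Effect": "Allow", "Action": ["s3:Get*", "*"],
                                "Resource": ["*"]}}},
    {"Arn": "arn:aws:iam::111122223333:policy/read-logs", "AttachmentCount": 1,
     "Document": {"Statement": [{"Effect": "Allow", "Action": "logs:Get*",
                                 "Resource": "*"}]}},
]


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single item or a list.
    return value if isinstance(value, list) else [value]


def allows_full_admin(document):
    """True if any statement allows Action "*" on Resource "*"."""
    for stmt in _as_list(document.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


def audit(policies):
    """Split full-admin findings into customer-created vs attached AWS managed."""
    created, attached_aws_managed = [], []
    for policy in policies:
        if not allows_full_admin(policy["Document"]):
            continue
        if policy["Arn"].startswith(AWS_MANAGED_PREFIX):
            # Cannot be deleted, so only its attachment is actionable.
            if policy.get("AttachmentCount", 0) > 0:
                attached_aws_managed.append(policy["Arn"])
        else:
            created.append(policy["Arn"])
    return {"created": created, "attached_aws_managed": attached_aws_managed}


if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```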
