@z0ph
Last active December 17, 2021 00:17
AWS Access Analyzer - Policy Validation of 837 AWS Managed Policies.
==> Validation of: ./policies/TagGovernancePolicy
==> Finding: [
{
"findingDetails": "Using ForAllValues qualifier with the single-valued condition key organizations:ServicePrincipal can be overly permissive. We recommend that you remove ForAllValues:.",
"findingType": "SECURITY_WARNING",
"issueCode": "FORALLVALUES_WITH_SINGLE_VALUED_KEY",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-forallvalues-with-single-valued-key",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Condition"
},
{
"value": "ForAllValues:StringLike"
},
{
"value": "organizations:ServicePrincipal"
}
],
"span": {
"end": {
"column": 545,
"line": 1,
"offset": 545
},
"start": {
"column": 524,
"line": 1,
"offset": 524
}
}
}
]
}
]
==> Validation of: ./policies/AWSAuditManagerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTSiteWiseMonitorServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonESFullAccess
==> Finding: []
==> Validation of: ./policies/AWSDataSyncReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonEKSServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonPersonalizeFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonDRSVPCManagement
==> Finding: []
==> Validation of: ./policies/AmazonEventBridgeSchemasFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRekognitionReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AdministratorAccess
==> Finding: [
{
"findingDetails": "Using wildcards (*) in the action and the resource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead.",
"findingType": "WARNING",
"issueCode": "CREATE_SLR_WITH_STAR_IN_ACTION_AND_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-action-and-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
}
],
"span": {
"end": {
"column": 73,
"line": 1,
"offset": 73
},
"start": {
"column": 70,
"line": 1,
"offset": 70
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 90,
"line": 1,
"offset": 90
},
"start": {
"column": 87,
"line": 1,
"offset": 87
}
}
}
]
},
{
"findingDetails": "Using wildcards (*) in the action and the resource can be overly permissive because it allows iam:PassRole permissions on all resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_ACTION_AND_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-action-and-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
}
],
"span": {
"end": {
"column": 73,
"line": 1,
"offset": 73
},
"start": {
"column": 70,
"line": 1,
"offset": 70
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 90,
"line": 1,
"offset": 90
},
"start": {
"column": 87,
"line": 1,
"offset": 87
}
}
}
]
}
]
==> Validation of: ./policies/AWSElasticBeanstalkWorkerTier
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::elasticbeanstalk-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 661,
"line": 1,
"offset": 661
},
"start": {
"column": 628,
"line": 1,
"offset": 628
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 698,
"line": 1,
"offset": 698
},
"start": {
"column": 663,
"line": 1,
"offset": 663
}
}
}
]
}
]
==> Validation of: ./policies/AWSAppSyncInvokeFullAccess
==> Finding: []
==> Validation of: ./policies/EC2InstanceProfileForImageBuilderECRContainerBuilds
==> Finding: []
==> Validation of: ./policies/AWSElasticLoadBalancingServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEventBridgeSchemasReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeBuildReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonCloudDirectoryFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonGlacierFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEKSClusterPolicy
==> Finding: []
==> Validation of: ./policies/AWSImageBuilderFullAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkWebTier
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::elasticbeanstalk-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 180,
"line": 1,
"offset": 180
},
"start": {
"column": 147,
"line": 1,
"offset": 147
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 217,
"line": 1,
"offset": 217
},
"start": {
"column": 182,
"line": 1,
"offset": 182
}
}
}
]
}
]
==> Validation of: ./policies/AmazonWorkLinkReadOnly
==> Finding: []
==> Validation of: ./policies/CloudFormationStackSetsOrgAdminServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSLambdaReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkMaintenance
==> Finding: []
==> Validation of: ./policies/AmazonAPIGatewayAdministrator
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaConvertFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEKSForFargateServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/WAFRegionalLoggingServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticTranscoder_ReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonWorkMailFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployRoleForLambda
==> Finding: []
==> Validation of: ./policies/AWSBackupOperatorAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: backup:GetRecoveryPointRestoreMetadata.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 84,
"line": 1,
"offset": 84
},
"start": {
"column": 71,
"line": 1,
"offset": 71
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 226,
"line": 1,
"offset": 226
},
"start": {
"column": 186,
"line": 1,
"offset": 186
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: rds:DescribeDBSnapshots.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 358,
"line": 1,
"offset": 358
},
"start": {
"column": 333,
"line": 1,
"offset": 333
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 439,
"line": 1,
"offset": 439
},
"start": {
"column": 414,
"line": 1,
"offset": 414
}
}
}
]
}
]
==> Validation of: ./policies/AWSMarketplaceMeteringFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonDynamoDBFullAccesswithDataPipeline
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 810,
"line": 1,
"offset": 810
},
"start": {
"column": 796,
"line": 1,
"offset": 796
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 829,
"line": 1,
"offset": 829
},
"start": {
"column": 826,
"line": 1,
"offset": 826
}
}
}
]
}
]
==> Validation of: ./policies/SecurityAudit
==> Finding: [
{
"findingDetails": "The 13 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeTransitGatewayPeeringAttachments.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 88
}
],
"span": {
"end": {
"column": 2483,
"line": 1,
"offset": 2483
},
"start": {
"column": 2468,
"line": 1,
"offset": 2468
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 89
}
],
"span": {
"end": {
"column": 2524,
"line": 1,
"offset": 2524
},
"start": {
"column": 2485,
"line": 1,
"offset": 2485
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 90
}
],
"span": {
"end": {
"column": 2570,
"line": 1,
"offset": 2570
},
"start": {
"column": 2526,
"line": 1,
"offset": 2526
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 91
}
],
"span": {
"end": {
"column": 2618,
"line": 1,
"offset": 2618
},
"start": {
"column": 2572,
"line": 1,
"offset": 2572
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 92
}
],
"span": {
"end": {
"column": 2659,
"line": 1,
"offset": 2659
},
"start": {
"column": 2620,
"line": 1,
"offset": 2620
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 93
}
],
"span": {
"end": {
"column": 2690,
"line": 1,
"offset": 2690
},
"start": {
"column": 2661,
"line": 1,
"offset": 2661
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 94
}
],
"span": {
"end": {
"column": 2734,
"line": 1,
"offset": 2734
},
"start": {
"column": 2692,
"line": 1,
"offset": 2692
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 288
}
],
"span": {
"end": {
"column": 7968,
"line": 1,
"offset": 7968
},
"start": {
"column": 7929,
"line": 1,
"offset": 7929
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 289
}
],
"span": {
"end": {
"column": 8014,
"line": 1,
"offset": 8014
},
"start": {
"column": 7970,
"line": 1,
"offset": 7970
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 290
}
],
"span": {
"end": {
"column": 8062,
"line": 1,
"offset": 8062
},
"start": {
"column": 8016,
"line": 1,
"offset": 8016
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 291
}
],
"span": {
"end": {
"column": 8103,
"line": 1,
"offset": 8103
},
"start": {
"column": 8064,
"line": 1,
"offset": 8064
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 292
}
],
"span": {
"end": {
"column": 8134,
"line": 1,
"offset": 8134
},
"start": {
"column": 8105,
"line": 1,
"offset": 8105
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 293
}
],
"span": {
"end": {
"column": 8178,
"line": 1,
"offset": 8178
},
"start": {
"column": 8136,
"line": 1,
"offset": 8136
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:GetManagedPrefixListAssociations.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 95
}
],
"span": {
"end": {
"column": 2774,
"line": 1,
"offset": 2774
},
"start": {
"column": 2736,
"line": 1,
"offset": 2736
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 294
}
],
"span": {
"end": {
"column": 8218,
"line": 1,
"offset": 8218
},
"start": {
"column": 8180,
"line": 1,
"offset": 8180
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:GetManagedPrefixListEntries.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 96
}
],
"span": {
"end": {
"column": 2809,
"line": 1,
"offset": 2809
},
"start": {
"column": 2776,
"line": 1,
"offset": 2776
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 295
}
],
"span": {
"end": {
"column": 8253,
"line": 1,
"offset": 8253
},
"start": {
"column": 8220,
"line": 1,
"offset": 8220
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: elasticbeanstalk:DescribeApplications.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 104
}
],
"span": {
"end": {
"column": 2992,
"line": 1,
"offset": 2992
},
"start": {
"column": 2964,
"line": 1,
"offset": 2964
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 302
}
],
"span": {
"end": {
"column": 8451,
"line": 1,
"offset": 8451
},
"start": {
"column": 8412,
"line": 1,
"offset": 8412
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: sns:ListTagsForResource.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 232
}
],
"span": {
"end": {
"column": 6284,
"line": 1,
"offset": 6284
},
"start": {
"column": 6259,
"line": 1,
"offset": 6259
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 313
}
],
"span": {
"end": {
"column": 8830,
"line": 1,
"offset": 8830
},
"start": {
"column": 8805,
"line": 1,
"offset": 8805
}
}
}
]
},
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:apigateway:*::/restapis/*/resources/*/methods/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 10
}
],
"span": {
"end": {
"column": 9413,
"line": 1,
"offset": 9413
},
"start": {
"column": 9366,
"line": 1,
"offset": 9366
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 11
}
],
"span": {
"end": {
"column": 9472,
"line": 1,
"offset": 9472
},
"start": {
"column": 9415,
"line": 1,
"offset": 9415
}
}
}
]
}
]
==> Validation of: ./policies/AWSRoboMakerServicePolicy
==> Finding: []
==> Validation of: ./policies/AWSLambdaDynamoDBExecutionRole
==> Finding: []
==> Validation of: ./policies/IAMReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSVPCS2SVpnServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMonitronFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRDSEnhancedMonitoringRole
==> Finding: []
==> Validation of: ./policies/AmazonESReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonFraudDetectorFullAccessPolicy
==> Finding: []
==> Validation of: ./policies/AmazonTimestreamFullAccess
==> Finding: []
==> Validation of: ./policies/IAMAccessAdvisorReadOnly
==> Finding: []
==> Validation of: ./policies/AWSCodeStarFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonCodeGuruProfilerReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonRoute53FullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployRoleForCloudFormation
==> Finding: []
==> Validation of: ./policies/ElementalSupportCenterFullAccess
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaStoreReadOnly
==> Finding: []
==> Validation of: ./policies/AWSKeyManagementServicePowerUser
==> Finding: []
==> Validation of: ./policies/AWSCodeCommitFullAccess
==> Finding: []
==> Validation of: ./policies/AWSBatchFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ecs:DescribeClusters.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 9
}
],
"span": {
"end": {
"column": 326,
"line": 1,
"offset": 326
},
"start": {
"column": 304,
"line": 1,
"offset": 304
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 10
}
],
"span": {
"end": {
"column": 343,
"line": 1,
"offset": 343
},
"start": {
"column": 328,
"line": 1,
"offset": 328
}
}
}
]
}
]
==> Validation of: ./policies/AmazonEC2RolePolicyForApplicationWizard
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployRoleForECSLimited
==> Finding: []
==> Validation of: ./policies/AutoScalingReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/CloudFormationStackSetsOrgMemberServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/DAXServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/CloudWatchReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2RoleforSSM
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerServiceforEC2Role
==> Finding: []
==> Validation of: ./policies/AWSServiceCatalogEndUserFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonCognitoIdpServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/LexBotPolicy
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployRoleForECS
==> Finding: []
==> Validation of: ./policies/AWSEC2SpotFleetServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonZocaloReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTWirelessDataAccess
==> Finding: []
==> Validation of: ./policies/AWSImageBuilderReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksCMInstanceProfileRole
==> Finding: []
==> Validation of: ./policies/AmazonBraketServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonPrometheusConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AutoScalingConsoleReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ServerMigrationServiceConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoT1ClickReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSTransferFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonDMSCloudWatchLogsRole
==> Finding: []
==> Validation of: ./policies/AmazonDocDBConsoleFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeSecurityGroups.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 35
}
],
"span": {
"end": {
"column": 3085,
"line": 1,
"offset": 3085
},
"start": {
"column": 3057,
"line": 1,
"offset": 3057
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 36
}
],
"span": {
"end": {
"column": 3115,
"line": 1,
"offset": 3115
},
"start": {
"column": 3087,
"line": 1,
"offset": 3087
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeSubnets.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 37
}
],
"span": {
"end": {
"column": 3138,
"line": 1,
"offset": 3138
},
"start": {
"column": 3117,
"line": 1,
"offset": 3117
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 38
}
],
"span": {
"end": {
"column": 3161,
"line": 1,
"offset": 3161
},
"start": {
"column": 3140,
"line": 1,
"offset": 3140
}
}
}
]
}
]
==> Validation of: ./policies/AmazonCognitoReadOnly
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForIoTSiteWise
==> Finding: []
==> Validation of: ./policies/AWSQuicksightAthenaAccess
==> Finding: []
==> Validation of: ./policies/AWSCloud9EnvironmentMember
==> Finding: []
==> Validation of: ./policies/AWSQuickSightDescribeRedshift
==> Finding: []
==> Validation of: ./policies/AWSIoTSiteWiseFullAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForMonitronPolicy
==> Finding: []
==> Validation of: ./policies/AmazonGlacierReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingRDSClusterPolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReduceReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSBatchServiceEventTargetRole
==> Finding: []
==> Validation of: ./policies/AWSCodePipelineCustomActionAccess
==> Finding: []
==> Validation of: ./policies/RDSCloudHsmAuthorizationRole
==> Finding: []
==> Validation of: ./policies/AWSEnhancedClassicNetworkingMangementPolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction
==> Finding: []
==> Validation of: ./policies/AWSSystemsManagerChangeManagementServicePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMQApiReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonLexV2BotPolicy
==> Finding: []
==> Validation of: ./policies/AWSGreengrassResourceAccessRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonInspectorFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonCodeGuruProfilerAgentAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployRole
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: autoscaling:DescribeAutoScalingGroups.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 184,
"line": 1,
"offset": 184
},
"start": {
"column": 145,
"line": 1,
"offset": 145
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 9
}
],
"span": {
"end": {
"column": 456,
"line": 1,
"offset": 456
},
"start": {
"column": 417,
"line": 1,
"offset": 417
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: autoscaling:DescribeLifecycleHooks.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 222,
"line": 1,
"offset": 222
},
"start": {
"column": 186,
"line": 1,
"offset": 186
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 13
}
],
"span": {
"end": {
"column": 616,
"line": 1,
"offset": 616
},
"start": {
"column": 580,
"line": 1,
"offset": 580
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: autoscaling:PutLifecycleHook.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 4
}
],
"span": {
"end": {
"column": 254,
"line": 1,
"offset": 254
},
"start": {
"column": 224,
"line": 1,
"offset": 224
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 21
}
],
"span": {
"end": {
"column": 913,
"line": 1,
"offset": 913
},
"start": {
"column": 883,
"line": 1,
"offset": 883
}
}
}
]
}
]
==> Validation of: ./policies/AmazonElasticContainerRegistryPublicReadOnly
==> Finding: []
==> Validation of: ./policies/EC2InstanceProfileForImageBuilder
==> Finding: []
==> Validation of: ./policies/AmazonSNSReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningManageRealTimeEndpointOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSDirectConnectFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRDSBetaServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonRoute53ResolverReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerFullAccess
==> Finding: []
==> Validation of: ./policies/AWSControlTowerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSRoboMaker_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSAppSyncPushToCloudWatchLogs
==> Finding: []
==> Validation of: ./policies/AWSConnector
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerPrivateCAUser
==> Finding: []
==> Validation of: ./policies/SupportUser
==> Finding: [
{
"findingDetails": "The 8 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeReservedInstancesModifications.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 78
}
],
"span": {
"end": {
"column": 2249,
"line": 1,
"offset": 2249
},
"start": {
"column": 2234,
"line": 1,
"offset": 2234
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 79
}
],
"span": {
"end": {
"column": 2270,
"line": 1,
"offset": 2270
},
"start": {
"column": 2251,
"line": 1,
"offset": 2251
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 80
}
],
"span": {
"end": {
"column": 2302,
"line": 1,
"offset": 2302
},
"start": {
"column": 2272,
"line": 1,
"offset": 2272
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 81
}
],
"span": {
"end": {
"column": 2326,
"line": 1,
"offset": 2326
},
"start": {
"column": 2304,
"line": 1,
"offset": 2304
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 82
}
],
"span": {
"end": {
"column": 2359,
"line": 1,
"offset": 2359
},
"start": {
"column": 2328,
"line": 1,
"offset": 2328
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 83
}
],
"span": {
"end": {
"column": 2386,
"line": 1,
"offset": 2386
},
"start": {
"column": 2361,
"line": 1,
"offset": 2361
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 84
}
],
"span": {
"end": {
"column": 2432,
"line": 1,
"offset": 2432
},
"start": {
"column": 2388,
"line": 1,
"offset": 2388
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 85
}
],
"span": {
"end": {
"column": 2452,
"line": 1,
"offset": 2452
},
"start": {
"column": 2434,
"line": 1,
"offset": 2434
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: elasticfilesystem:DescribeFileSystems.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 100
}
],
"span": {
"end": {
"column": 2887,
"line": 1,
"offset": 2887
},
"start": {
"column": 2858,
"line": 1,
"offset": 2858
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 106
}
],
"span": {
"end": {
"column": 3074,
"line": 1,
"offset": 3074
},
"start": {
"column": 3035,
"line": 1,
"offset": 3035
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: glacier:ListVaults.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 118
}
],
"span": {
"end": {
"column": 3303,
"line": 1,
"offset": 3303
},
"start": {
"column": 3283,
"line": 1,
"offset": 3283
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 122
}
],
"span": {
"end": {
"column": 3384,
"line": 1,
"offset": 3384
},
"start": {
"column": 3369,
"line": 1,
"offset": 3369
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: workspaces:Describe*.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 194
}
],
"span": {
"end": {
"column": 5041,
"line": 1,
"offset": 5041
},
"start": {
"column": 5019,
"line": 1,
"offset": 5019
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 198
}
],
"span": {
"end": {
"column": 5126,
"line": 1,
"offset": 5126
},
"start": {
"column": 5104,
"line": 1,
"offset": 5104
}
}
}
]
}
]
==> Validation of: ./policies/AWSServiceCatalogAdminFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonDevOpsGuruReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSThinkboxDeadlineResourceTrackerAdminPolicy
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkRoleSNS
==> Finding: []
==> Validation of: ./policies/AmazonPollyFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonDocDBReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/NeptuneReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkEnhancedHealth
==> Finding: []
==> Validation of: ./policies/MigrationHubSMSAccessServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSResourceGroupsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonZocaloFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonHealthLakeReadOnlyAccess
==> Finding: [
{
"findingDetails": "The service healthlake:ListFHIRDatastores specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 83,
"line": 1,
"offset": 83
},
"start": {
"column": 52,
"line": 1,
"offset": 52
}
}
}
]
},
{
"findingDetails": "The service healthlake:DescribeFHIRDatastore specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 119,
"line": 1,
"offset": 119
},
"start": {
"column": 85,
"line": 1,
"offset": 85
}
}
}
]
},
{
"findingDetails": "The service healthlake:DescribeFHIRImportJob specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 155,
"line": 1,
"offset": 155
},
"start": {
"column": 121,
"line": 1,
"offset": 121
}
}
}
]
},
{
"findingDetails": "The service healthlake:DescribeFHIRExportJob specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 191,
"line": 1,
"offset": 191
},
"start": {
"column": 157,
"line": 1,
"offset": 157
}
}
}
]
},
{
"findingDetails": "The service healthlake:GetCapabilities specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 4
}
],
"span": {
"end": {
"column": 221,
"line": 1,
"offset": 221
},
"start": {
"column": 193,
"line": 1,
"offset": 193
}
}
}
]
},
{
"findingDetails": "The service healthlake:ReadResource specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 248,
"line": 1,
"offset": 248
},
"start": {
"column": 223,
"line": 1,
"offset": 223
}
}
}
]
},
{
"findingDetails": "The service healthlake:SearchWithGet specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 276,
"line": 1,
"offset": 276
},
"start": {
"column": 250,
"line": 1,
"offset": 250
}
}
}
]
},
{
"findingDetails": "The service healthlake:SearchWithPost specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 305,
"line": 1,
"offset": 305
},
"start": {
"column": 278,
"line": 1,
"offset": 278
}
}
}
]
}
]
==> Validation of: ./policies/AWSIoTWirelessFullPublishAccess
==> Finding: []
==> Validation of: ./policies/AmazonEverestServicePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEC2SpotFleetRole
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 214,
"line": 1,
"offset": 214
},
"start": {
"column": 200,
"line": 1,
"offset": 200
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 233,
"line": 1,
"offset": 233
},
"start": {
"column": 230,
"line": 1,
"offset": 230
}
}
}
]
}
]
==> Validation of: ./policies/AWSEC2SpotServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/Route53ResolverServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonAugmentedAIHumanLoopFullAccess
==> Finding: []
==> Validation of: ./policies/AWSShieldDRTAccessPolicy
==> Finding: []
==> Validation of: ./policies/GreengrassOTAUpdateArtifactAccess
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningFullAccess
==> Finding: []
==> Validation of: ./policies/WAFLoggingServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTConfigAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReduceFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeRouteTables.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 16
}
],
"span": {
"end": {
"column": 511,
"line": 1,
"offset": 511
},
"start": {
"column": 486,
"line": 1,
"offset": 486
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 23
}
],
"span": {
"end": {
"column": 707,
"line": 1,
"offset": 707
},
"start": {
"column": 682,
"line": 1,
"offset": 682
}
}
}
]
},
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 36
}
],
"span": {
"end": {
"column": 1021,
"line": 1,
"offset": 1021
},
"start": {
"column": 1007,
"line": 1,
"offset": 1007
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 1088,
"line": 1,
"offset": 1088
},
"start": {
"column": 1085,
"line": 1,
"offset": 1085
}
}
}
]
}
]
==> Validation of: ./policies/AWSPurchaseOrdersServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEC2RoleforAWSCodeDeployLimited
==> Finding: []
==> Validation of: ./policies/CloudWatchEventsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEKS_CNI_Policy
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeAvailabilityZones.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 116,
"line": 1,
"offset": 116
},
"start": {
"column": 85,
"line": 1,
"offset": 85
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 236,
"line": 1,
"offset": 236
},
"start": {
"column": 205,
"line": 1,
"offset": 205
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeSecurityGroups.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 170,
"line": 1,
"offset": 170
},
"start": {
"column": 142,
"line": 1,
"offset": 142
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 266,
"line": 1,
"offset": 266
},
"start": {
"column": 238,
"line": 1,
"offset": 238
}
}
}
]
},
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 15
}
],
"span": {
"end": {
"column": 501,
"line": 1,
"offset": 501
},
"start": {
"column": 487,
"line": 1,
"offset": 487
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 519,
"line": 1,
"offset": 519
},
"start": {
"column": 516,
"line": 1,
"offset": 516
}
}
}
]
}
]
==> Validation of: ./policies/AWSBackupServiceRolePolicyForRestores
==> Finding: []
==> Validation of: ./policies/AmazonPrometheusFullAccess
==> Finding: []
==> Validation of: ./policies/AWSLicenseManagerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSLambdaENIManagementAccess
==> Finding: []
==> Validation of: ./policies/AmazonKinesisFirehoseFullAccess
==> Finding: []
==> Validation of: ./policies/AWSLambdaReplicator
==> Finding: []
==> Validation of: ./policies/AWSFMAdminFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonSSMDirectoryServiceAccess
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeTeamAssociationFullAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksCloudWatchLogs
==> Finding: []
==> Validation of: ./policies/AWSSchemasServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaPackageFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMechanicalTurkCrowdReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonDMSRedshiftS3Role
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerFeatureStoreAccess
==> Finding: []
==> Validation of: ./policies/AmazonApplicationWizardFullaccess
==> Finding: [
{
"findingDetails": "Add a Region to the logs resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Resource"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 3037,
"line": 1,
"offset": 3037
},
"start": {
"column": 2992,
"line": 1,
"offset": 2992
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ssm:AddTagsToResource.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 3161,
"line": 1,
"offset": 3161
},
"start": {
"column": 3138,
"line": 1,
"offset": 3138
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 4
}
],
"span": {
"end": {
"column": 3186,
"line": 1,
"offset": 3186
},
"start": {
"column": 3163,
"line": 1,
"offset": 3163
}
}
}
]
},
{
"findingDetails": "The action ssm:RemoveTagsToResource does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 9
}
],
"span": {
"end": {
"column": 3314,
"line": 1,
"offset": 3314
},
"start": {
"column": 3288,
"line": 1,
"offset": 3288
}
}
}
]
},
{
"findingDetails": "Add a Region to the logs resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 3411,
"line": 1,
"offset": 3411
},
"start": {
"column": 3366,
"line": 1,
"offset": 3366
}
}
}
]
},
{
"findingDetails": "Add a Region to the logs resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 5949,
"line": 1,
"offset": 5949
},
"start": {
"column": 5904,
"line": 1,
"offset": 5904
}
}
}
]
},
{
"findingDetails": "Add a Region to the cloudformation resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 6
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 6101,
"line": 1,
"offset": 6101
},
"start": {
"column": 6049,
"line": 1,
"offset": 6049
}
}
}
]
}
]
==> Validation of: ./policies/CloudWatchAgentAdminPolicy
==> Finding: []
==> Validation of: ./policies/AWSThinkboxAWSPortalAdminPolicy
==> Finding: []
==> Validation of: ./policies/AWSLicenseManagerMemberAccountRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonECS_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSPrivateMarketplaceRequests
==> Finding: []
==> Validation of: ./policies/DataScientist
==> Finding: [
{
"findingDetails": "The 3 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: sns:ListSubscriptions.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 41
}
],
"span": {
"end": {
"column": 965,
"line": 1,
"offset": 965
},
"start": {
"column": 942,
"line": 1,
"offset": 942
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 42
}
],
"span": {
"end": {
"column": 983,
"line": 1,
"offset": 983
},
"start": {
"column": 967,
"line": 1,
"offset": 967
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 49
}
],
"span": {
"end": {
"column": 1108,
"line": 1,
"offset": 1108
},
"start": {
"column": 1097,
"line": 1,
"offset": 1097
}
}
}
]
}
]
==> Validation of: ./policies/AWSSSODirectoryAdministrator
==> Finding: []
==> Validation of: ./policies/DynamoDBCloudWatchContributorInsightsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSDenyAll
==> Finding: []
==> Validation of: ./policies/AWSImportExportReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeFullAccess
==> Finding: []
==> Validation of: ./policies/KafkaServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMechanicalTurkReadOnly
==> Finding: []
==> Validation of: ./policies/AWSBudgetsActionsWithAWSResourceControlAccess
==> Finding: []
==> Validation of: ./policies/CloudTrailServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/FMSServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSLambdaVPCAccessExecutionRole
==> Finding: []
==> Validation of: ./policies/AmazonWorkSpacesServiceAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTWirelessReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSQuickSightTimestreamPolicy
==> Finding: []
==> Validation of: ./policies/AWSAutoScalingPlansEC2AutoScalingPolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTWirelessFullAccess
==> Finding: []
==> Validation of: ./policies/AWSStorageGatewayReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonMSKFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudHSMFullAccess
==> Finding: []
==> Validation of: ./policies/AWSPanoramaGreengrassGroupRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonForecastFullAccess
==> Finding: []
==> Validation of: ./policies/CloudFrontReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSStepFunctionsFullAccess
==> Finding: []
==> Validation of: ./policies/Ec2ImageBuilderCrossAccountDistributionAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMSKReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSTrustedAdvisorReportingServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceSellerProductsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSGlobalAcceleratorSLRPolicy
==> Finding: []
==> Validation of: ./policies/AmazonRedshiftQueryEditor
==> Finding: []
==> Validation of: ./policies/ComprehendFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEKSWorkerNodePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerServiceRole
==> Finding: []
==> Validation of: ./policies/AWSStorageGatewayServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCloud9User
==> Finding: []
==> Validation of: ./policies/ServiceCatalogAdminReadOnlyAccess
==> Finding: [
{
"findingDetails": "The action catalog-admin:DescribeConstraints does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 106,
"line": 1,
"offset": 106
},
"start": {
"column": 71,
"line": 1,
"offset": 71
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:DescribeListingForProduct does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 149,
"line": 1,
"offset": 149
},
"start": {
"column": 108,
"line": 1,
"offset": 108
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:DescribeListings does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 183,
"line": 1,
"offset": 183
},
"start": {
"column": 151,
"line": 1,
"offset": 151
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:DescribePortfolios does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 219,
"line": 1,
"offset": 219
},
"start": {
"column": 185,
"line": 1,
"offset": 185
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:DescribeProductVersions does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 4
}
],
"span": {
"end": {
"column": 260,
"line": 1,
"offset": 260
},
"start": {
"column": 221,
"line": 1,
"offset": 221
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:GetPortfolioCount does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 295,
"line": 1,
"offset": 295
},
"start": {
"column": 262,
"line": 1,
"offset": 262
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:GetPortfolios does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 326,
"line": 1,
"offset": 326
},
"start": {
"column": 297,
"line": 1,
"offset": 297
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:GetProductCounts does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 360,
"line": 1,
"offset": 360
},
"start": {
"column": 328,
"line": 1,
"offset": 328
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListAllPortfolioConstraints does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 8
}
],
"span": {
"end": {
"column": 405,
"line": 1,
"offset": 405
},
"start": {
"column": 362,
"line": 1,
"offset": 362
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListPortfolioConstraints does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 9
}
],
"span": {
"end": {
"column": 447,
"line": 1,
"offset": 447
},
"start": {
"column": 407,
"line": 1,
"offset": 407
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListPortfolios does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 10
}
],
"span": {
"end": {
"column": 479,
"line": 1,
"offset": 479
},
"start": {
"column": 449,
"line": 1,
"offset": 449
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListPrincipalConstraints does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 11
}
],
"span": {
"end": {
"column": 521,
"line": 1,
"offset": 521
},
"start": {
"column": 481,
"line": 1,
"offset": 481
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListProductConstraints does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 12
}
],
"span": {
"end": {
"column": 561,
"line": 1,
"offset": 561
},
"start": {
"column": 523,
"line": 1,
"offset": 523
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListResourceUsers does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 13
}
],
"span": {
"end": {
"column": 596,
"line": 1,
"offset": 596
},
"start": {
"column": 563,
"line": 1,
"offset": 563
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:ListTagsForResource does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 14
}
],
"span": {
"end": {
"column": 633,
"line": 1,
"offset": 633
},
"start": {
"column": 598,
"line": 1,
"offset": 598
}
}
}
]
},
{
"findingDetails": "The action catalog-admin:SearchListings does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 15
}
],
"span": {
"end": {
"column": 665,
"line": 1,
"offset": 665
},
"start": {
"column": 635,
"line": 1,
"offset": 635
}
}
}
]
},
{
"findingDetails": "The action servicecatalog:GetTagOptionMigrationStatus does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 28
}
],
"span": {
"end": {
"column": 987,
"line": 1,
"offset": 987
},
"start": {
"column": 943,
"line": 1,
"offset": 943
}
}
}
]
},
{
"findingDetails": "The action servicecatalog:AccountLevelDescribeRecord does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 31
}
],
"span": {
"end": {
"column": 1109,
"line": 1,
"offset": 1109
},
"start": {
"column": 1066,
"line": 1,
"offset": 1066
}
}
}
]
},
{
"findingDetails": "The action servicecatalog:AccountLevelListRecordHistory does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 32
}
],
"span": {
"end": {
"column": 1157,
"line": 1,
"offset": 1157
},
"start": {
"column": 1111,
"line": 1,
"offset": 1111
}
}
}
]
},
{
"findingDetails": "The action servicecatalog:AccountLevelScanProvisionedProducts does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 33
}
],
"span": {
"end": {
"column": 1211,
"line": 1,
"offset": 1211
},
"start": {
"column": 1159,
"line": 1,
"offset": 1159
}
}
}
]
}
]
==> Validation of: ./policies/CloudwatchApplicationInsightsServiceLinkedRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonRDSReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSChatbotServiceLinkedRolePolicy
==> Finding: []
==> Validation of: ./policies/DynamoDBKinesisReplicationServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonWorkDocsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForThorInternalDevPolicy
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingDynamoDBTablePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMobileAnalyticsFinancialReportAccess
==> Finding: []
==> Validation of: ./policies/AmazonFreeRTOSFullAccess
==> Finding: []
==> Validation of: ./policies/ComprehendMedicalFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSupportAccess
==> Finding: []
==> Validation of: ./policies/DatabaseAdministrator
==> Finding: []
==> Validation of: ./policies/AWSCloudMapFullAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingSageMakerEndpointPolicy
==> Finding: []
==> Validation of: ./policies/AmazonChimeVoiceConnectorServiceLinkedRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSQuickSightIoTAnalyticsAccess
==> Finding: []
==> Validation of: ./policies/ElementalAppliancesSoftwareReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonWorkDocsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonRoute53DomainsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2ReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSGlueConsoleFullAccess
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::aws-glue-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1000,
"line": 1,
"offset": 1000
},
"start": {
"column": 973,
"line": 1,
"offset": 973
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 1059,
"line": 1,
"offset": 1059
},
"start": {
"column": 1034,
"line": 1,
"offset": 1034
}
}
}
]
}
]
==> Validation of: ./policies/AWSServiceCatalogAppRegistryFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSSOReadOnly
==> Finding: []
==> Validation of: ./policies/AWSWAFReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSThinkboxDeadlineResourceTrackerAccessPolicy
==> Finding: []
==> Validation of: ./policies/AmazonS3OutpostsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTSiteWiseConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeBuildAdminAccess
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonRedshiftFullAccess
==> Finding: []
==> Validation of: ./policies/AdministratorAccess-Amplify
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 14
}
],
"span": {
"end": {
"column": 896,
"line": 1,
"offset": 896
},
"start": {
"column": 882,
"line": 1,
"offset": 882
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 4716,
"line": 1,
"offset": 4716
},
"start": {
"column": 4713,
"line": 1,
"offset": 4713
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: cognito-idp:DeleteGroup.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 66
}
],
"span": {
"end": {
"column": 2321,
"line": 1,
"offset": 2321
},
"start": {
"column": 2296,
"line": 1,
"offset": 2296
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 75
}
],
"span": {
"end": {
"column": 2617,
"line": 1,
"offset": 2617
},
"start": {
"column": 2592,
"line": 1,
"offset": 2592
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: lambda:DeleteFunction.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 81
}
],
"span": {
"end": {
"column": 2780,
"line": 1,
"offset": 2780
},
"start": {
"column": 2757,
"line": 1,
"offset": 2757
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 92
}
],
"span": {
"end": {
"column": 3068,
"line": 1,
"offset": 3068
},
"start": {
"column": 3045,
"line": 1,
"offset": 3045
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: cognito-idp:AdminDeleteUser.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 47
}
],
"span": {
"end": {
"column": 6104,
"line": 1,
"offset": 6104
},
"start": {
"column": 6075,
"line": 1,
"offset": 6075
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 49
}
],
"span": {
"end": {
"column": 6174,
"line": 1,
"offset": 6174
},
"start": {
"column": 6145,
"line": 1,
"offset": 6145
}
}
}
]
}
]
==> Validation of: ./policies/AWSStepFunctionsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonKinesisAnalyticsFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonTextractFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTSiteWiseMonitorPortalAccess
==> Finding: []
==> Validation of: ./policies/EC2FleetTimeShiftableServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonHealthLakeFullAccess
==> Finding: [
{
"findingDetails": "The service healthlake:* specified in the action does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_SERVICE_IN_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-service-in-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 66,
"line": 1,
"offset": 66
},
"start": {
"column": 52,
"line": 1,
"offset": 52
}
}
}
]
}
]
==> Validation of: ./policies/AWSIoTAnalyticsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonPrometheusQueryAccess
==> Finding: []
==> Validation of: ./policies/AWSDataSyncFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticFileSystemReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSLambdaRole
==> Finding: []
==> Validation of: ./policies/AmazonKinesisVideoStreamsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerNotebooksServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonKendraReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSTrustedAdvisorServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ServerMigrationServiceLaunchRole
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForAmazonEKSNodegroup
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Action"
}
],
"span": {
"end": {
"column": 2095,
"line": 1,
"offset": 2095
},
"start": {
"column": 2081,
"line": 1,
"offset": 2081
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 2112,
"line": 1,
"offset": 2112
},
"start": {
"column": 2109,
"line": 1,
"offset": 2109
}
}
}
]
}
]
==> Validation of: ./policies/DynamoDBReplicationServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerRegistryPowerUser
==> Finding: []
==> Validation of: ./policies/AmazonEKSFargatePodExecutionRolePolicy
==> Finding: []
==> Validation of: ./policies/EC2InstanceConnect
==> Finding: []
==> Validation of: ./policies/AmazonEventBridgeReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonManagedBlockchainReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSConfigRemediationServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCloudHSMReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonMacieSetupRole
==> Finding: []
==> Validation of: ./policies/CloudWatchSyntheticsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCloud9SSMInstanceProfile
==> Finding: []
==> Validation of: ./policies/AWSProtonReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/IAMSelfManageServiceSpecificCredentials
==> Finding: []
==> Validation of: ./policies/IAMUserChangePassword
==> Finding: []
==> Validation of: ./policies/TranslateReadOnly
==> Finding: []
==> Validation of: ./policies/AWSWAFConsoleReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceDefenderEnableIoTLoggingMitigationAction
==> Finding: []
==> Validation of: ./policies/AWSWAFFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonFSxServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSHealthFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonConnect_FullAccess
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeWorkbookFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonSSMAutomationRole
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessPolyDelegatedAccessPolicy
==> Finding: []
==> Validation of: ./policies/AmazonCognitoDeveloperAuthenticatedIdentities
==> Finding: []
==> Validation of: ./policies/AWSLambda_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSDeepRacerCloudFormationAccessPolicy
==> Finding: []
==> Validation of: ./policies/ApplicationDiscoveryServiceContinuousExportServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEMRFullAccessPolicy_v2
==> Finding: [
{
"findingDetails": "The action s3:ListBuckets does not exist. Did you mean s3:ListAllMyBuckets? The API called ListBuckets authorizes against the IAM action s3:ListAllMyBuckets",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Action"
},
{
"index": 10
}
],
"span": {
"end": {
"column": 3224,
"line": 1,
"offset": 3224
},
"start": {
"column": 3208,
"line": 1,
"offset": 3208
}
}
}
]
}
]
==> Validation of: ./policies/AmazonElasticFileSystemFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonKendraFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReducePlacementGroupPolicy
==> Finding: []
==> Validation of: ./policies/AWSDataPipeline_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingAppStreamFleetPolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReduceRole
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 48
}
],
"span": {
"end": {
"column": 1400,
"line": 1,
"offset": 1400
},
"start": {
"column": 1386,
"line": 1,
"offset": 1386
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 75,
"line": 1,
"offset": 75
},
"start": {
"column": 72,
"line": 1,
"offset": 72
}
}
}
]
}
]
==> Validation of: ./policies/AWSApplicationAutoscalingCassandraTablePolicy
==> Finding: []
==> Validation of: ./policies/AmazonConnectServiceLinkedRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonRDSPreviewServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReduceEditorsRole
==> Finding: []
==> Validation of: ./policies/AWSCloudFormationReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonElastiCacheReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/IAMAccessAnalyzerReadOnlyAccess
==> Finding: [
{
"findingDetails": "The action access-analyzer:ValidatePolicy does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 152,
"line": 1,
"offset": 152
},
"start": {
"column": 120,
"line": 1,
"offset": 120
}
}
}
]
}
]
==> Validation of: ./policies/AmazonElastiCacheFullAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingEC2SpotFleetRequestPolicy
==> Finding: []
==> Validation of: ./policies/AWSConfigRoleForOrganizations
==> Finding: []
==> Validation of: ./policies/AmazonInspectorServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ElementalActivationsFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMQServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonLexReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonCodeGuruReviewerServiceRolePolicy
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::codeguru-reviewer-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1402,
"line": 1,
"offset": 1402
},
"start": {
"column": 1368,
"line": 1,
"offset": 1368
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 1440,
"line": 1,
"offset": 1440
},
"start": {
"column": 1404,
"line": 1,
"offset": 1404
}
}
}
]
}
]
==> Validation of: ./policies/AWSSecurityHubReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/TranslateFullAccess
==> Finding: []
==> Validation of: ./policies/AWSGrafanaAccountAdministrator
==> Finding: []
==> Validation of: ./policies/AWSCodePipeline_FullAccess
==> Finding: []
==> Validation of: ./policies/AmazonAppStreamServiceAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeSubnets.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 112,
"line": 1,
"offset": 112
},
"start": {
"column": 91,
"line": 1,
"offset": 91
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 261,
"line": 1,
"offset": 261
},
"start": {
"column": 240,
"line": 1,
"offset": 240
}
}
}
]
}
]
==> Validation of: ./policies/AmazonMacieServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceSellerProductsReadOnly
==> Finding: []
==> Validation of: ./policies/AWSCodeCommitReadOnly
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: iam:ListAccessKeys.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 918,
"line": 1,
"offset": 918
},
"start": {
"column": 898,
"line": 1,
"offset": 898
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 1003,
"line": 1,
"offset": 1003
},
"start": {
"column": 983,
"line": 1,
"offset": 983
}
}
}
]
}
]
==> Validation of: ./policies/AWSApplicationAutoscalingKafkaClusterPolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticContainerRegistryPublicPowerUser
==> Finding: []
==> Validation of: ./policies/CloudWatchEventsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTDataAccess
==> Finding: []
==> Validation of: ./policies/AWSBackupServiceRolePolicyForBackup
==> Finding: []
==> Validation of: ./policies/AWS_Config_Role
==> Finding: []
==> Validation of: ./policies/LightsailExportAccess
==> Finding: []
==> Validation of: ./policies/AWSGlueServiceNotebookRole
==> Finding: []
==> Validation of: ./policies/AWSPanoramaFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonSESReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSDirectoryServiceReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessFullAccess
==> Finding: [
{
"findingDetails": "Using the iam:CreateServiceLinkedRole action with wildcards (*) in the resource can allow creation of unintended service-linked roles. We recommend that you specify resource ARNs instead.",
"findingType": "WARNING",
"issueCode": "CREATE_SLR_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 159,
"line": 1,
"offset": 159
},
"start": {
"column": 130,
"line": 1,
"offset": 130
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 196,
"line": 1,
"offset": 196
},
"start": {
"column": 193,
"line": 1,
"offset": 193
}
}
}
]
}
]
==> Validation of: ./policies/LexChannelPolicy
==> Finding: []
==> Validation of: ./policies/ServerMigrationServiceRole
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeImportImageTasks.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 1867,
"line": 1,
"offset": 1867
},
"start": {
"column": 1852,
"line": 1,
"offset": 1852
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Action"
},
{
"index": 9
}
],
"span": {
"end": {
"column": 1999,
"line": 1,
"offset": 1999
},
"start": {
"column": 1969,
"line": 1,
"offset": 1969
}
}
}
]
}
]
==> Validation of: ./policies/AWS_ConfigRole
==> Finding: []
==> Validation of: ./policies/AWSApplicationDiscoveryAgentAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForGammaInternalAmazonEKSNodegroup
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 6
},
{
"value": "Action"
}
],
"span": {
"end": {
"column": 1933,
"line": 1,
"offset": 1933
},
"start": {
"column": 1919,
"line": 1,
"offset": 1919
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 6
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 1950,
"line": 1,
"offset": 1950
},
"start": {
"column": 1947,
"line": 1,
"offset": 1947
}
}
}
]
},
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Action"
}
],
"span": {
"end": {
"column": 2119,
"line": 1,
"offset": 2119
},
"start": {
"column": 2105,
"line": 1,
"offset": 2105
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 7
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 2136,
"line": 1,
"offset": 2136
},
"start": {
"column": 2133,
"line": 1,
"offset": 2133
}
}
}
]
},
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 8
},
{
"value": "Action"
}
],
"span": {
"end": {
"column": 2305,
"line": 1,
"offset": 2305
},
"start": {
"column": 2291,
"line": 1,
"offset": 2291
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 8
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 2322,
"line": 1,
"offset": 2322
},
"start": {
"column": 2319,
"line": 1,
"offset": 2319
}
}
}
]
}
]
==> Validation of: ./policies/AutoScalingServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerMechanicalTurkAccess
==> Finding: []
==> Validation of: ./policies/AmazonCodeGuruReviewerFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningRoleforRedshiftDataSource
==> Finding: []
==> Validation of: ./policies/IAMFullAccess
==> Finding: [
{
"findingDetails": "Using wildcards (*) in the action and the resource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead.",
"findingType": "WARNING",
"issueCode": "CREATE_SLR_WITH_STAR_IN_ACTION_AND_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-action-and-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 78,
"line": 1,
"offset": 78
},
"start": {
"column": 71,
"line": 1,
"offset": 71
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 436,
"line": 1,
"offset": 436
},
"start": {
"column": 433,
"line": 1,
"offset": 433
}
}
}
]
},
{
"findingDetails": "Using wildcards (*) in the action and the resource can be overly permissive because it allows iam:PassRole permissions on all resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_ACTION_AND_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-action-and-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 78,
"line": 1,
"offset": 78
},
"start": {
"column": 71,
"line": 1,
"offset": 71
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 436,
"line": 1,
"offset": 436
},
"start": {
"column": 433,
"line": 1,
"offset": 433
}
}
}
]
}
]
==> Validation of: ./policies/AmazonSSMManagedInstanceCore
==> Finding: []
==> Validation of: ./policies/AmazonQLDBConsoleFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: qldb:GetBlock.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 13
}
],
"span": {
"end": {
"column": 444,
"line": 1,
"offset": 444
},
"start": {
"column": 429,
"line": 1,
"offset": 429
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 16
}
],
"span": {
"end": {
"column": 499,
"line": 1,
"offset": 499
},
"start": {
"column": 484,
"line": 1,
"offset": 484
}
}
}
]
}
]
==> Validation of: ./policies/AWSDataLifecycleManagerServiceRole
==> Finding: []
==> Validation of: ./policies/AmazonRoute53DomainsFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonDetectiveFullAccess
==> Finding: []
==> Validation of: ./policies/ClientVPNServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/IAMAccessAnalyzerFullAccess
==> Finding: []
==> Validation of: ./policies/AWSThinkboxAssetServerPolicy
==> Finding: []
==> Validation of: ./policies/AWSDeepRacerFullAccess
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::*DeepRacer*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 391,
"line": 1,
"offset": 391
},
"start": {
"column": 365,
"line": 1,
"offset": 365
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 4
}
],
"span": {
"end": {
"column": 498,
"line": 1,
"offset": 498
},
"start": {
"column": 470,
"line": 1,
"offset": 470
}
}
}
]
},
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::*Deepracer*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 419,
"line": 1,
"offset": 419
},
"start": {
"column": 393,
"line": 1,
"offset": 393
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 528,
"line": 1,
"offset": 528
},
"start": {
"column": 500,
"line": 1,
"offset": 500
}
}
}
]
},
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::*deepracer*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 447,
"line": 1,
"offset": 447
},
"start": {
"column": 421,
"line": 1,
"offset": 421
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 558,
"line": 1,
"offset": 558
},
"start": {
"column": 530,
"line": 1,
"offset": 530
}
}
}
]
},
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::dr-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 468,
"line": 1,
"offset": 468
},
"start": {
"column": 449,
"line": 1,
"offset": 449
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 581,
"line": 1,
"offset": 581
},
"start": {
"column": 560,
"line": 1,
"offset": 560
}
}
}
]
}
]
==> Validation of: ./policies/CloudHSMServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonVPCCrossAccountNetworkInterfaceOperations
==> Finding: []
==> Validation of: ./policies/AmazonEKSVPCResourceController
==> Finding: []
==> Validation of: ./policies/AWSThinkboxDeadlineSpotEventPluginWorkerPolicy
==> Finding: []
==> Validation of: ./policies/AWSDeviceFarmFullAccess
==> Finding: []
==> Validation of: ./policies/AWSAppMeshPreviewEnvoyAccess
==> Finding: []
==> Validation of: ./policies/AmazonCloudDirectoryReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTLogging
==> Finding: []
==> Validation of: ./policies/IVSRecordToS3
==> Finding: []
==> Validation of: ./policies/AWSAuditManagerAdministratorAccess
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeTeamAssociationReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonRedshiftReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIQPermissionServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSLakeFormationCrossAccountManager
==> Finding: []
==> Validation of: ./policies/AWSCompromisedKeyQuarantine
==> Finding: []
==> Validation of: ./policies/AmazonSSMReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonGuardDutyServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningRealTimePredictionOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceProcurementSystemAdminFullAccess
==> Finding: []
==> Validation of: ./policies/SecretsManagerReadWrite
==> Finding: []
==> Validation of: ./policies/AmazonElasticsearchServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/NeptuneConsoleFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:CreateVpcEndpoint.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 22
}
],
"span": {
"end": {
"column": 2858,
"line": 1,
"offset": 2858
},
"start": {
"column": 2835,
"line": 1,
"offset": 2835
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 23
}
],
"span": {
"end": {
"column": 2883,
"line": 1,
"offset": 2883
},
"start": {
"column": 2860,
"line": 1,
"offset": 2860
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeAccountAttributes.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 24
}
],
"span": {
"end": {
"column": 2916,
"line": 1,
"offset": 2916
},
"start": {
"column": 2885,
"line": 1,
"offset": 2885
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 25
}
],
"span": {
"end": {
"column": 2949,
"line": 1,
"offset": 2949
},
"start": {
"column": 2918,
"line": 1,
"offset": 2918
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeAvailabilityZones.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 27
}
],
"span": {
"end": {
"column": 3007,
"line": 1,
"offset": 3007
},
"start": {
"column": 2976,
"line": 1,
"offset": 2976
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 28
}
],
"span": {
"end": {
"column": 3040,
"line": 1,
"offset": 3040
},
"start": {
"column": 3009,
"line": 1,
"offset": 3009
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeSecurityGroups.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 36
}
],
"span": {
"end": {
"column": 3280,
"line": 1,
"offset": 3280
},
"start": {
"column": 3252,
"line": 1,
"offset": 3252
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 37
}
],
"span": {
"end": {
"column": 3310,
"line": 1,
"offset": 3310
},
"start": {
"column": 3282,
"line": 1,
"offset": 3282
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeSubnets.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 38
}
],
"span": {
"end": {
"column": 3333,
"line": 1,
"offset": 3333
},
"start": {
"column": 3312,
"line": 1,
"offset": 3312
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 39
}
],
"span": {
"end": {
"column": 3356,
"line": 1,
"offset": 3356
},
"start": {
"column": 3335,
"line": 1,
"offset": 3335
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeVpcAttribute.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 40
}
],
"span": {
"end": {
"column": 3384,
"line": 1,
"offset": 3384
},
"start": {
"column": 3358,
"line": 1,
"offset": 3358
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 41
}
],
"span": {
"end": {
"column": 3412,
"line": 1,
"offset": 3412
},
"start": {
"column": 3386,
"line": 1,
"offset": 3386
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeVpcs.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 43
}
],
"span": {
"end": {
"column": 3460,
"line": 1,
"offset": 3460
},
"start": {
"column": 3442,
"line": 1,
"offset": 3442
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 44
}
],
"span": {
"end": {
"column": 3480,
"line": 1,
"offset": 3480
},
"start": {
"column": 3462,
"line": 1,
"offset": 3462
}
}
}
]
}
]
==> Validation of: ./policies/AwsGlueDataBrewFullAccessPolicy
==> Finding: []
==> Validation of: ./policies/AWSAppMeshFullAccess
==> Finding: []
==> Validation of: ./policies/AWSLambdaKinesisExecutionRole
==> Finding: []
==> Validation of: ./policies/AWSBatchServiceRole
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkCustomPlatformforEC2Role
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::elasticbeanstalk-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1006,
"line": 1,
"offset": 1006
},
"start": {
"column": 973,
"line": 1,
"offset": 973
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 1043,
"line": 1,
"offset": 1043
},
"start": {
"column": 1008,
"line": 1,
"offset": 1008
}
}
}
]
}
]
==> Validation of: ./policies/AWSMobileHub_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudHSMRole
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaLiveReadOnly
==> Finding: []
==> Validation of: ./policies/SimpleWorkflowFullAccess
==> Finding: []
==> Validation of: ./policies/AWSProtonFullAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceRead-only
==> Finding: []
==> Validation of: ./policies/AWSDataPipeline_PowerUser
==> Finding: []
==> Validation of: ./policies/AmazonLambdaRolePolicyForLaunchWizardSAP
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningBatchPredictionsAccess
==> Finding: []
==> Validation of: ./policies/AWSNetworkManagerReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/PowerUserAccess
==> Finding: [
{
"findingDetails": "Using the iam:CreateServiceLinkedRole action with wildcards (*) in the resource can allow creation of unintended service-linked roles. We recommend that you specify resource ARNs instead.",
"findingType": "WARNING",
"issueCode": "CREATE_SLR_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 194,
"line": 1,
"offset": 194
},
"start": {
"column": 165,
"line": 1,
"offset": 165
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 321,
"line": 1,
"offset": 321
},
"start": {
"column": 318,
"line": 1,
"offset": 318
}
}
}
]
}
]
==> Validation of: ./policies/AWSElementalMediaLiveFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIQContractServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceGetEntitlements
==> Finding: []
==> Validation of: ./policies/AmazonAPIGatewayInvokeFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSecurityHubServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSAccountUsageReportAccess
==> Finding: []
==> Validation of: ./policies/AWSCodePipeline_ReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSLambdaMSKExecutionRole
==> Finding: []
==> Validation of: ./policies/AmazonConnectReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticFileSystemClientFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudFrontLogger
==> Finding: []
==> Validation of: ./policies/AWSSavingsPlansFullAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceSellerFullAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingECSServicePolicy
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingEMRInstanceGroupPolicy
==> Finding: []
==> Validation of: ./policies/ElementalAppliancesSoftwareFullAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkFullAccess
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 16
}
],
"span": {
"end": {
"column": 311,
"line": 1,
"offset": 311
},
"start": {
"column": 297,
"line": 1,
"offset": 297
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 617,
"line": 1,
"offset": 617
},
"start": {
"column": 614,
"line": 1,
"offset": 614
}
}
}
]
}
]
==> Validation of: ./policies/AmazonEventBridgeSchemasServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonFISServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerGroundTruthExecution
==> Finding: []
==> Validation of: ./policies/CloudWatchEventsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ResourceGroupsandTagEditorReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonManagedBlockchainConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEMRServicePolicy_v2
==> Finding: []
==> Validation of: ./policies/AmazonAPIGatewayPushToCloudWatchLogs
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkRoleECS
==> Finding: []
==> Validation of: ./policies/AWSArtifactAccountSync
==> Finding: []
==> Validation of: ./policies/CloudWatchApplicationInsightsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerPrivateCAFullAccess
==> Finding: []
==> Validation of: ./policies/ServerMigrationServiceRoleForInstanceValidation
==> Finding: []
==> Validation of: ./policies/NeptuneFullAccess
==> Finding: []
==> Validation of: ./policies/S3StorageLensServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSBackupServiceLinkedRolePolicyForBackup
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForLogDeliveryPolicy
==> Finding: []
==> Validation of: ./policies/AWSOrganizationsFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticFileSystemClientReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonDocDBFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSavingsPlansReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ElasticLoadBalancingReadOnly
==> Finding: []
==> Validation of: ./policies/ElasticLoadBalancingFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTWirelessGatewayCertManager
==> Finding: []
==> Validation of: ./policies/AmazonFSxReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSGlueSchemaRegistryReadonlyAccess
==> Finding: []
==> Validation of: ./policies/AWSProtonDeveloperAccess
==> Finding: []
==> Validation of: ./policies/AWSDataExchangeProviderFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceDefenderAudit
==> Finding: []
==> Validation of: ./policies/AWSIoTFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeArtifactAdminAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTAnalyticsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceImageBuildFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonSNSFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRoute53AutoNamingReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksCMServiceRole
==> Finding: []
==> Validation of: ./policies/AmazonEC2FullAccess
==> Finding: []
==> Validation of: ./policies/AWSOutpostsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerServiceAutoscaleRole
==> Finding: []
==> Validation of: ./policies/CloudWatchAutomaticDashboardsAccess
==> Finding: []
==> Validation of: ./policies/AmazonRDSServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonLexFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEventBridgeFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMobileAnalyticsNon-financialReportAccess
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaConvertReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonQLDBFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: qldb:GetBlock.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 13
}
],
"span": {
"end": {
"column": 444,
"line": 1,
"offset": 444
},
"start": {
"column": 429,
"line": 1,
"offset": 429
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 16
}
],
"span": {
"end": {
"column": 499,
"line": 1,
"offset": 499
},
"start": {
"column": 484,
"line": 1,
"offset": 484
}
}
}
]
}
]
==> Validation of: ./policies/AmazonWorkMailMessageFlowReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ReadOnlyAccess
==> Finding: [
{
"findingDetails": "The 15745 characters in the identity policy, excluding whitespace, exceed the 10240 character maximum for inline and managed policies. We recommend that you use multiple granular policies.",
"findingType": "WARNING",
"issueCode": "POLICY_SIZE_EXCEEDS_IDENTITY_POLICY_QUOTA",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-policy-size-exceeds-identity-policy-quota",
"locations": []
},
{
"findingDetails": "The action access-analyzer:ValidatePolicy does not exist.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 15
}
],
"span": {
"end": {
"column": 558,
"line": 1,
"offset": 558
},
"start": {
"column": 526,
"line": 1,
"offset": 526
}
}
}
]
}
]
==> Validation of: ./policies/AWSIoTDeviceDefenderUpdateCACertMitigationAction
==> Finding: []
==> Validation of: ./policies/AWSResourceAccessManagerResourceShareParticipantAccess
==> Finding: []
==> Validation of: ./policies/AWSLambdaExecute
==> Finding: []
==> Validation of: ./policies/AmazonChimeSDK
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceDefenderUpdateDeviceCertMitigationAction
==> Finding: []
==> Validation of: ./policies/AutoScalingConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AWSConfigServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonKinesisAnalyticsReadOnly
==> Finding: []
==> Validation of: ./policies/AWSCloudTrail_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSDeepLensLambdaFunctionAccessPolicy
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::deeplens*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 177,
"line": 1,
"offset": 177
},
"start": {
"column": 151,
"line": 1,
"offset": 151
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 203,
"line": 1,
"offset": 203
},
"start": {
"column": 179,
"line": 1,
"offset": 179
}
}
}
]
}
]
==> Validation of: ./policies/AWSLambdaReplicatorInternal
==> Finding: []
==> Validation of: ./policies/ApplicationAutoScalingForAmazonAppStreamAccess
==> Finding: []
==> Validation of: ./policies/AWSForWordPressPluginPolicy
==> Finding: []
==> Validation of: ./policies/AWSCodeArtifactReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSQuickSightListIAM
==> Finding: []
==> Validation of: ./policies/AmazonHoneycodeWorkbookReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSSSODirectoryReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonAppStreamReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSGlueConsoleSageMakerNotebookFullAccess
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::aws-glue-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1200,
"line": 1,
"offset": 1200
},
"start": {
"column": 1173,
"line": 1,
"offset": 1173
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 1259,
"line": 1,
"offset": 1259
},
"start": {
"column": 1234,
"line": 1,
"offset": 1234
}
}
}
]
},
{
"findingDetails": "The request context key aws:TagKeys has multiple values. Use the ForAllValues or ForAnyValue condition key qualifiers in your policy.",
"findingType": "ERROR",
"issueCode": "MISSING_QUALIFIER",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-qualifier",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 9
},
{
"value": "Condition"
},
{
"value": "StringEquals"
},
{
"value": "aws:TagKeys"
}
],
"span": {
"end": {
"column": 3081,
"line": 1,
"offset": 3081
},
"start": {
"column": 3069,
"line": 1,
"offset": 3069
}
}
}
]
},
{
"findingDetails": "Your condition value includes a * or ? character. If you meant to use a wildcard (*, ?), update the condition operator to include Like.",
"findingType": "WARNING",
"issueCode": "WILDCARD_WITHOUT_LIKE_OPERATOR",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-wildcard-without-like-operator",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 9
},
{
"value": "Condition"
},
{
"value": "StringEquals"
},
{
"value": "aws:TagKeys"
}
],
"span": {
"end": {
"column": 3081,
"line": 1,
"offset": 3081
},
"start": {
"column": 3069,
"line": 1,
"offset": 3069
}
}
}
]
}
]
==> Validation of: ./policies/ServiceQuotasFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSecurityHubFullAccess
==> Finding: []
==> Validation of: ./policies/AWSTransferReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ComprehendDataAccessRolePolicy
==> Finding: []
==> Validation of: ./policies/ServiceQuotasServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSGrafanaConsoleReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/CloudSearchReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSXrayWriteOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceTesterForFreeRTOSFullAccess
==> Finding: []
==> Validation of: ./policies/AWSBackupFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonWorkMailMessageFlowFullAccess
==> Finding: []
==> Validation of: ./policies/AWSConfigMultiAccountSetupPolicy
==> Finding: []
==> Validation of: ./policies/CloudWatchFullAccess
==> Finding: []
==> Validation of: ./policies/CloudWatchLogsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForImageBuilder
==> Finding: []
==> Validation of: ./policies/AmazonESCognitoAccess
==> Finding: []
==> Validation of: ./policies/AmazonSQSReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ComprehendReadOnly
==> Finding: []
==> Validation of: ./policies/AWSLambdaSQSQueueExecutionRole
==> Finding: []
==> Validation of: ./policies/AmazonMQApiFullAccess
==> Finding: []
==> Validation of: ./policies/ComputeOptimizerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerPrivateCAPrivilegedUser
==> Finding: []
==> Validation of: ./policies/AmazonMacieServiceRole
==> Finding: []
==> Validation of: ./policies/AWSSSOMemberAccountAdministrator
==> Finding: []
==> Validation of: ./policies/AWSThinkboxDeadlineSpotEventPluginAdminPolicy
==> Finding: []
==> Validation of: ./policies/WAFV2LoggingServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkManagedUpdatesServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSAgentlessDiscoveryService
==> Finding: []
==> Validation of: ./policies/AWSWAFConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningCreateOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSGlueSchemaRegistryFullAccess
==> Finding: []
==> Validation of: ./policies/AWSConfigUserAccess
==> Finding: []
==> Validation of: ./policies/AWSAppSyncSchemaAuthor
==> Finding: []
==> Validation of: ./policies/AWSConfigRole
==> Finding: []
==> Validation of: ./policies/AWSAppMeshReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonS3FullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRoute53AutoNamingRegistrantAccess
==> Finding: []
==> Validation of: ./policies/CloudWatchApplicationInsightsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTRuleActions
==> Finding: []
==> Validation of: ./policies/AWSElasticLoadBalancingClassicServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonWorkLinkFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonWorkLinkServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSGreengrassFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2RoleforDataPipelineRole
==> Finding: []
==> Validation of: ./policies/AWSNetworkManagerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonTextractServiceRole
==> Finding: []
==> Validation of: ./policies/AmazonAppStreamFullAccess
==> Finding: []
==> Validation of: ./policies/AWSDataPipelineRole
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeNetworkInterfaces.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 14
}
],
"span": {
"end": {
"column": 433,
"line": 1,
"offset": 433
},
"start": {
"column": 418,
"line": 1,
"offset": 418
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 25
}
],
"span": {
"end": {
"column": 738,
"line": 1,
"offset": 738
},
"start": {
"column": 707,
"line": 1,
"offset": 707
}
}
}
]
},
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 36
}
],
"span": {
"end": {
"column": 1012,
"line": 1,
"offset": 1012
},
"start": {
"column": 998,
"line": 1,
"offset": 998
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1460,
"line": 1,
"offset": 1460
},
"start": {
"column": 1457,
"line": 1,
"offset": 1457
}
}
}
]
}
]
==> Validation of: ./policies/AWSPanoramaServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessDeviceSetup
==> Finding: []
==> Validation of: ./policies/AWSBudgetsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSGreengrassReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTOTAUpdate
==> Finding: []
==> Validation of: ./policies/AmazonElasticFileSystemServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCodeArtifactReadOnlyAccess.json
==> Finding: []
==> Validation of: ./policies/AWSBudgetsActionsRolePolicyForResourceAdministrationWithSSM
==> Finding: []
==> Validation of: ./policies/AmazonDynamoDBReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonManagedBlockchainServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForCodeGuruProfiler
==> Finding: []
==> Validation of: ./policies/IAMUserSSHKeys
==> Finding: []
==> Validation of: ./policies/AmazonTranscribeFullAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorks_FullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEMRCleanupPolicy
==> Finding: []
==> Validation of: ./policies/WellArchitectedConsoleReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/CloudWatch-CrossAccountAccess
==> Finding: []
==> Validation of: ./policies/AmazonInspectorReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonVPCReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/CheesepuffsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCloud9Administrator
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkReadOnly
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessGatewayExecution
==> Finding: []
==> Validation of: ./policies/AWSRoboMakerFullAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceCatalogAdminReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeStarServiceRole
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::aws-codestar-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 4
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1074,
"line": 1,
"offset": 1074
},
"start": {
"column": 1045,
"line": 1,
"offset": 1045
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 4
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 1107,
"line": 1,
"offset": 1107
},
"start": {
"column": 1076,
"line": 1,
"offset": 1076
}
}
}
]
},
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::elasticbeanstalk-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 4
},
{
"value": "Resource"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 1142,
"line": 1,
"offset": 1142
},
"start": {
"column": 1109,
"line": 1,
"offset": 1109
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 4
},
{
"value": "Resource"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 1179,
"line": 1,
"offset": 1179
},
"start": {
"column": 1144,
"line": 1,
"offset": 1144
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:RunInstances.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 1337,
"line": 1,
"offset": 1337
},
"start": {
"column": 1319,
"line": 1,
"offset": 1319
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 8
}
],
"span": {
"end": {
"column": 1382,
"line": 1,
"offset": 1382
},
"start": {
"column": 1375,
"line": 1,
"offset": 1375
}
}
}
]
}
]
==> Validation of: ./policies/AWSMigrationHubSMSAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerServiceEventsRole
==> Finding: []
==> Validation of: ./policies/AWSIoTThingsRegistration
==> Finding: []
==> Validation of: ./policies/AmazonKeyspacesFullAccess
==> Finding: []
==> Validation of: ./policies/CloudWatchActionsEC2Access
==> Finding: []
==> Validation of: ./policies/AWSOrganizationsServiceTrustPolicy
==> Finding: [
{
"findingDetails": "Using the iam:CreateServiceLinkedRole action with wildcards (*) in the resource can allow creation of unintended service-linked roles. We recommend that you specify resource ARNs instead.",
"findingType": "WARNING",
"issueCode": "CREATE_SLR_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 338,
"line": 1,
"offset": 338
},
"start": {
"column": 309,
"line": 1,
"offset": 309
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 356,
"line": 1,
"offset": 356
},
"start": {
"column": 353,
"line": 1,
"offset": 353
}
}
}
]
}
]
==> Validation of: ./policies/AWSPrivateMarketplaceAdminFullAccess
==> Finding: []
==> Validation of: ./policies/AWSMigrationHubDiscoveryAccess
==> Finding: []
==> Validation of: ./policies/AmazonSNSRole
==> Finding: []
==> Validation of: ./policies/AWSCloudMapRegisterInstanceAccess
==> Finding: []
==> Validation of: ./policies/AWSFMMemberReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:DescribeAccountAttributes.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 10
}
],
"span": {
"end": {
"column": 409,
"line": 1,
"offset": 409
},
"start": {
"column": 378,
"line": 1,
"offset": 378
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 13
}
],
"span": {
"end": {
"column": 494,
"line": 1,
"offset": 494
},
"start": {
"column": 463,
"line": 1,
"offset": 463
}
}
}
]
}
]
==> Validation of: ./policies/AmazonCognitoIdpEmailServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonWorkMailReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonVPCFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:CreateNetworkAcl.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 24
}
],
"span": {
"end": {
"column": 788,
"line": 1,
"offset": 788
},
"start": {
"column": 766,
"line": 1,
"offset": 766
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 25
}
],
"span": {
"end": {
"column": 812,
"line": 1,
"offset": 812
},
"start": {
"column": 790,
"line": 1,
"offset": 790
}
}
}
]
}
]
==> Validation of: ./policies/AmazonKinesisFirehoseReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonRedshiftDataFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonKinesisFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTSiteWiseReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonMQFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodePipelineReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonKinesisReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSThinkboxAWSPortalGatewayPolicy
==> Finding: []
==> Validation of: ./policies/AWSAppSyncServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonSSMFullAccess
==> Finding: []
==> Validation of: ./policies/AutoScalingNotificationAccessRole
==> Finding: []
==> Validation of: ./policies/AWSLambdaBasicExecutionRole
==> Finding: []
==> Validation of: ./policies/AmazonRDSFullAccess
==> Finding: []
==> Validation of: ./policies/ServiceCatalogEndUserAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployDeployerAccess
==> Finding: []
==> Validation of: ./policies/AWSTransferLoggingAccess
==> Finding: []
==> Validation of: ./policies/MigrationHubServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceDefenderAddThingsToThingGroupMitigationAction
==> Finding: []
==> Validation of: ./policies/AmazonSESFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSecurityHubOrganizationsAccess
==> Finding: []
==> Validation of: ./policies/LakeFormationDataAccessServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerFullAccess
==> Finding: []
==> Validation of: ./policies/GlobalAcceleratorFullAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkRoleCore
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::elasticbeanstalk-env-resources-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 6
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1984,
"line": 1,
"offset": 1984
},
"start": {
"column": 1949,
"line": 1,
"offset": 1949
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 6
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 2035,
"line": 1,
"offset": 2035
},
"start": {
"column": 1986,
"line": 1,
"offset": 1986
}
}
}
]
}
]
==> Validation of: ./policies/AmazonElasticTranscoderRole
==> Finding: []
==> Validation of: ./policies/AmazonLaunchWizard_Fullaccess
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::launchwizard*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 23
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 8081,
"line": 1,
"offset": 8081
},
"start": {
"column": 8053,
"line": 1,
"offset": 8053
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 23
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 8113,
"line": 1,
"offset": 8113
},
"start": {
"column": 8083,
"line": 1,
"offset": 8083
}
}
}
]
}
]
==> Validation of: ./policies/AmazonQLDBReadOnly
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: qldb:GetBlock.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 289,
"line": 1,
"offset": 289
},
"start": {
"column": 274,
"line": 1,
"offset": 274
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 10
}
],
"span": {
"end": {
"column": 344,
"line": 1,
"offset": 344
},
"start": {
"column": 329,
"line": 1,
"offset": 329
}
}
}
]
}
]
==> Validation of: ./policies/AmazonCognitoPowerUser
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: iam:ListRoles.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 143,
"line": 1,
"offset": 143
},
"start": {
"column": 128,
"line": 1,
"offset": 128
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 8
}
],
"span": {
"end": {
"column": 275,
"line": 1,
"offset": 275
},
"start": {
"column": 260,
"line": 1,
"offset": 260
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: iam:ListOpenIdConnectProviders.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 4
}
],
"span": {
"end": {
"column": 177,
"line": 1,
"offset": 177
},
"start": {
"column": 145,
"line": 1,
"offset": 145
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 258,
"line": 1,
"offset": 258
},
"start": {
"column": 226,
"line": 1,
"offset": 226
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: sns:ListPlatformApplications.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 209,
"line": 1,
"offset": 209
},
"start": {
"column": 179,
"line": 1,
"offset": 179
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 14
}
],
"span": {
"end": {
"column": 422,
"line": 1,
"offset": 422
},
"start": {
"column": 392,
"line": 1,
"offset": 392
}
}
}
]
}
]
==> Validation of: ./policies/SystemAdministrator
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:Allocate*.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 28
}
],
"span": {
"end": {
"column": 629,
"line": 1,
"offset": 629
},
"start": {
"column": 614,
"line": 1,
"offset": 614
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 31
}
],
"span": {
"end": {
"column": 697,
"line": 1,
"offset": 697
},
"start": {
"column": 682,
"line": 1,
"offset": 682
}
}
}
]
}
]
==> Validation of: ./policies/AmazonDevOpsGuruServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerPrivateCAReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonFSxConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRekognitionServiceRole
==> Finding: []
==> Validation of: ./policies/AWSDirectoryServiceFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSSOServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/QuickSightAccessForS3StorageManagementAnalyticsReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerRegistryFullAccess
==> Finding: []
==> Validation of: ./policies/GameLiftGameServerGroupPolicy
==> Finding: []
==> Validation of: ./policies/AmazonS3OutpostsFullAccess
==> Finding: []
==> Validation of: ./policies/AutoScalingFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2ReportsAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForCloudWatchAlarmsActionSSMServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ElastiCacheServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCloudTrailReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingLambdaConcurrencyPolicy
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForCodeGuru-Profiler
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessLifesizeDelegatedAccessPolicy
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksRegisterCLI_OnPremises
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerEdgeDeviceFleetPolicy
==> Finding: []
==> Validation of: ./policies/MigrationHubDMSAccessServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSLambda_ReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonKinesisVideoStreamsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodePipelineApproverAccess
==> Finding: []
==> Validation of: ./policies/AWSBillingReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerCoreServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonGuardDutyFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonCodeGuruReviewerReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSThinkboxAWSPortalWorkerPolicy
==> Finding: []
==> Validation of: ./policies/AmazonMacieHandshakeRole
==> Finding: []
==> Validation of: ./policies/AmazonMechanicalTurkCrowdFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudShellFullAccess
==> Finding: []
==> Validation of: ./policies/AWSQuickSightDescribeRDS
==> Finding: []
==> Validation of: ./policies/AmazonAppFlowReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudMapReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonChimeFullAccess
==> Finding: []
==> Validation of: ./policies/AWSAppMeshServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceAmiIngestion
==> Finding: []
==> Validation of: ./policies/AWSPriceListServiceFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonPollyReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonAugmentedAIFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTWirelessLogging
==> Finding: []
==> Validation of: ./policies/AmazonSSMPatchAssociation
==> Finding: []
==> Validation of: ./policies/AWSBackupServiceLinkedRolePolicyForBackupTest
==> Finding: []
==> Validation of: ./policies/AWSIoTEventsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonWorkSpacesApplicationManagerAdminAccess
==> Finding: []
==> Validation of: ./policies/AWSNetworkManagerFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonFSxFullAccess
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerReadOnly
==> Finding: []
==> Validation of: ./policies/AWSNetworkFirewallServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTFleetHubFederationAccess
==> Finding: []
==> Validation of: ./policies/AWSMigrationHubDMSAccess
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaPackageReadOnly
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkRoleCWL
==> Finding: []
==> Validation of: ./policies/AWSDataExchangeFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningRoleforRedshiftDataSourceV2
==> Finding: []
==> Validation of: ./policies/AmazonElasticTranscoder_JobsSubmitter
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkService
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::elasticbeanstalk-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 559,
"line": 1,
"offset": 559
},
"start": {
"column": 526,
"line": 1,
"offset": 526
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 596,
"line": 1,
"offset": 596
},
"start": {
"column": 561,
"line": 1,
"offset": 561
}
}
}
]
},
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 4
},
{
"value": "Action"
},
{
"index": 72
}
],
"span": {
"end": {
"column": 3368,
"line": 1,
"offset": 3368
},
"start": {
"column": 3354,
"line": 1,
"offset": 3354
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 4
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 3887,
"line": 1,
"offset": 3887
},
"start": {
"column": 3884,
"line": 1,
"offset": 3884
}
}
}
]
}
]
==> Validation of: ./policies/AWSImportExportFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonS3ReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonLexRunBotsOnly
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReduceforEC2Role
==> Finding: []
==> Validation of: ./policies/AWSStepFunctionsConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/FSxDeleteServiceLinkedRoleAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticMapReduceforAutoScalingRole
==> Finding: []
==> Validation of: ./policies/AWSB9InternalServicePolicy
==> Finding: []
==> Validation of: ./policies/AmazonKeyspacesReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSBackupOperatorPolicy
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: backup:GetRecoveryPointRestoreMetadata.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 84,
"line": 1,
"offset": 84
},
"start": {
"column": 71,
"line": 1,
"offset": 71
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 226,
"line": 1,
"offset": 226
},
"start": {
"column": 186,
"line": 1,
"offset": 186
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: rds:DescribeDBSnapshots.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 335,
"line": 1,
"offset": 335
},
"start": {
"column": 310,
"line": 1,
"offset": 310
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 416,
"line": 1,
"offset": 416
},
"start": {
"column": 391,
"line": 1,
"offset": 391
}
}
}
]
}
]
==> Validation of: ./policies/AWSLakeFormationDataAdmin
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: glue:GetWorkflow.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 17
}
],
"span": {
"end": {
"column": 460,
"line": 1,
"offset": 460
},
"start": {
"column": 442,
"line": 1,
"offset": 442
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 23
}
],
"span": {
"end": {
"column": 600,
"line": 1,
"offset": 600
},
"start": {
"column": 582,
"line": 1,
"offset": 582
}
}
}
]
}
]
==> Validation of: ./policies/AWSGlueDataBrewServiceRole
==> Finding: []
==> Validation of: ./policies/CloudWatchSyntheticsFullAccess
==> Finding: [
{
"findingDetails": "The action s3:PutBucketEncryption does not exist. Did you mean s3:PutEncryptionConfiguration? The API called PutBucketEncryption authorizes against the IAM action s3:PutEncryptionConfiguration.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 180,
"line": 1,
"offset": 180
},
"start": {
"column": 156,
"line": 1,
"offset": 156
}
}
}
]
},
{
"findingDetails": "The action lambda:GetLayerVersionByArn does not exist. Did you mean lambda:GetLayerVersion? The API called GetLayerVersionByArn authorizes against the IAM action lambda:GetLayerVersion.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 11
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 1679,
"line": 1,
"offset": 1679
},
"start": {
"column": 1650,
"line": 1,
"offset": 1650
}
}
}
]
}
]
==> Validation of: ./policies/ECRReplicationServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonSSMServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMobileAnalyticsWriteOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudTrailFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2SpotFleetTaggingRole
==> Finding: []
==> Validation of: ./policies/AWSResourceAccessManagerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceTesterForGreengrassFullAccess
==> Finding: []
==> Validation of: ./policies/AWSDataExchangeSubscriberFullAccess
==> Finding: []
==> Validation of: ./policies/BatchServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/TagPoliciesServiceRolePolicy
==> Finding: [
{
"findingDetails": "Using ForAllValues qualifier with the single-valued condition key organizations:ServicePrincipal can be overly permissive. We recommend that you remove ForAllValues:.",
"findingType": "SECURITY_WARNING",
"issueCode": "FORALLVALUES_WITH_SINGLE_VALUED_KEY",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-forallvalues-with-single-valued-key",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Condition"
},
{
"value": "ForAllValues:StringLike"
},
{
"value": "organizations:ServicePrincipal"
}
],
"span": {
"end": {
"column": 517,
"line": 1,
"offset": 517
},
"start": {
"column": 484,
"line": 1,
"offset": 484
}
}
}
]
}
]
==> Validation of: ./policies/AWSDeepRacerRoboMakerAccessPolicy
==> Finding: []
==> Validation of: ./policies/AmazonMCSReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSXrayFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodePipelineFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonPrometheusRemoteWriteAccess
==> Finding: []
==> Validation of: ./policies/Health_OrganizationsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSIoTDeviceDefenderReplaceDefaultPolicyMitigationAction
==> Finding: []
==> Validation of: ./policies/AWSSupportServiceRolePolicy
An error occurred (ValidationException) when calling the ValidatePolicy operation: InvalidPolicy
==> Finding: []
==> Validation of: ./policies/AmazonChimeUserManagement
==> Finding: []
==> Validation of: ./policies/AWSMigrationHubFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonECSTaskExecutionRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMachineLearningRoleforRedshiftDataSourceV3
==> Finding: []
==> Validation of: ./policies/AWSGrafanaWorkspacePermissionManagement
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceManageSubscriptions
==> Finding: []
==> Validation of: ./policies/AWSAppMeshEnvoyAccess
==> Finding: []
==> Validation of: ./policies/CloudWatchLogsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSGlueServiceRole
==> Finding: []
==> Validation of: ./policies/AmazonWorkSpacesSelfServiceAccess
==> Finding: []
==> Validation of: ./policies/AWSDirectConnectReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ElementalActivationsDownloadSoftwareAccess
==> Finding: []
==> Validation of: ./policies/AmazonFreeRTOSOTAUpdate
==> Finding: []
==> Validation of: ./policies/AWSApplicationDiscoveryServiceFullAccess
==> Finding: []
==> Validation of: ./policies/AWSIoT1ClickFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonTranscribeReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCloud9ServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSResourceAccessManagerFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonECSServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCloudFormationFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonSQSFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEventBridgeApiDestinationsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSDataExchangeReadOnly
==> Finding: []
==> Validation of: ./policies/CloudWatchLambdaInsightsExecutionRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSSystemsManagerAccountDiscoveryServicePolicy
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceMeteringRegisterUsage
==> Finding: []
==> Validation of: ./policies/AWSQuickSightElasticsearchPolicy
==> Finding: []
==> Validation of: ./policies/ElementalActivationsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSVPCTransitGatewayServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ViewOnlyAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: elasticloadbalancing:DescribeTargetHealth.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 113
}
],
"span": {
"end": {
"column": 3213,
"line": 1,
"offset": 3213
},
"start": {
"column": 3170,
"line": 1,
"offset": 3170
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 116
}
],
"span": {
"end": {
"column": 3346,
"line": 1,
"offset": 3346
},
"start": {
"column": 3303,
"line": 1,
"offset": 3303
}
}
}
]
}
]
==> Validation of: ./policies/AmazonDMSVPCManagementRole
==> Finding: []
==> Validation of: ./policies/AmazonEMRContainersServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSBackupOrganizationAdminAccess
==> Finding: []
==> Validation of: ./policies/MediaPackageServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ConfigConformsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSMarketplaceLicenseManagementServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonManagedBlockchainFullAccess
==> Finding: []
==> Validation of: ./policies/CloudWatchEventsBuiltInTargetExecutionAccess
==> Finding: []
==> Validation of: ./policies/AmazonMCSFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonSSMAutomationApproverAccess
==> Finding: []
==> Validation of: ./policies/AmazonRoute53AutoNamingFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticTranscoder_FullAccess
==> Finding: []
==> Validation of: ./policies/AWSQuickSightSageMakerPolicy
==> Finding: []
==> Validation of: ./policies/WorkLinkServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonMQReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSDeepRacerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksRegisterCLI_EC2
==> Finding: []
==> Validation of: ./policies/AWSDiscoveryContinuousExportFirehosePolicy
==> Finding: [
{
"findingDetails": "The 2 resource ARN(s) are redundant because they reference the same resource. Review the use of wildcards (*), or remove the resource arn:aws:s3:::aws-application-discovery-service-*/* to remove the redundancy.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 343,
"line": 1,
"offset": 343
},
"start": {
"column": 293,
"line": 1,
"offset": 293
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 1
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 397,
"line": 1,
"offset": 397
},
"start": {
"column": 345,
"line": 1,
"offset": 345
}
}
}
]
}
]
==> Validation of: ./policies/AmazonMWAAServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSElementalMediaStoreFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonElasticFileSystemClientReadWriteAccess
==> Finding: []
==> Validation of: ./policies/AmazonBraketFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeCommitPowerUser
==> Finding: []
==> Validation of: ./policies/AWSIoTEventsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSRoboMakerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AdministratorAccess-AWSElasticBeanstalk
==> Finding: []
==> Validation of: ./policies/CloudWatchEventsInvocationAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeStarNotificationsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonElasticContainerRegistryPublicFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonRedshiftServiceLinkedRolePolicy
==> Finding: []
==> Validation of: ./policies/CloudWatchAgentServerPolicy
==> Finding: []
==> Validation of: ./policies/AmazonTimestreamReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonSSMMaintenanceWindowRole
==> Finding: []
==> Validation of: ./policies/AmazonRekognitionCustomLabelsFullAccess
==> Finding: []
==> Validation of: ./policies/AWSLicenseManagerMasterAccountRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSAppSyncAdministrator
==> Finding: []
==> Validation of: ./policies/WellArchitectedConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/ServiceQuotasReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonMechanicalTurkFullAccess
==> Finding: []
==> Validation of: ./policies/AWSSSOMasterAccountAdministrator
==> Finding: []
==> Validation of: ./policies/AmazonSageMakerReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonRekognitionFullAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksInstanceRegistration
==> Finding: []
==> Validation of: ./policies/AmazonElasticFileSystemsUtils
==> Finding: []
==> Validation of: ./policies/AmazonDynamoDBFullAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceCatalogEndUserReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonGuardDutyReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2RoleforAWSCodeDeploy
==> Finding: []
==> Validation of: ./policies/AmazonRDSDirectoryServiceAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2RolePolicyForLaunchWizard
==> Finding: []
==> Validation of: ./policies/AWSOrganizationsReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonConnectFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerRegistryReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonCodeGuruProfilerFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonWorkMailEventsServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoscalingComprehendEndpointPolicy
==> Finding: []
==> Validation of: ./policies/AmazonEKSServicePolicy
==> Finding: []
==> Validation of: ./policies/AmazonChimeServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSResourceAccessManagerReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonAugmentedAIIntegratedAPIAccess
==> Finding: []
==> Validation of: ./policies/AWSIoTConfigReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/ServerMigrationConnector
==> Finding: []
==> Validation of: ./policies/AmazonAthenaFullAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksRegisterCLI
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 5
}
],
"span": {
"end": {
"column": 545,
"line": 1,
"offset": 545
},
"start": {
"column": 531,
"line": 1,
"offset": 531
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 585,
"line": 1,
"offset": 585
},
"start": {
"column": 582,
"line": 1,
"offset": 582
}
}
}
]
}
]
==> Validation of: ./policies/AWSCodeBuildDeveloperAccess
==> Finding: []
==> Validation of: ./policies/AWSXrayReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AmazonEMRReadOnlyAccessPolicy_v2
==> Finding: []
==> Validation of: ./policies/ClientVPNServiceConnectionsRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkRoleRDS
==> Finding: []
==> Validation of: ./policies/AWSXRayDaemonWriteAccess
==> Finding: []
==> Validation of: ./policies/AmazonAppFlowFullAccess
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForEC2ScheduledInstances
==> Finding: []
==> Validation of: ./policies/AWSDirectConnectServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSServiceCatalogAppRegistryReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSStorageGatewayFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMobileAnalyticsFullAccess
==> Finding: []
==> Validation of: ./policies/Billing
==> Finding: []
==> Validation of: ./policies/GlobalAcceleratorReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/CloudFrontFullAccess
==> Finding: []
==> Validation of: ./policies/AWSAppMeshPreviewServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/ResourceGroupsandTagEditorFullAccess
==> Finding: []
==> Validation of: ./policies/AWSCloudMapDiscoverInstanceAccess
==> Finding: []
==> Validation of: ./policies/AmazonTimestreamConsoleFullAccess
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: dbqms:DescribeQueryHistory.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 727,
"line": 1,
"offset": 727
},
"start": {
"column": 699,
"line": 1,
"offset": 699
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 9
}
],
"span": {
"end": {
"column": 813,
"line": 1,
"offset": 813
},
"start": {
"column": 785,
"line": 1,
"offset": 785
}
}
}
]
}
]
==> Validation of: ./policies/AmazonWorkSpacesAdmin
==> Finding: []
==> Validation of: ./policies/AWSServiceRoleForSMS
==> Finding: []
==> Validation of: ./policies/AmazonSumerianFullAccess
==> Finding: []
==> Validation of: ./policies/AWSPanoramaSageMakerRolePolicy
==> Finding: []
==> Validation of: ./policies/ElementalActivationsGenerateLicenses
==> Finding: []
==> Validation of: ./policies/AWSLambdaFullAccess
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 21
}
],
"span": {
"end": {
"column": 631,
"line": 1,
"offset": 631
},
"start": {
"column": 617,
"line": 1,
"offset": 617
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 1283,
"line": 1,
"offset": 1283
},
"start": {
"column": 1280,
"line": 1,
"offset": 1280
}
}
}
]
}
]
==> Validation of: ./policies/AWSElasticBeanstalkMulticontainerDocker
==> Finding: []
==> Validation of: ./policies/ComputeOptimizerReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/CloudSearchFullAccess
==> Finding: []
==> Validation of: ./policies/NetworkAdministrator
==> Finding: []
==> Validation of: ./policies/AmazonEC2ContainerServiceFullAccess
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 19
}
],
"span": {
"end": {
"column": 569,
"line": 1,
"offset": 569
},
"start": {
"column": 555,
"line": 1,
"offset": 555
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 587,
"line": 1,
"offset": 587
},
"start": {
"column": 584,
"line": 1,
"offset": 584
}
}
}
]
}
]
==> Validation of: ./policies/AmazonFSxConsoleReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/VMImportExportRoleForAWSConnector
==> Finding: []
==> Validation of: ./policies/AmazonRoute53ReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSMobileHub_ReadOnly
==> Finding: []
==> Validation of: ./policies/AWSIQFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonMacieFullAccess
==> Finding: []
==> Validation of: ./policies/AWSOpsWorksRole
==> Finding: [
{
"findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.",
"findingType": "SECURITY_WARNING",
"issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 14
}
],
"span": {
"end": {
"column": 483,
"line": 1,
"offset": 483
},
"start": {
"column": 469,
"line": 1,
"offset": 469
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Resource"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 525,
"line": 1,
"offset": 525
},
"start": {
"column": 522,
"line": 1,
"offset": 522
}
}
}
]
}
]
==> Validation of: ./policies/AWSDeepLensServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSLambdaInvocation-DynamoDB
==> Finding: []
==> Validation of: ./policies/AccessAnalyzerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonEC2SpotFleetAutoscaleRole
==> Finding: []
==> Validation of: ./policies/AWSConfigRulesExecutionRole
==> Finding: []
==> Validation of: ./policies/AWSFMAdminReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSBackupAdminPolicy
==> Finding: [
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: rds:DescribeDBSnapshots.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 205,
"line": 1,
"offset": 205
},
"start": {
"column": 180,
"line": 1,
"offset": 180
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 2
},
{
"value": "Action"
},
{
"index": 3
}
],
"span": {
"end": {
"column": 286,
"line": 1,
"offset": 286
},
"start": {
"column": 261,
"line": 1,
"offset": 261
}
}
}
]
}
]
==> Validation of: ./policies/AWSAccountActivityAccess
==> Finding: []
==> Validation of: ./policies/AWSEC2FleetServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/CertificateManagerServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AWSApplicationAutoScalingCustomResourcePolicy
==> Finding: []
==> Validation of: ./policies/AWSDataLifecycleManagerServiceRoleForAMIManagement
==> Finding: []
==> Validation of: ./policies/AmazonLaunchWizardFullaccess
==> Finding: [
{
"findingDetails": "The action s3:ListBuckets does not exist. Did you mean s3:ListAllMyBuckets? The API called ListBuckets authorizes against the IAM action s3:ListAllMyBuckets",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 434,
"line": 1,
"offset": 434
},
"start": {
"column": 418,
"line": 1,
"offset": 418
}
}
}
]
},
{
"findingDetails": "The action s3:ListObjects does not exist. Did you mean s3:ListBucket? The API called ListObjects authorizes against the IAM action s3:ListBucket.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 452,
"line": 1,
"offset": 452
},
"start": {
"column": 436,
"line": 1,
"offset": 436
}
}
}
]
},
{
"findingDetails": "The action s3:ListObjectsV2 does not exist. Did you mean s3:ListBucket? The API called ListObjectsV2 authorizes against the IAM action s3:ListBucket.",
"findingType": "ERROR",
"issueCode": "INVALID_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 3
},
{
"value": "Action"
},
{
"index": 2
}
],
"span": {
"end": {
"column": 472,
"line": 1,
"offset": 472
},
"start": {
"column": 454,
"line": 1,
"offset": 454
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:CreateInternetGateway.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 6
}
],
"span": {
"end": {
"column": 828,
"line": 1,
"offset": 828
},
"start": {
"column": 801,
"line": 1,
"offset": 801
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 12
}
],
"span": {
"end": {
"column": 973,
"line": 1,
"offset": 973
},
"start": {
"column": 946,
"line": 1,
"offset": 946
}
}
}
]
},
{
"findingDetails": "The 2 action(s) are redundant because they provide similar permissions. Update the policy to remove the redundant action such as: ec2:CreateNatGateway.",
"findingType": "SUGGESTION",
"issueCode": "REDUNDANT_ACTION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-redundant-action",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 852,
"line": 1,
"offset": 852
},
"start": {
"column": 830,
"line": 1,
"offset": 830
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 5
},
{
"value": "Action"
},
{
"index": 14
}
],
"span": {
"end": {
"column": 1018,
"line": 1,
"offset": 1018
},
"start": {
"column": 996,
"line": 1,
"offset": 996
}
}
}
]
},
{
"findingDetails": "Add a Region to the logs resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 11
},
{
"value": "Resource"
},
{
"index": 7
}
],
"span": {
"end": {
"column": 4039,
"line": 1,
"offset": 4039
},
"start": {
"column": 3999,
"line": 1,
"offset": 3999
}
}
}
]
},
{
"findingDetails": "Add a Region to the logs resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 13
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 4498,
"line": 1,
"offset": 4498
},
"start": {
"column": 4458,
"line": 1,
"offset": 4458
}
}
}
]
},
{
"findingDetails": "Add a Region to the logs resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 16
},
{
"value": "Resource"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 6338,
"line": 1,
"offset": 6338
},
"start": {
"column": 6298,
"line": 1,
"offset": 6298
}
}
}
]
},
{
"findingDetails": "Add a Region to the cloudformation resource ARN.",
"findingType": "ERROR",
"issueCode": "MISSING_ARN_REGION",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-missing-arn-region",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 17
},
{
"value": "Resource"
}
],
"span": {
"end": {
"column": 6485,
"line": 1,
"offset": 6485
},
"start": {
"column": 6438,
"line": 1,
"offset": 6438
}
}
}
]
}
]
==> Validation of: ./policies/AmazonRoute53ResolverFullAccess
==> Finding: []
==> Validation of: ./policies/AWSElasticBeanstalkRoleWorkerTier
==> Finding: []
==> Validation of: ./policies/AWSPanoramaApplianceRolePolicy
==> Finding: []
==> Validation of: ./policies/AlexaForBusinessNetworkProfileServicePolicy
==> Finding: []
==> Validation of: ./policies/APIGatewayServiceRolePolicy
==> Finding: []
==> Validation of: ./policies/AmazonDevOpsGuruFullAccess
==> Finding: []
==> Validation of: ./policies/AWSRoboMakerReadOnlyAccess
==> Finding: []
==> Validation of: ./policies/AWSCodeDeployRoleForLambdaLimited
==> Finding: []
==> Validation of: ./policies/AWSTransferConsoleFullAccess
==> Finding: []
==> Validation of: ./policies/AmazonChimeReadOnly
==> Finding: []
==> Validation of: ./policies/AmazonLexChannelsAccess
==> Finding: []
==> Validation of: ./policies/AWSCertificateManagerPrivateCAAuditor
==> Finding: []
==> Validation of: ./policies/AmazonRDSDataFullAccess
==> Finding: []
==> Validation of: ./policies/ServerMigration_ServiceRole
==> Finding: []
======== stats =======
policies analyzed: 837
errors: 47
sec_warnings: 21
suggestions: 72
warnings: 7
======================