Spaces:
No application file
No application file
| **To request the validation of a policy and returns a list of findings** | |
| The following ``validate-policy`` example requests the validation of a policy and returns a list of findings. The policy in the example is a role trust policy for an Amazon Cognito role used for web identity federation. The findings generated from the trust policy relate to an empty ``Sid`` element value and a mismatched policy principal due to the incorrect assume role action being used, ``sts:AssumeRole``. The correct assume role action for use with Cognito is ``sts:AssumeRoleWithWebIdentity``. :: | |
| aws accessanalyzer validate-policy \ | |
| --policy-document file://myfile.json \ | |
| --policy-type RESOURCE_POLICY | |
| Contents of ``myfile.json``:: | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Federated": "cognito-identity.amazonaws.com" | |
| }, | |
| "Action": [ | |
| "sts:AssumeRole", | |
| "sts:TagSession" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "cognito-identity.amazonaws.com:aud": "us-west-2_EXAMPLE" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| Output:: | |
| { | |
| "findings": [ | |
| { | |
| "findingDetails": "Add a value to the empty string in the Sid element.", | |
| "findingType": "SUGGESTION", | |
| "issueCode": "EMPTY_SID_VALUE", | |
| "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value", | |
| "locations": [ | |
| { | |
| "path": [ | |
| { | |
| "value": "Statement" | |
| }, | |
| { | |
| "index": 0 | |
| }, | |
| { | |
| "value": "Sid" | |
| } | |
| ], | |
| "span": { | |
| "end": { | |
| "column": 21, | |
| "line": 5, | |
| "offset": 81 | |
| }, | |
| "start": { | |
| "column": 19, | |
| "line": 5, | |
| "offset": 79 | |
| } | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "findingDetails": "The sts:AssumeRole action is invalid with the following principal(s): cognito-identity.amazonaws.com. Use a SAML provider principal with the sts:AssumeRoleWithSAML action or use an OIDC provider principal with the sts:AssumeRoleWithWebIdentity action. Ensure the provider is Federated if you use either of the two options.", | |
| "findingType": "ERROR", | |
| "issueCode": "MISMATCHED_ACTION_FOR_PRINCIPAL", | |
| "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-mismatched-action-for-principal", | |
| "locations": [ | |
| { | |
| "path": [ | |
| { | |
| "value": "Statement" | |
| }, | |
| { | |
| "index": 0 | |
| }, | |
| { | |
| "value": "Action" | |
| }, | |
| { | |
| "index": 0 | |
| } | |
| ], | |
| "span": { | |
| "end": { | |
| "column": 32, | |
| "line": 11, | |
| "offset": 274 | |
| }, | |
| "start": { | |
| "column": 16, | |
| "line": 11, | |
| "offset": 258 | |
| } | |
| } | |
| }, | |
| { | |
| "path": [ | |
| { | |
| "value": "Statement" | |
| }, | |
| { | |
| "index": 0 | |
| }, | |
| { | |
| "value": "Principal" | |
| }, | |
| { | |
| "value": "Federated" | |
| } | |
| ], | |
| "span": { | |
| "end": { | |
| "column": 61, | |
| "line": 8, | |
| "offset": 202 | |
| }, | |
| "start": { | |
| "column": 29, | |
| "line": 8, | |
| "offset": 170 | |
| } | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "findingDetails": "The following actions: sts:TagSession are not supported by the condition key cognito-identity.amazonaws.com:aud. The condition will not be evaluated for these actions. We recommend that you move these actions to a different statement without this condition key.", | |
| "findingType": "ERROR", | |
| "issueCode": "UNSUPPORTED_ACTION_FOR_CONDITION_KEY", | |
| "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-unsupported-action-for-condition-key", | |
| "locations": [ | |
| { | |
| "path": [ | |
| { | |
| "value": "Statement" | |
| }, | |
| { | |
| "index": 0 | |
| }, | |
| { | |
| "value": "Action" | |
| }, | |
| { | |
| "index": 1 | |
| } | |
| ], | |
| "span": { | |
| "end": { | |
| "column": 32, | |
| "line": 12, | |
| "offset": 308 | |
| }, | |
| "start": { | |
| "column": 16, | |
| "line": 12, | |
| "offset": 292 | |
| } | |
| } | |
| }, | |
| { | |
| "path": [ | |
| { | |
| "value": "Statement" | |
| }, | |
| { | |
| "index": 0 | |
| }, | |
| { | |
| "value": "Condition" | |
| }, | |
| { | |
| "value": "StringEquals" | |
| }, | |
| { | |
| "value": "cognito-identity.amazonaws.com:aud" | |
| } | |
| ], | |
| "span": { | |
| "end": { | |
| "column": 79, | |
| "line": 16, | |
| "offset": 464 | |
| }, | |
| "start": { | |
| "column": 58, | |
| "line": 16, | |
| "offset": 443 | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| ] | |
| } | |
| For more information, see `Checks for validating policies <https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-checks-validating-policies.html>`__ in the *AWS IAM User Guide*. | |