My code looks like this:
Defining the IAM Roles
let aws_iam_entities_no_managed_policy = Resources.*[
Type in [ /AWS::IAM::User/,
/AWS::IAM::Role/,
/AWS::IAM::Group/ ]
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "IAM_ONLY_ALLOW_NONAWSManagedPolicies"
]
Setting up the rule and making sure the role has managed policies
rule IAM_ONLY_ALLOW_NONAWSManagedPolicies when %aws_iam_entities_no_managed_policy !empty {
when %aws_iam_entities_no_managed_policy.Properties.ManagedPolicyArns !empty {
Defining the rule I want to compare the managed policies to (It cannot be a !Sub function with an arn that begins with AWS as these are aws-managed policies)
%aws_iam_entities_no_managed_policy.Properties.ManagedPolicyArns[*]."Fn::Sub" !in [/^arn:aws:iam::\${AWS::AccountId}:policy\/AWS/,"arn:aws:iam::${AWS::AccountId}:policy/VMImportExportRoleForAWSConnector"]
The Violation message
<<
Violation: Only select managed policies are allowed on IAM Users, Roles, or Groups.
Fix: Remove the disallowed policies from any IAM Users, Roles, or Groups.
>>
}
}
What I am looking for
The above code is flagging lines that start with !Ref instead of just skipping them. I do not care if they are referencing something else in their code, as I only want to check the lines where they have !Sub in their Managed Policies. How can I change this code to ignore, or allow, anything starting with the Ref function and continue to flag any Subs for Managed Policies that begin with AWS?
I tried different formats and whitelisting the Ref function with both the AND and OR function.
%aws_iam_entities_no_managed_policy.Properties.ManagedPolicyArns[*]."Fn::Ref" !empty
However, this resulted in !Sub getting flagged because it was searching for Ref and !Ref getting flagged because it was searching for !Sub. I cannot figure out how to just ignore one of them.