in access-analyzer/iam-role-findings-resolution/functions/access_analyzer_event_bridge_target.py [0:0]
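def _trust_policy_with_deny(policy_doc, ext_arn, finding_id):
    """Return ``(new_doc, changed)`` where ``new_doc`` is *policy_doc* plus an explicit Deny.

    The Deny blocks ``sts:AssumeRole`` for the principal ``ext_arn`` and uses
    ``finding_id`` as its Sid. If a statement with that Sid is already present
    the document is returned unchanged and ``changed`` is False, so processing
    the same finding twice does not append a duplicate Sid (IAM requires Sids
    to be unique within a policy, so a duplicate would make the update fail).

    The input document is not mutated; a new top-level dict and statement list
    are built (individual existing statement dicts are shared, not copied).
    """
    statements = policy_doc.get("Statement", [])
    # The policy grammar allows a single statement object in place of a list.
    if isinstance(statements, dict):
        statements = [statements]

    if any(stmt.get("Sid") == finding_id for stmt in statements):
        return policy_doc, False

    # NOTE(review): IAM restricts Sid to alphanumeric characters; Access Analyzer
    # finding IDs are UUID-style strings containing hyphens — confirm IAM accepts
    # them as Sids here, or sanitize finding_id before using it.
    deny_statement = {
        "Sid": finding_id,
        "Effect": "Deny",
        "Principal": {"AWS": ext_arn},
        "Action": "sts:AssumeRole",
    }
    new_doc = {**policy_doc, "Statement": [*statements, deny_statement]}
    return new_doc, True


def disable_iam_access(resource_name, ext_arn, finding_id):
    """Add an explicit ``sts:AssumeRole`` Deny for ``ext_arn`` to a role's trust policy.

    Args:
        resource_name: Name of the IAM role the Access Analyzer finding was
            raised against.
        ext_arn: ARN of the external principal to block. Surrounding whitespace
            is stripped before use.
        finding_id: Access Analyzer finding ID, used as the Sid of the Deny
            statement so the block can be traced back to (and deduplicated by)
            the finding.

    Returns:
        True when the trust policy carries the Deny on return (added now, or
        already present from an earlier run); False when the role could not be
        read or its trust policy could not be updated.

    Errors are logged rather than raised so one bad finding does not abort the
    caller, but a False return means the external access is still open —
    callers that must guarantee remediation should check the return value
    instead of assuming success.
    """
    try:
        ext_arn = ext_arn.strip()
        role = iam.get_role(RoleName=resource_name)["Role"]
        current_doc = role["AssumeRolePolicyDocument"]
        new_doc, changed = _trust_policy_with_deny(current_doc, ext_arn, finding_id)
        if not changed:
            logger.info(
                "Deny statement %s already present on role %s; nothing to do",
                finding_id, resource_name,
            )
            return True

        new_policy = json.dumps(new_doc)
        logger.debug(new_policy)
        response = iam.update_assume_role_policy(
            PolicyDocument=new_policy,
            RoleName=resource_name)
        logger.info(response)
        return True
    except Exception:
        # logger.exception records the traceback; the role/finding context is
        # what an operator needs to find the access that is still open.
        logger.exception(
            "Unable to update IAM Policy for role %s (finding %s)",
            resource_name, finding_id,
        )
        return False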