This repository has been archived by the owner on Aug 6, 2018. It is now read-only.

Report EMR instances with inappropriate IAM role(s) #47

Open
hjacobs opened this issue Apr 16, 2015 · 1 comment

Comments

@hjacobs
Contributor

hjacobs commented Apr 16, 2015

Elastic Map Reduce (EMR) instances (using Amazon’s EMR AMIs) MAY be started, but MUST NOT get any access to the central IAM infrastructure through robot users.

All IAM roles of all EMR instances (running Amazon AMIs) must be checked to not allow privilege escalation, i.e. they should not allow downloading security credentials (generated by Mint) from S3.
A reasonable approach would be to only allow white-listed usage of non-Mint S3 buckets (most EMR use cases just need S3 access).

Mint: http://stups.readthedocs.org/en/latest/components/mint.html

@mrandi
Member

mrandi commented Mar 18, 2016

@hjacobs, if I get it right:

  • Parse the policy
  • get all S3 rules
  • get all configured Mint buckets from Kio (because buckets are global, so I can't filter them)
  • check if that is the case

Right?
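The check outlined in the issue and in the four steps above, as an added example that is not part of the STUPS project or of either comment: it walks the `Allow` statements of an IAM policy document, keeps those whose actions cover an S3 object read, and reports which Mint buckets their resource patterns reach. The bucket names, the role names and the policy documents are constructed for the example; in a real run the bucket list would come from Kio and the policies from the IAM API for each EMR instance role, both of which are assumptions here.

```python
"""Flag IAM policy statements that let an EMR instance read Mint's S3 buckets.

Added example (not STUPS project code). The Mint bucket names and the policy
documents below are constructed; in practice the bucket list would be fetched
from Kio and the policies from IAM for every EMR instance role (assumption).
"""
import re

# Constructed Mint bucket names (assumption: fetched from Kio in practice).
MINT_BUCKETS = ["example-mint-bucket-eu-central-1", "example-mint-bucket-eu-west-1"]

# Object-level read actions through which stored credentials could be fetched.
S3_OBJECT_READ_ACTIONS = ("s3:getobject", "s3:getobjectversion")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(value: str, pattern: str) -> bool:
    """Match an IAM wildcard pattern ('*' and '?') against a concrete value."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _grants_object_read(action_pattern: str) -> bool:
    """True if the (case-insensitive) action pattern covers an S3 object read."""
    return any(_iam_match(a, action_pattern.lower()) for a in S3_OBJECT_READ_ACTIONS)


def _covers_bucket(resource_pattern: str, bucket: str) -> bool:
    """True if the resource pattern covers objects inside the given bucket."""
    # Representative object ARN with a constructed key; any object under the bucket counts.
    object_arn = f"arn:aws:s3:::{bucket}/SOME-APP/credentials.json"
    return _iam_match(object_arn, resource_pattern)


def find_mint_access(policy: dict, mint_buckets=MINT_BUCKETS) -> list:
    """Return one finding per Allow statement that can read a Mint bucket.

    Explicit Deny statements are not simulated, so the result may over-report,
    but a plain Allow is never missed. NotAction/NotResource grants are flagged
    for manual review because they cannot be bounded by pattern matching.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"sid": sid, "reason": "NotAction/NotResource grant, review manually",
                             "buckets": sorted(mint_buckets)})
            continue
        read_actions = [a for a in _as_list(stmt.get("Action")) if _grants_object_read(a)]
        if not read_actions:
            continue
        hit = sorted({b for b in mint_buckets
                      for r in _as_list(stmt.get("Resource")) if _covers_bucket(r, b)})
        if hit:
            findings.append({"sid": sid, "buckets": hit,
                             "reason": "allows object read on Mint bucket(s) via " + ", ".join(read_actions)})
    return findings


def report_roles(role_policies: dict, mint_buckets=MINT_BUCKETS) -> dict:
    """Map role name -> findings, keeping only roles with at least one finding."""
    report = {}
    for role, policies in role_policies.items():
        found = [f for p in policies for f in find_mint_access(p, mint_buckets)]
        if found:
            report[role] = found
    return report


# Constructed sample: one EMR instance role policy with a mix of statements.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppData", "Effect": "Allow",   # fine: white-listed non-Mint bucket
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",       # bad: wildcard resource reaches Mint buckets
         "Action": "s3:Get*", "Resource": "*"},
        {"Sid": "DenyMint", "Effect": "Deny",        # skipped: not an Allow
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-mint-bucket-eu-central-1/*"},
        {"Sid": "AllowMintRead", "Effect": "Allow",  # bad: names a Mint bucket directly
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-mint-bucket-eu-west-1/*"},
        {"Sid": "NotActionGrant", "Effect": "Allow", # review: everything except IAM
         "NotAction": "iam:*", "Resource": "*"},
    ],
}
CLEAN_POLICY = {"Version": "2012-10-17", "Statement": SAMPLE_POLICY["Statement"][:1]}

if __name__ == "__main__":
    roles = {"emr-role-example": [SAMPLE_POLICY], "emr-appdata-only": [CLEAN_POLICY]}
    for role, findings in report_roles(roles).items():
        for f in findings:
            print(f"{role}: {f['sid']}: {f['reason']} -> {f['buckets']}")
```

Only `Allow` statements are inspected, so an explicit `Deny` elsewhere in the policy (or in a permission boundary) is not credited; that keeps the checker conservative, which is the right direction for a report that a human then reviews. Actions are compared case-insensitively, as IAM does, and the resource check asks whether the pattern covers an object inside the bucket rather than the bucket ARN alone, because that is what `s3:GetObject` needs.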
