Sentinel Policy extract

swetharamk · December 28, 2022, 3:39pm

Hi ,
I am working on a Sentinel policy to check tags on a role, which has a Sts condition like sts:ExternalId. Iam getting all my aws _iam roles and iterating through them and mostly check for the assume role policy by iterating and checking change.after. But in few workspaces I see the assume role policy rr.change.before so my condition is resulting undefined. I tried to put a condition for undefined and let it pass but still having issues can you please help.
Code:
GetRoleTags = aws.find_resources_with_standard_tags(“aws_iam_role”) // get tags for all the aws Iam roles
for GetRoleTags as r, rr {
get_role_policy_after = rr.change.after.assume_role_policy // get the assume role policy for that
get_role_policy_before = rr.change.before.assume_role_policy
print(get_role_policy_after,get_role_policy_before)
if(get_role_policy_after contains “sts:ExternalId” or get_role_policy_before contains “sts:ExternalId” ) {

ashutoshrathore · December 28, 2022, 4:00pm

@swetharamk can you please share details what other issues you are facing? Or if you can share policy via https://play.sentinelproject.io/