Creating an Exclusions File
As mentioned previously, Cloudsplaining tool does not attempt to understand the context behind everything in your AWS account. It's possible to understand the context behind some of these things programmatically - whether the policy is applied to an instance profile, whether the policy is attached, whether inline IAM policies are in use, and whether or not AWS Managed Policies are in use. Only you know the context behind the design of your AWS infrastructure and the IAM strategy.
As such, it's important to eliminate False Positives that are context-dependent. You can do this with an exclusions file. We've included a command that will generate an exclusions file for you so you don't have to remember the required format.
You can create an exclusions template via the following command:
This will generate a file in your current directory titled
Now when you run the
scan command, you can use the exclusions file like this:
cloudsplaining scan --exclusions-file exclusions.yml --input-file examples/files/example.json --output examples/files/