IAM Role Policy passRole Allows All

  • Query id: e39bee8c-fe54-4a3f-824d-e5e2d1cca40a
  • Query name: IAM Role Policy passRole Allows All
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - tf file
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "iam:passrole"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "iam:passrole"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1"
      }
    ]
  }
  EOF
}