IAM Access Key Is Exposed
- Query id: 7f79f858-fbe8-4186-8a2c-dfd0d958a40f
- Query name: IAM Access Key Is Exposed
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- URL: Github
Description
Checks whether an IAM access key is active for any user other than 'root'.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: "{{ item }}"
    state: present
    password: "{{ temp_pass }}"
    access_key_state: active
  loop:
    - jcleese
    - mpython
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: "{{ item }}"
    state: present
    password: "{{ temp_pass }}"
    access_key_state: active
  loop:
    - root
    - mpython
- name: Create Two Groups, Mario and Luigi
  community.aws.iam:
    iam_type: group
    name: "{{ item }}"
    state: present
    access_key_state: active
  loop:
    - Mario
    - Luigi
  register: new_groups
- name: Update user
  community.aws.iam:
    iam_type: user
    name: jdavila
    state: update
    access_key_state: active
    groups: "{{ item.created_group.group_name }}"
  loop: "{{ new_groups.results }}"
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
# Basic user creation example
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: '{{ item }}'
    state: present
    password: '{{ temp_pass }}'
    access_key_state: create
  loop:
    - jcleese
    - mpython
# Basic user creation example
- name: Create two new IAM users with API keys
  community.aws.iam:
    iam_type: user
    name: root
    state: present
    password: '{{ temp_pass }}'
    access_key_state: active
- name: Create Two Groups, Mario and Luigi
  community.aws.iam:
    iam_type: group
    name: '{{ item }}'
    state: present
  loop:
    - Mario
    - Luigi
  register: new_groups
- name: Update user
  community.aws.iam:
    iam_type: user
    name: jdavila
    state: update
    access_key_state: inactive
    groups: '{{ item.created_group.group_name }}'
  loop: '{{ new_groups.results }}'
```
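As an added example that is not part of this page or the KICS project's own query, the check described above written as a Python function over Ansible tasks already loaded by a YAML parser (for example `yaml.safe_load`); it expands `name: "{{ item }}"` against a literal `loop` list, treats `root` as allowed exactly as the description states, and reports tasks whose loop is a Jinja expression it cannot expand so a reviewer looks at them rather than having them skipped. The names `find_exposed_keys`, `resolve_names`, `user_task` and the task dictionaries are constructed here.

```python
import re
from typing import Any, Optional

MODULE = "community.aws.iam"
ITEM_RE = re.compile(r"^\s*\{\{\s*item\s*\}\}\s*$")  # matches name: "{{ item }}"


def resolve_names(task: dict) -> Optional[list[str]]:
    """Users a task targets: a literal name, or the loop items for "{{ item }}".
    Returns None when the loop is a Jinja expression that cannot be expanded."""
    name = str(task[MODULE].get("name", ""))
    if not ITEM_RE.match(name):
        return [name]
    loop = task.get("loop")
    return [str(x) for x in loop] if isinstance(loop, list) else None


def find_exposed_keys(tasks: list[dict]) -> list[tuple[str, str]]:
    """(task title, user) for every non-root IAM user given an active access key.
    Unexpandable loops are reported with the raw name template for manual review."""
    findings = []
    for task in tasks:
        params = task.get(MODULE)
        if not isinstance(params, dict) or params.get("iam_type") != "user":
            continue  # only user tasks matter for this rule; groups are ignored
        if str(params.get("access_key_state", "")).lower() != "active":
            continue  # create / inactive / remove are not flagged
        title = str(task.get("name", "<unnamed>"))
        users = resolve_names(task)
        if users is None:
            findings.append((title, str(params.get("name"))))
        else:
            findings.extend((title, u) for u in users if u != "root")
    return findings


def user_task(title: str, loop: Any = None, **params: Any) -> dict:
    """Constructed task dict shaped like yaml.safe_load output for the samples above."""
    return {"name": title, MODULE: {"iam_type": "user", **params}, "loop": loop}


# Constructed input: the user tasks from the page's positive sample
POSITIVE_TASKS = [
    user_task("Create two new IAM users with API keys", ["jcleese", "mpython"],
              name="{{ item }}", access_key_state="active"),
    user_task("Create two new IAM users with API keys", ["root", "mpython"],
              name="{{ item }}", access_key_state="active"),
    user_task("Update user", "{{ new_groups.results }}", name="jdavila",
              state="update", access_key_state="active"),
]
```

Running `find_exposed_keys(POSITIVE_TASKS)` flags jcleese, mpython (twice) and jdavila but not root; the negative sample's `create`, `inactive` and literal `root` tasks produce no findings.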