IAM Policies With Full Privileges

  • Query id: e401d614-8026-4f4b-9af9-75d1197461ba
  • Query name: IAM Policies With Full Privileges
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

IAM policies shouldn't allow full administrative privileges (for all resources)
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: ["*"]
        Resource: "*"
    make_default: false
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present