IoT Policy Allows Action as Wildcard
- Query id: 4d32780f-43a4-424a-a06d-943c543576a5
- Query name: IoT Policy Allows Action as Wildcard
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description
IoT Policy should not allow Action to be set as *
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  IoTPolicy:
    Type: AWS::IoT::Policy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource:
              - arn:aws:iot:us-east-1:123456789012:client/client
          - Effect: Deny
            Action:
              - sqs:*
            NotResource: my-hardcoded-arn
      PolicyName: PolicyName
```
Positive test num. 2 - json file

```json
{
  "Resources": {
    "IoTPolicy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client"
              ]
            },
            {
              "Effect": "Deny",
              "Action": [
                "sqs:*"
              ],
              "NotResource": "my-hardcoded-arn"
            }
          ]
        },
        "PolicyName": "PolicyName"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  IoTPolicy:
    Type: AWS::IoT::Policy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - iot:Connect
            Resource:
              - arn:aws:iot:us-east-1:123456789012:client/client1
      PolicyName: PolicyName
```
Negative test num. 2 - json file

```json
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "IoTPolicy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iot:Connect"
              ],
              "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1"
              ]
            }
          ]
        },
        "PolicyName": "PolicyName"
      }
    }
  }
}
```
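The check this query performs can be reproduced in a few lines of Python. The example below is added here and is not KICS code: it walks a CloudFormation template, picks out every `AWS::IoT::Policy` resource, and reports each `Allow` statement whose `Action` is the bare wildcard `"*"`, whether `Action` is given as a scalar or as a list. A `Deny` statement with a wildcard (like the `sqs:*` entry in the positive sample) only narrows access and is deliberately not reported. Only the JSON template form is parsed, using the standard library; a YAML template loads into the same dictionary structure and can be passed to `find_wildcard_iot_actions` directly. The two embedded templates are the page's own positive and negative JSON samples.

```python
"""Flag AWS::IoT::Policy resources that grant Action "*" (added example, not KICS code)."""
import json
from typing import Any, Dict, List

# Constructed inputs: the page's positive and negative JSON samples, condensed.
POSITIVE_TEMPLATE = """
{
  "Resources": {
    "IoTPolicy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "*",
             "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client"]},
            {"Effect": "Deny", "Action": ["sqs:*"], "NotResource": "my-hardcoded-arn"}
          ]
        },
        "PolicyName": "PolicyName"
      }
    }
  }
}
"""

NEGATIVE_TEMPLATE = """
{
  "Resources": {
    "IoTPolicy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": ["arn:aws:iot:us-east-1:123456789012:client/client1"]}
          ]
        },
        "PolicyName": "PolicyName"
      }
    }
  }
}
"""


def _as_list(value: Any) -> List[Any]:
    """IAM/IoT policy grammar allows a scalar wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_iot_actions(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement of an AWS::IoT::Policy whose Action contains "*"."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IoT::Policy":
            continue
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        for index, statement in enumerate(_as_list(document.get("Statement"))):
            # A Deny with "*" only removes permissions; the rule targets grants.
            if statement.get("Effect") != "Allow":
                continue
            # Exact match on "*": intrinsic functions (dicts) and service
            # wildcards such as "iot:*" are outside what this query reports.
            if any(action == "*" for action in _as_list(statement.get("Action"))):
                findings.append({
                    "resource": logical_id,
                    "statement_index": index,
                    "resources": _as_list(statement.get("Resource")),
                })
    return findings


def scan_json_template(text: str) -> List[Dict[str, Any]]:
    """Parse a JSON CloudFormation template and run the wildcard-Action check."""
    return find_wildcard_iot_actions(json.loads(text))


if __name__ == "__main__":
    for label, text in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE)):
        print(label, scan_json_template(text))
```

Running the block prints one finding for the positive sample (resource `IoTPolicy`, statement 0) and an empty list for the negative sample. The remediation is the one the negative samples show: replace `"*"` with the specific `iot:` actions the device actually needs, scoped to the client or topic ARNs it should touch.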