Inline Policies Are Attached To ECS Service
- Query id: 9e8c89b3-7997-4d15-93e4-7911b9db99fd
- Query name: Inline Policies Are Attached To ECS Service
- Platform: CloudFormation
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description
Checks whether any ECS service has an inline policy attached: its Role references an AWS::IAM::Policy resource, which is embedded directly into an entity (user, group, ...), instead of the recommended equivalent managed policy.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  InlinePolicy:
    Type: AWS::ECS::Service
    DependsOn:
      - Listener
    Properties:
      Role:
        Ref: IAMPolicy
      LoadBalancers:
        - TargetGroupArn:
            Ref: TargetGroup
          ContainerPort: 80
          ContainerName: sample-app
      Cluster:
        Ref: ECSCluster
  IAMPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "InlinePolicy": {
      "Type": "AWS::ECS::Service",
      "DependsOn": [
        "Listener"
      ],
      "Properties": {
        "Role": {
          "Ref": "IAMPolicy"
        },
        "LoadBalancers": [
          {
            "TargetGroupArn": {
              "Ref": "TargetGroup"
            },
            "ContainerPort": 80,
            "ContainerName": "sample-app"
          }
        ],
        "Cluster": {
          "Ref": "ECSCluster"
        }
      }
    },
    "IAMPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  InlinePolicy:
    Type: AWS::ECS::Service
    DependsOn:
      - Listener
    Properties:
      LoadBalancers:
        - TargetGroupArn:
            Ref: TargetGroup
          ContainerPort: 80
          ContainerName: sample-app
      Cluster:
        Ref: ECSCluster
  IAMPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "IAMPolicy": {
      "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          ]
        }
      },
      "Type": "AWS::IAM::Policy"
    },
    "InlinePolicy": {
      "DependsOn": [
        "Listener"
      ],
      "Properties": {
        "LoadBalancers": [
          {
            "TargetGroupArn": {
              "Ref": "TargetGroup"
            },
            "ContainerPort": 80,
            "ContainerName": "sample-app"
          }
        ],
        "Cluster": {
          "Ref": "ECSCluster"
        }
      },
      "Type": "AWS::ECS::Service"
    }
  }
}
```
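The logic this query applies can be reproduced in a few lines: walk the template's `Resources`, and for every `AWS::ECS::Service` resolve what its `Role` property references; if the referenced resource is an `AWS::IAM::Policy`, the service is wired to an inline policy and gets flagged. The script below is an added, illustrative re-implementation of that check, not KICS's own code. The three templates embedded in it are constructed: the first two are the page's positive and negative JSON samples trimmed to the relevant properties, and the third (an ECS service whose `Role` references an `AWS::IAM::Role`) is an assumed extra case showing that a reference to a role resource is not reported. Handling of the `Fn::GetAtt` reference form goes slightly beyond the page's samples and is an assumption about how such references appear in practice.

```python
"""Flag CloudFormation ECS services whose Role points at an inline IAM policy
(an AWS::IAM::Policy resource). Illustrative re-implementation, not KICS code."""
import json

INLINE_POLICY_TYPE = "AWS::IAM::Policy"
ECS_SERVICE_TYPE = "AWS::ECS::Service"


def referenced_logical_id(value):
    """Return the logical resource id a property value points to, or None.

    Covers the reference forms used in CloudFormation JSON: {"Ref": "X"},
    {"Fn::GetAtt": ["X", "Arn"]} and the short {"Fn::GetAtt": "X.Arn"}.
    Literal strings (a role name or ARN) are not template references.
    """
    if not isinstance(value, dict):
        return None
    if isinstance(value.get("Ref"), str):
        return value["Ref"]
    get_att = value.get("Fn::GetAtt")
    if isinstance(get_att, list) and get_att and isinstance(get_att[0], str):
        return get_att[0]
    if isinstance(get_att, str):
        return get_att.split(".", 1)[0]
    return None


def find_ecs_services_with_inline_policy(template):
    """Return the logical ids of ECS services whose Role references an inline policy."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != ECS_SERVICE_TYPE:
            continue
        role = resource.get("Properties", {}).get("Role")
        target = referenced_logical_id(role)
        if target is None:
            continue  # no Role, or a literal name/ARN: nothing inline in this template
        if resources.get(target, {}).get("Type") == INLINE_POLICY_TYPE:
            findings.append(logical_id)
    return findings


def scan_template_file(path):
    """Convenience wrapper for a JSON template on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_ecs_services_with_inline_policy(json.load(fh))


# Constructed templates, reduced to the properties the check looks at.
POLICY_RESOURCE = {
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
    },
}

# Positive case: the service's Role references the inline policy resource.
POSITIVE_TEMPLATE = {
    "Resources": {
        "InlinePolicy": {
            "Type": "AWS::ECS::Service",
            "Properties": {"Role": {"Ref": "IAMPolicy"}, "Cluster": {"Ref": "ECSCluster"}},
        },
        "IAMPolicy": POLICY_RESOURCE,
    }
}

# Negative case: the inline policy resource exists but no service references it.
NEGATIVE_TEMPLATE = {
    "Resources": {
        "InlinePolicy": {
            "Type": "AWS::ECS::Service",
            "Properties": {"Cluster": {"Ref": "ECSCluster"}},
        },
        "IAMPolicy": POLICY_RESOURCE,
    }
}

# Assumed extra case: Role references an AWS::IAM::Role resource via Fn::GetAtt.
MANAGED_ROLE_TEMPLATE = {
    "Resources": {
        "Service": {
            "Type": "AWS::ECS::Service",
            "Properties": {"Role": {"Fn::GetAtt": ["ServiceRole", "Arn"]}},
        },
        "ServiceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
}

if __name__ == "__main__":
    for name, tpl in [("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE),
                      ("managed-role", MANAGED_ROLE_TEMPLATE)]:
        print(name, find_ecs_services_with_inline_policy(tpl))
```

The check works on the parsed template as a dictionary, so JSON templates can be fed straight from `json.load`. YAML templates that use the `!Ref` / `!GetAtt` short tags need a loader that knows CloudFormation's custom tags before they reach `find_ecs_services_with_inline_policy`; the long-form `Ref:` mapping used in this page's YAML samples parses with a plain YAML loader.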