Ram Policy Admin Access Not Attached to Users Groups Roles
- Query id: e8e62026-da63-4904-b402-65adfe3ca975
- Query name: Ram Policy Admin Access Not Attached to Users Groups Roles
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
Ram policies with admin access should not be associated to users, groups or roles
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Create a RAM User Policy attachment.
resource "alicloud_ram_user" "user4" {
name = "userName"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "hello.uuu@aaa.com"
comments = "yoyoyo"
force = true
}
resource "alicloud_ram_policy" "policy4" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:*"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}
resource "alicloud_ram_user_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy4.name
policy_type = alicloud_ram_policy.policy4.type
user_name = alicloud_ram_user.user4.name
}
Positive test num. 2 - tf file
# Create a RAM Group Policy attachment.
resource "alicloud_ram_group" "group5" {
name = "groupName"
comments = "this is a group comments."
force = true
}
resource "alicloud_ram_policy" "policy5" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:*"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}
resource "alicloud_ram_group_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy5.name
policy_type = alicloud_ram_policy.policy5.type
group_name = alicloud_ram_group.group5.name
}
Positive test num. 3 - tf file
# Create a RAM Role Policy attachment.
resource "alicloud_ram_role" "role6" {
name = "roleName"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}
resource "alicloud_ram_policy" "policy6" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:*"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}
resource "alicloud_ram_role_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy6.name
policy_type = alicloud_ram_policy.policy6.type
role_name = alicloud_ram_role.role6.name
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Create a RAM User Policy attachment.
resource "alicloud_ram_user" "user1" {
name = "userName"
display_name = "user_display_name"
mobile = "86-18688888888"
email = "hello.uuu@aaa.com"
comments = "yoyoyo"
force = true
}
resource "alicloud_ram_policy" "policy1" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}
resource "alicloud_ram_user_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy1.name
policy_type = alicloud_ram_policy.policy1.type
user_name = alicloud_ram_user.user1.name
}
Negative test num. 2 - tf file
# Create a RAM Group Policy attachment.
resource "alicloud_ram_group" "group2" {
name = "groupName"
comments = "this is a group comments."
force = true
}
resource "alicloud_ram_policy" "policy2" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}
resource "alicloud_ram_group_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy2.name
policy_type = alicloud_ram_policy.policy2.type
group_name = alicloud_ram_group.group2.name
}
Negative test num. 3 - tf file
# Create a RAM Role Policy attachment.
resource "alicloud_ram_role" "role3" {
name = "roleName"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.aliyuncs.com",
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
description = "this is a role test."
force = true
}
resource "alicloud_ram_policy" "policy3" {
name = "policyName"
document = <<EOF
{
"Statement": [
{
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
force = true
}
resource "alicloud_ram_role_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy3.name
policy_type = alicloud_ram_policy.policy3.type
role_name = alicloud_ram_role.role3.name
}