Glue With Vulnerable Policy

  • Query id: d25edb51-07fb-4a73-97d4-41cecdc53a22
  • Query name: Glue With Vulnerable Policy
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

A Glue resource policy should avoid wildcards in 'principals' and 'actions': a `*` principal grants every AWS account access, and `glue:*` grants every Glue API action.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
data "aws_iam_policy_document" "glue-example-policy" {
  statement {
    # Vulnerable on purpose: wildcard action and wildcard principal
    actions = [
      "glue:*",
    ]
    resources = ["arn:${data.aws_partition.current.partition}:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
  }
}

resource "aws_glue_resource_policy" "example" {
  policy = data.aws_iam_policy_document.glue-example-policy.json
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
data "aws_iam_policy_document" "glue-example-policy2" {
  statement {
    # Specific action and a specific principal (a SAML provider in one account)
    actions = [
      "glue:CreateTable",
    ]
    resources = ["arn:${data.aws_partition.current.partition}:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    principals {
      identifiers = ["arn:aws:iam::${var.account_id}:saml-provider/${var.provider_name}"]
      type        = "AWS"
    }
  }
}

resource "aws_glue_resource_policy" "example2" {
  policy = data.aws_iam_policy_document.glue-example-policy2.json
}
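The check above, applied to the rendered JSON that `aws_iam_policy_document` produces and `aws_glue_resource_policy` receives, as an added example that is not part of the KICS query itself. The two policies are constructed to mirror the positive and negative samples; the account id, region and SAML provider name are placeholders.

```python
import json

# Constructed policies mirroring the two Terraform samples above (placeholder values)
VULNERABLE_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glue:*"],
        "Resource": "arn:aws:glue:us-east-1:111122223333:*",
        "Principal": {"AWS": "*"},
    }],
})

SAFE_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glue:CreateTable"],
        "Resource": "arn:aws:glue:us-east-1:111122223333:*",
        "Principal": {"AWS": "arn:aws:iam::111122223333:saml-provider/example-idp"},
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal, which may be the bare string "*" or a map like {"AWS": [...]}."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def find_wildcards(policy_json):
    """Return (statement index, field, value) for each wildcard in an Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect", "Allow") != "Allow":
            continue  # a Deny with wildcards narrows access rather than widening it
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for principal in _principals(stmt):
            if principal == "*":
                findings.append((idx, "Principal", principal))
    return findings
```

Only Action and Principal are inspected, matching the query's scope; the `:*` at the end of the Resource ARN in both samples is not a finding for this check.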