CloudWatch Logs Destination With Vulnerable Policy

  • Query id: db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8
  • Query name: CloudWatch Logs Destination With Vulnerable Policy
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: GitHub

Description

A CloudWatch Logs destination policy should avoid wildcards in its 'principals' and 'actions'. A wildcard principal lets any AWS account subscribe to the destination, and a wildcard action such as 'logs:*' grants every CloudWatch Logs API instead of only the action a subscriber needs (for example 'logs:PutSubscriptionFilter', as in the negative sample below).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

data "aws_iam_policy_document" "test_destination_policy" {
  statement {
    effect = "Allow"

    principals {
      type = "AWS"

      identifiers = [
        data.aws_caller_identity.current.id,
      ]
    }

    actions = [
      "logs:*",
    ]

  }
}

resource "aws_cloudwatch_log_destination_policy" "test_destination_policy" {
  destination_name = aws_cloudwatch_log_destination.test_destination.name
  access_policy    = data.aws_iam_policy_document.test_destination_policy.json
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

data "aws_iam_policy_document" "test_destination_policy2" {
  statement {
    effect = "Allow"

    principals {
      type = "AWS"

      identifiers = [
        "123456789012",
      ]
    }

    actions = [
      "logs:PutSubscriptionFilter",
    ]

    resources = [
      aws_cloudwatch_log_destination.test_destination.arn,
    ]
  }
}

resource "aws_cloudwatch_log_destination_policy" "test_destination_policy2" {
  destination_name = aws_cloudwatch_log_destination.test_destination.name
  access_policy    = data.aws_iam_policy_document.test_destination_policy2.json
}
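The check this query performs can also be applied to the policy JSON that `aws_iam_policy_document` renders (the `access_policy` value), which is useful in a pre-deploy pipeline or when reviewing an existing destination's policy from the API. The following is an added example, not KICS's own Rego query or any code from the page: a small Python checker that walks every `Allow` statement and reports a wildcard principal (`"*"` or `{"AWS": "*"}`) or any action containing `*`. The three embedded policies are constructed; the first two mirror the positive and negative Terraform samples above (account ids are placeholders), and the third adds the wildcard-principal case the page describes but does not show.

```python
import json

# Constructed sample: roughly what the positive Terraform sample renders.
# The principal is a placeholder account id, the action is the wildcard "logs:*".
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "111111111111"},
        "Action": ["logs:*"],
    }],
})

# Constructed sample: roughly what the negative Terraform sample renders.
# Specific principal, single action, scoped resource (placeholder ARN).
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": ["logs:PutSubscriptionFilter"],
        "Resource": "arn:aws:logs:us-east-1:111111111111:destination:test_destination",
    }],
})

# Constructed sample: the other half of the query, an open principal with a
# narrow action. Anyone can subscribe to this destination.
OPEN_PRINCIPAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "logs:PutSubscriptionFilter",
    }],
})


def _as_list(value):
    """IAM JSON allows a scalar or a list for Statement, Action and principal ids."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(ids) for ids in principal.values())
    return False


def find_wildcards(policy_json):
    """Return (statement_index, field, value) for every wildcard in an Allow statement.

    Only Allow statements matter: a wildcard in a Deny statement narrows access
    rather than widening it.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append((idx, "Principal", "*"))
        for action in _as_list(stmt.get("Action")):
            # Catches "*", "logs:*" and partial globs such as "logs:Put*".
            if "*" in action:
                findings.append((idx, "Action", action))
    return findings


if __name__ == "__main__":
    for name, doc in [("vulnerable", VULNERABLE_POLICY),
                      ("safe", SAFE_POLICY),
                      ("open principal", OPEN_PRINCIPAL_POLICY)]:
        print(name, find_wildcards(doc) or "no wildcards")
```

Run it on the `access_policy` string of any `aws_cloudwatch_log_destination_policy` (for example the output of `terraform show -json` or `aws logs describe-destinations`); an empty result means the statement names both who may subscribe and which single action they get, which is what the negative sample above expresses in HCL.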