# CloudWatch Logs Destination With Vulnerable Policy

- Query id: db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8
- Query name: CloudWatch Logs Destination With Vulnerable Policy
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- URL: Github
## Description

A CloudWatch Logs destination policy should avoid wildcards in its `principals` and `actions`: a `*` principal lets any AWS account put subscription filters on the destination, and a `logs:*` action grants far more than the `logs:PutSubscriptionFilter` permission a cross-account sender needs.

Documentation

## Code samples

### Code samples with security vulnerabilities

Positive test num. 1 - tf file
```tf
data "aws_iam_policy_document" "test_destination_policy" {
  statement {
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        data.aws_caller_identity.current.id,
      ]
    }
    actions = [
      "logs:*",
    ]
  }
}

resource "aws_cloudwatch_log_destination_policy" "test_destination_policy" {
  destination_name = aws_cloudwatch_log_destination.test_destination.name
  access_policy    = data.aws_iam_policy_document.test_destination_policy.json
}
```
### Code samples without security vulnerabilities

Negative test num. 1 - tf file
```tf
data "aws_iam_policy_document" "test_destination_policy2" {
  statement {
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        "123456789012",
      ]
    }
    actions = [
      "logs:PutSubscriptionFilter",
    ]
    resources = [
      aws_cloudwatch_log_destination.test_destination.arn,
    ]
  }
}

resource "aws_cloudwatch_log_destination_policy" "test_destination_policy2" {
  destination_name = aws_cloudwatch_log_destination.test_destination.name
  access_policy    = data.aws_iam_policy_document.test_destination_policy2.json
}
```
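As an added example (not KICS code and not from the page), the check below applies the rule above to the rendered JSON that a destination policy ends up as: it flags any Allow statement whose Principal or Action contains a wildcard, handling the string-or-list and `{"AWS": ...}` shapes IAM allows. The two embedded policies are constructed to mirror the page's positive and negative samples; the ARNs and region in them are assumed.

```python
import json

# Constructed samples mirroring the page's two aws_iam_policy_document blocks once rendered
# (account id 123456789012 is the page's placeholder; the ARNs and region are assumed).
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "logs:*",
    }],
})
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": "logs:PutSubscriptionFilter",
        "Resource": "arn:aws:logs:us-east-1:123456789012:destination:test_destination",
    }],
})

def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_ids(principal):
    """Principal is either the bare string "*" or a map like {"AWS": "..."} / {"AWS": [...]}."""
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)

def find_wildcards(policy_json):
    """Return (statement index, field, value) for every wildcard principal or action
    found in an Allow statement of the destination policy."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement with "*" narrows access rather than widening it
        for principal in _principal_ids(stmt.get("Principal")):
            if "*" in principal:
                findings.append((index, "Principal", principal))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:  # catches "*", "logs:*" and partial globs such as "logs:Put*"
                findings.append((index, "Action", action))
    return findings
```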