IAM Role Policy passRole Allows All
- Query id: e39bee8c-fe54-4a3f-824d-e5e2d1cca40a
- Query name: IAM Role Policy passRole Allows All
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- URL: Github
Description
Using the iam:passrole action with a wildcard (*) as the resource can be overly permissive, because it grants iam:passrole permissions on multiple resources.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:passrole"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  EOF
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:passrole"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1"
        }
      ]
    }
  EOF
}
```
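The check described above can be reproduced on a rendered policy document, for example in a pre-merge review script. The following is an added example, not the query's own code. It goes beyond the page's single case by also handling string-valued `Action`/`Resource` fields, case-insensitive action names and wildcard actions such as `iam:*`; the function names and the constructed sample policy are assumptions.

```python
import json
import re

# Policy bodies copied from the page's two samples.
PAGE_POSITIVE = ('{"Version":"2012-10-17","Statement":[{"Action":["iam:passrole"],'
                 '"Effect":"Allow","Resource":"*"}]}')
PAGE_NEGATIVE = ('{"Version":"2012-10-17","Statement":[{"Action":["iam:passrole"],"Effect":"Allow",'
                 '"Resource":"arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1"}]}')
# Constructed sample (not from the page): string fields, wildcard actions, a Deny.
CONSTRUCTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ["*"]},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Pass*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-role"},
]})


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_passrole(pattern):
    """Action names are case-insensitive; '*' and '?' act as wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, "iam:passrole") is not None


def find_unscoped_passrole(policy_json):
    """Return indexes of Allow statements that grant iam:PassRole on Resource "*".

    NotAction and NotResource statements are out of scope for this sketch.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        grants_passrole = any(_covers_passrole(a) for a in _as_list(stmt.get("Action")))
        if grants_passrole and "*" in _as_list(stmt.get("Resource")):
            findings.append(idx)
    return findings


if __name__ == "__main__":
    for name, doc in [("positive", PAGE_POSITIVE), ("negative", PAGE_NEGATIVE),
                      ("constructed", CONSTRUCTED)]:
        print(name, find_unscoped_passrole(doc))
```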