EFS With Vulnerable Policy
- Query id: fae52418-bb8b-4ac2-b287-0b9082d6a3fd
- Query name: EFS With Vulnerable Policy
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
resource "aws_efs_file_system" "not_secure" {
creation_token = "efs-not-secure"
tags = {
Name = "NotSecure"
}
}
resource "aws_efs_file_system_policy" "not_secure_policy" {
file_system_id = aws_efs_file_system.not_secure.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "ExamplePolicy01",
"Statement": [
{
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:*"
]
}
]
}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_efs_file_system" "fs" {
creation_token = "my-product"
}
resource "aws_efs_file_system_policy" "policy" {
file_system_id = aws_efs_file_system.fs.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "ExamplePolicy01",
"Statement": [
{
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/Carlos"
}
"Resource": "aws_efs_file_system.test.arn",
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientWrite"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
POLICY
}