IAM Policy Grants 'AssumeRole' Permission Across All Services
- Query id: e835bd0d-65da-49f7-b6d1-b646da8727e6
- Query name: IAM Policy Grants 'AssumeRole' Permission Across All Services
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
IAM Policy should not grant 'AssumeRole' permission across all services.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: ["sts:AssumeRole"]
Resource: "*"
Users: ["SomeUser"]
Positive test num. 2 - json file
{
"Description": "A sample template",
"Resources": {
"mypolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "mygrouppolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "*"
}
]
},
"Users": [
"SomeUser"
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"MyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "mygrouppolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::myAWSBucket/*"
}
]
},
"Groups": [
"myexistinggroup1",
"mygroup"
]
}
}
}
}