IAM Policy Grants 'AssumeRole' Permission Across All Services

  • Query id: 12a7a7ce-39d6-49dd-923d-aeb4564eb66c
  • Query name: IAM Policy Grants 'AssumeRole' Permission Across All Services
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

IAM Policy should not grant 'AssumeRole' permission across all services.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "logs:CreateLogGroup"
        Resource: "*"
        Principal:
          Service: "ec2.amazonaws.com"
          AWS: "*"
    make_default: false
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present