SES Policy With Allowed IAM Actions
- Query id: 8ed0bfce-f780-46d4-b086-21c3628f09ad
- Query name: SES Policy With Allowed IAM Actions
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
SES identity policies should not allow actions to all principals. A statement with "Effect": "Allow" and a wildcard principal ("Principal": {"AWS": "*"}) grants every AWS account the permissions listed in its Action element (here "*"); scope the principal to the specific account or role ARN that needs sending authorization, as in the negative sample below.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
- name: add sending authorization policy to email identity
  community.aws.aws_ses_identity_policy:
    identity: example@example.com
    policy_name: ExamplePolicy
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Principal": {
              "AWS": "*"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    state: present
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file

```yaml
- name: add sending authorization policy to email identity2
  community.aws.aws_ses_identity_policy:
    identity: example@example.com
    policy_name: ExamplePolicy
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    state: present
```
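To make the rule concrete, the following Python check is an added example (not the KICS query implementation and not part of this page) that applies the same logic to the policy documents embedded in the two samples above. It uses only the standard library, copies the two policy JSON documents verbatim from the samples, and normalizes the shapes IAM accepts for Principal (a bare "*", a map of strings, or a map of lists) and for Statement and Action (single object or list). Like the rule, it reports only Allow statements whose principal is the wildcard; the negative sample's "Action": "*" is outside this rule's scope and passes, which the check mirrors.

```python
import json

# Policy documents copied from the two Ansible samples on this page.
POSITIVE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Principal": {
        "AWS": "*"
      },
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ]
}"""

NEGATIVE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Principal": {
        "AWS": "arn:aws:iam::987654321145:root"
      },
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ]
}"""


def principal_values(principal):
    """Flatten the Principal element into a list of principal strings.

    IAM accepts three shapes: the bare string "*", a map such as
    {"AWS": "arn:..."} and a map whose values are lists of ARNs.
    """
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    values = []
    for entry in principal.values():  # keys such as AWS, Service, Federated
        if isinstance(entry, str):
            values.append(entry)
        else:
            values.extend(entry)
    return values


def as_list(value):
    """Statement and Action may be a single object or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_principal_statements(policy_document):
    """Return the indexes of Allow statements whose principal is "*".

    A Deny statement with a wildcard principal is not reported: denying
    everyone is a restriction, not a grant. Conditions are deliberately
    ignored, so a conditioned wildcard grant is still reported and left
    to human review.
    """
    policy = json.loads(policy_document)
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in principal_values(statement.get("Principal")):
            findings.append(index)
    return findings


def check_policy(policy_document):
    """Summarize findings as (statement index, actions granted to everyone)."""
    policy = json.loads(policy_document)
    statements = as_list(policy.get("Statement"))
    return [
        (index, as_list(statements[index].get("Action")))
        for index in find_wildcard_principal_statements(policy_document)
    ]


if __name__ == "__main__":
    for label, document in (("positive", POSITIVE_POLICY), ("negative", NEGATIVE_POLICY)):
        result = check_policy(document)
        print(f"{label}: {'FAIL' if result else 'pass'} {result}")
```

Run as a script it prints a FAIL line for the positive sample (statement 0 grants "*" to everyone) and a pass line for the negative sample. In a pipeline you would extract the policy value from each aws_ses_identity_policy task in the playbook and pass it to check_policy before the play runs.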