IAM Policy Grants Full Permissions

  • Query id: b5ed026d-a772-4f07-97f9-664ba0b116f8
  • Query name: IAM Policy Grants Full Permissions
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

An IAM policy should not grant full permissions on all resources from the start; permissions should be granted gradually, as they become necessary.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
    make_default: false
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: SomeResource
    make_default: false
    state: present

Negative test num. 2 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: '*'
        Resource: ec2messages:GetEndpoint
    make_default: false
    state: present
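The three samples above differ only in whether a single Allow statement combines Action "*" with Resource "*". The following is an added example (not part of the KICS query or of the community.aws collection) that applies that check to a parsed Ansible task list, the structure yaml.safe_load returns for a playbook's tasks. The module name is the one used on this page; the task and policy names in SAMPLE_TASKS are constructed to mirror the positive and negative tests. The check goes slightly beyond the samples by also accepting Action/Resource given as lists, which IAM permits.

```python
"""Added example: flag community.aws.iam_managed_policy tasks whose policy
document contains an Allow statement with Action "*" on Resource "*".

Input is a parsed Ansible task list (what yaml.safe_load returns for the
YAML shown on the page). SAMPLE_TASKS below is constructed for this
example and is not data from the KICS project.
"""

MODULE = "community.aws.iam_managed_policy"


def _as_list(value):
    """IAM accepts Action/Resource as a single string or a list; normalize to a list."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def statement_grants_full_permissions(statement):
    """True when a statement is Effect: Allow with Action "*" and Resource "*".

    A wildcard on only one side (negative test 2: Action "*" on a specific
    resource) is not reported, matching the page's samples.
    """
    if str(statement.get("Effect", "")).lower() != "allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_permission_policies(tasks):
    """Return the policy_name of every iam_managed_policy task that contains
    a full-permission statement (at most once per task)."""
    findings = []
    for task in tasks:
        params = task.get(MODULE)
        if not isinstance(params, dict):
            continue  # not the module this check covers
        policy = params.get("policy")
        if not isinstance(policy, dict):
            continue  # policy supplied as a JSON string or lookup; not parsed here
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement written as a mapping
            statements = [statements]
        for statement in statements:
            if isinstance(statement, dict) and statement_grants_full_permissions(statement):
                findings.append(params.get("policy_name", task.get("name", "<unnamed>")))
                break
    return findings


def _task(policy_name, statement):
    """Build one constructed task in the shape used on the page."""
    return {
        "name": "Create IAM Managed Policy",
        MODULE: {
            "policy_name": policy_name,
            "policy": {"Version": "2012-10-17", "Statement": [statement]},
            "make_default": False,
            "state": "present",
        },
    }


# Constructed tasks mirroring the page's positive test and two negative tests.
SAMPLE_TASKS = [
    _task("PositiveFullAccess", {"Effect": "Allow", "Action": "*", "Resource": "*"}),
    _task("NegativeLogs", {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "SomeResource"}),
    _task("NegativeScopedResource", {"Effect": "Allow", "Action": "*", "Resource": "ec2messages:GetEndpoint"}),
]


if __name__ == "__main__":
    for name in find_full_permission_policies(SAMPLE_TASKS):
        print(f"full-permission policy: {name}")
```

Only the first sample is reported, as on the page. To run this against a real playbook, load it with yaml.safe_load and pass each play's tasks list; policies given as JSON strings or file lookups are skipped here and would need an extra parsing step.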