IAM Role Allows All Principals To Assume

  • Query id: babdedcf-d859-43da-9a7b-6d72e661a8fd
  • Query name: IAM Role Allows All Principals To Assume
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

The IAM role's policy allows all services or principals to assume it: the Principal element names everyone (a wildcard or the account-less root ARN) instead of a specific account, role or service.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "logs:CreateLogGroup"
        Resource: "*"
        Principal:
          AWS: "arn:aws:iam::root"
    make_default: false
    state: present
- name: Create2 IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy2"
    policy: >
      {
        "Version": "2012-10-17",
        "Statement":[{
          "Effect": "Allow",
          "Action": "logs:PutRetentionPolicy",
          "Resource": "*",
          "Principal" : { "AWS" : "arn:aws:iam::root" }
        }]
      }
    only_version: true
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present
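The following is an added example, not KICS's own query or the Ansible module's code: a small Python check over already-loaded playbook tasks that flags `community.aws.iam_managed_policy` policies whose Allow statements carry an "everyone" Principal. It handles both forms the samples above use (a YAML mapping and a folded JSON string), and which values count as "everyone" (`*` and the account-less `arn:aws:iam::root`) is an assumption mirroring those samples.

```python
import json

# Principal values this check treats as "everyone". Assumption mirroring the
# page's samples: the bare wildcard and the account-less root ARN.
OPEN_PRINCIPALS = {"*", "arn:aws:iam::root"}

def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise it."""
    return value if isinstance(value, list) else [value]

def open_principals(policy):
    """Return (statement index, principal type, value) for each Allow statement
    whose Principal admits any AWS account or service. `policy` may be a dict
    (YAML mapping form) or a JSON string (folded-scalar form), as on the page."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        principal = stmt["Principal"]
        if principal == "*":  # bare wildcard form
            findings.append((i, "*", "*"))
            continue
        for kind, values in principal.items():  # AWS, Service, Federated, ...
            findings += [(i, kind, v) for v in _as_list(values) if v in OPEN_PRINCIPALS]
    return findings

def check_tasks(tasks):
    """Return the names of iam_managed_policy tasks whose policy is too open."""
    return [t["name"] for t in tasks
            if open_principals(t.get("community.aws.iam_managed_policy", {}).get("policy", {}))]

# Constructed sample tasks, equal to what YAML loading of the page's samples gives.
OPEN_STMT = {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*",
             "Principal": {"AWS": "arn:aws:iam::root"}}
SAFE_STMT = {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"}
TASKS = [
    {"name": "Create IAM Managed Policy", "community.aws.iam_managed_policy": {
        "policy_name": "ManagedPolicy", "state": "present",
        "policy": {"Version": "2012-10-17", "Statement": [OPEN_STMT]}}},
    {"name": "Create2 IAM Managed Policy", "community.aws.iam_managed_policy": {
        "policy_name": "ManagedPolicy2", "state": "present",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [OPEN_STMT]})}},
    {"name": "Safe IAM Managed Policy", "community.aws.iam_managed_policy": {
        "policy_name": "ManagedPolicy", "state": "present",
        "policy": {"Version": "2012-10-17", "Statement": [SAFE_STMT]}}},
]
```

Running `check_tasks(TASKS)` reports the two positive samples and not the negative one; a Deny statement or a Principal naming a specific account is never flagged.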