IAM Role Allows All Principals To Assume
- Query id: babdedcf-d859-43da-9a7b-6d72e661a8fd
- Query name: IAM Role Allows All Principals To Assume
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
IAM role allows all services or principals to assume it
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Action: "logs:CreateLogGroup"
          Resource: "*"
          Principal:
            AWS: "arn:aws:iam::root"
    make_default: false
    state: present
- name: Create2 IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy2"
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": "logs:PutRetentionPolicy",
          "Resource": "*",
          "Principal": { "AWS": "arn:aws:iam::root" }
        }]
      }
    only_version: true
    state: present
```
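As an added example (not part of the KICS query or of the community.aws collection), the following Python scan flags the pattern the two samples above show: an Allow statement whose Principal is the IAM wildcard or the bare root ARN used in the samples, in either the mapping form or the folded JSON-string form of `policy`. The set of "open" principal values, the task dictionaries and the sample input are assumptions constructed for this example.

```python
import json

# Principal values this added check treats as "any principal" (an assumption, not the
# KICS rule text): the IAM wildcard and the bare root ARN used in the samples above.
OPEN_PRINCIPALS = {"*", "arn:aws:iam::root"}

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_values(principal):
    # Flatten "*" or {"AWS": ..., "Service": ..., "Federated": ...} to its scalar values.
    if isinstance(principal, dict):
        return [v for k in ("AWS", "Service", "Federated") for v in _as_list(principal.get(k))]
    return _as_list(principal)

def open_principal_statements(policy):
    # Return the Sid (or index) of each Allow statement whose Principal is open.
    # `policy` may be a dict or a JSON string, the two forms the Ansible samples use.
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(v in OPEN_PRINCIPALS for v in _principal_values(stmt.get("Principal"))):
            findings.append(stmt.get("Sid", idx))
    return findings

def scan_tasks(tasks):
    # (task name, findings) for every iam_managed_policy task that has an open principal.
    report = []
    for task in tasks:
        module = task.get("community.aws.iam_managed_policy") or {}
        hits = open_principal_statements(module["policy"]) if "policy" in module else []
        if hits:
            report.append((task["name"], hits))
    return report

def _task(name, policy):
    return {"name": name, "community.aws.iam_managed_policy": {"policy": policy, "state": "present"}}

# Constructed input: the two samples above (mapping and JSON-string forms) plus a compliant one-role task (placeholder account id).
SAMPLE_TASKS = [
    _task("Create IAM Managed Policy", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::root"}}]}),
    _task("Create2 IAM Managed Policy", '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
          ' "Action": "logs:PutRetentionPolicy", "Resource": "*", "Principal": {"AWS": "arn:aws:iam::root"}}]}'),
    _task("Scoped policy", {"Version": "2012-10-17", "Statement": [
        {"Sid": "Scoped", "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deployer"}}]}),
]
```

Running `scan_tasks(SAMPLE_TASKS)` reports the two sample tasks and leaves the scoped one alone; to load real playbooks, parse them with a YAML library and pass the task list in.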