IAM Role Allows All Principals To Assume

Query id: babdedcf-d859-43da-9a7b-6d72e661a8fd
Query name: IAM Role Allows All Principals To Assume
Platform: Ansible
Severity: Medium
Category: Access Control
CWE: 284
URL: Github

Description¶

IAM role allows all services or principals to assume it
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "logs:CreateLogGroup"
        Resource: "*"
        Principal:
          AWS: "arn:aws:iam::root"
    make_default: false
    state: present
- name: Create2 IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: "ManagedPolicy2"
    policy: >
      {
        "Version": "2012-10-17",
        "Statement":[{
          "Effect": "Allow",
          "Action": "logs:PutRetentionPolicy",
          "Resource": "*",
          "Principal" : { "AWS" : "arn:aws:iam::root" }
        }]
      }
    only_version: true
    state: present

Code samples without security vulnerabilities¶

Negative test num. 1 - yaml file

- name: Create IAM Managed Policy
  community.aws.iam_managed_policy:
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present