Support Has No Role Associated

Query id: d71b5fd7-9020-4b2d-9ec8-b3839faa2744
Query name: Support Has No Role Associated
Platform: CloudFormation
Severity: Low
Category: Access Control
CWE: 284
URL: Github

Description¶

Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< De Re

Positive test num. 2 - json file

/span>

AWSTemplateFormatVersion: "2010-09-09" scription: A sample template sources: class="w">  noRoles: Type: AWS::IAM::Policy Properties: PolicyName: AWSSupportAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: ["*"] Resource: "*" Users: ["SomeUser"] Groups: ["SomeGroup"] class="w">  noUsers: Type: AWS::IAM::Policy Properties: PolicyName: AWSSupportAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: ["*"] Resource: "*" Roles: ["SomeRole"] Groups: ["SomeGroup"] class="w">  noGroups: Type: AWS::IAM::Policy Properties: PolicyName: AWSSupportAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: ["*"] Resource: "*" Roles: ["SomeRole"] Users: ["SomeUser"] /span>{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", "Resources": { class="w">    "noRoles": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "AWSSupportAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "*" ], "Resource": "*" } ] }, "Users": [ "SomeUser" ], "Groups": [ "SomeGroup" ] } }, class="w">    "noUsers": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "AWSSupportAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "*" ], "Resource": "*" } ] }, "Roles": [ "SomeRole" ], "Groups": [ "SomeGroup" ] } }, class="w">    "noGroups": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "AWSSupportAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "*" ], "Resource": "*" } ] }, "Roles": [ "SomeRole" ], "Users": [ "SomeUser" ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  MyPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: arn:aws:s3:::myAWSBucket/*
      Groups:
        - myexistinggroup1
        - !Ref mygroup

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "MyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
              ],
              "Resource": "arn:aws:s3:::myAWSBucket/*",
              "Effect": "Allow"
            }
          ]
        },
        "Groups": [
          "myexistinggroup1",
          "mygroup"
        ]
      }
    }
  }
}