Support Has No Role Associated
- Query id: d71b5fd7-9020-4b2d-9ec8-b3839faa2744
- Query name: Support Has No Role Associated
- Platform: CloudFormation
- Severity: Low
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
noRoles:
Type: AWS::IAM::Policy
Properties:
PolicyName: AWSSupportAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: ["*"]
Resource: "*"
Users: ["SomeUser"]
Groups: ["SomeGroup"]
noUsers:
Type: AWS::IAM::Policy
Properties:
PolicyName: AWSSupportAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: ["*"]
Resource: "*"
Roles: ["SomeRole"]
Groups: ["SomeGroup"]
noGroups:
Type: AWS::IAM::Policy
Properties:
PolicyName: AWSSupportAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: ["*"]
Resource: "*"
Roles: ["SomeRole"]
Users: ["SomeUser"]
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"noRoles": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AWSSupportAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
},
"Users": [
"SomeUser"
],
"Groups": [
"SomeGroup"
]
}
},
"noUsers": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AWSSupportAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
},
"Roles": [
"SomeRole"
],
"Groups": [
"SomeGroup"
]
}
},
"noGroups": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AWSSupportAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
},
"Roles": [
"SomeRole"
],
"Users": [
"SomeUser"
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"MyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "mygrouppolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::myAWSBucket/*",
"Effect": "Allow"
}
]
},
"Groups": [
"myexistinggroup1",
"mygroup"
]
}
}
}
}