Support Has No Role Associated

  • Query id: d71b5fd7-9020-4b2d-9ec8-b3839faa2744
  • Query name: Support Has No Role Associated
  • Platform: CloudFormation
  • Severity: Low
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Checks whether an AWS Support access policy is missing any of the roles, users, and groups that should be associated with it; a Support policy attached to none of them is not being managed.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  noRoles:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AWSSupportAccess
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: ["*"]
          Resource: "*"
      Users: ["SomeUser"]
      Groups: ["SomeGroup"]
  noUsers:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AWSSupportAccess
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: ["*"]
          Resource: "*"
      Roles: ["SomeRole"]
      Groups: ["SomeGroup"]
  noGroups:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AWSSupportAccess
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: ["*"]
          Resource: "*"
      Roles: ["SomeRole"]
      Users: ["SomeUser"]
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "noRoles": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "AWSSupportAccess",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "*"
              ],
              "Resource": "*"
            }
          ]
        },
        "Users": [
          "SomeUser"
        ],
        "Groups": [
          "SomeGroup"
        ]
      }
    },
    "noUsers": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "AWSSupportAccess",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "*"
              ],
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          "SomeRole"
        ],
        "Groups": [
          "SomeGroup"
        ]
      }
    },
    "noGroups": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "AWSSupportAccess",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "*"
              ],
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          "SomeRole"
        ],
        "Users": [
          "SomeUser"
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  MyPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: arn:aws:s3:::myAWSBucket/*
      Groups:
        - myexistinggroup1
        - !Ref mygroup
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "MyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
              ],
              "Resource": "arn:aws:s3:::myAWSBucket/*",
              "Effect": "Allow"
            }
          ]
        },
        "Groups": [
          "myexistinggroup1",
          "mygroup"
        ]
      }
    }
  }
}
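The check described above, as an added Python example that is not the KICS query's own implementation: it flags every AWS::IAM::Policy named AWSSupportAccess that lacks any of Roles, Users or Groups (the positive samples) and ignores other policies (the negative sample). The embedded JSON template and the function names are constructed for this example; it also treats a present-but-empty attachment list as missing, which goes slightly beyond the samples shown.

```python
import json

# Constructed sample (not the page's file verbatim): two AWSSupportAccess
# policies missing an attachment kind, one with all three, one unrelated.
SAMPLE_TEMPLATE = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "noRoles": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "AWSSupportAccess",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]},
      "Users": ["SomeUser"], "Groups": ["SomeGroup"]}},
    "emptyGroups": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "AWSSupportAccess",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]},
      "Roles": ["SomeRole"], "Users": ["SomeUser"], "Groups": []}},
    "managed": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "AWSSupportAccess",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]},
      "Roles": ["SomeRole"], "Users": ["SomeUser"], "Groups": ["SomeGroup"]}},
    "MyPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "mygrouppolicy",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::myAWSBucket/*"}]},
      "Groups": ["myexistinggroup1"]}}
  }
}"""

REQUIRED_ATTACHMENTS = ("Roles", "Users", "Groups")


def find_unmanaged_support_policies(template: dict) -> list[dict]:
    """One finding per AWS::IAM::Policy named AWSSupportAccess that lacks any
    of Roles/Users/Groups; a present-but-empty list counts as missing."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        props = resource.get("Properties") or {}
        if props.get("PolicyName") != "AWSSupportAccess":
            continue  # the check is scoped to the Support policy only
        missing = [key for key in REQUIRED_ATTACHMENTS if not props.get(key)]
        if missing:
            findings.append({"resource": logical_id, "missing": missing})
    return findings

def scan_template_text(text: str) -> list[dict]:
    """Parse a JSON CloudFormation template and run the check on it."""
    return find_unmanaged_support_policies(json.loads(text))
```

YAML templates that use short-form tags such as `!Ref` need a CloudFormation-aware YAML loader before the same check can be applied to them.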