IAM Policy Grants Full Permissions
- Query id: f62aa827-4ade-4dc4-89e4-1433d384a368
- Query name: IAM Policy Grants Full Permissions
- Platform: CloudFormation
- Severity: High
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: ["*"]
Resource: "*"
Groups:
- myexistinggroup1
- !Ref mygroup
mypolicy2:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Groups:
- myexistinggroup1
- !Ref mygroup
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"mypolicy2": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "mygrouppolicy",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Groups": [
"myexistinggroup1",
"mygroup"
]
}
},
"mypolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "mygrouppolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
},
"Groups": [
"myexistinggroup1",
"mygroup"
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
adminPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: ["*"]
Resource: arn:aws:iam::aws:policy/AdministratorAccess
Groups:
- myexistinggroup1
- !Ref mygroup
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"adminPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "mygrouppolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Resource": "arn:aws:iam::aws:policy/AdministratorAccess",
"Effect": "Allow",
"Action": [
"*"
]
}
]
},
"Groups": [
"myexistinggroup1",
"mygroup"
]
}
}
}
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
adminPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: 'ec2messages:GetEndpoint'
Resource: ['*']
Groups:
- myexistinggroup1
- !Ref mygroup