IAM Policy Grants Full Permissions

  • Query id: f62aa827-4ade-4dc4-89e4-1433d384a368
  • Query name: IAM Policy Grants Full Permissions
  • Platform: CloudFormation
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  mypolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: ["*"]
          Resource: "*"
      Groups:
      - myexistinggroup1
      - !Ref mygroup
  mypolicy2:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: "*"
          Resource: "*"
      Groups:
      - myexistinggroup1
      - !Ref mygroup
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "mypolicy2": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "Groups": [
          "myexistinggroup1",
          "mygroup"
        ]
      }
    },
    "mypolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "*"
              ],
              "Resource": "*"
            }
          ]
        },
        "Groups": [
          "myexistinggroup1",
          "mygroup"
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  adminPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: ["*"]
          Resource: arn:aws:iam::aws:policy/AdministratorAccess
      Groups:
      - myexistinggroup1
      - !Ref mygroup
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "adminPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "mygrouppolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Resource": "arn:aws:iam::aws:policy/AdministratorAccess",
              "Effect": "Allow",
              "Action": [
                "*"
              ]
            }
          ]
        },
        "Groups": [
          "myexistinggroup1",
          "mygroup"
        ]
      }
    }
  }
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  adminPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: mygrouppolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action: 'ec2messages:GetEndpoint'
          Resource: ['*']
      Groups:
      - myexistinggroup1
      - !Ref mygroup