Serverless Role With Full Privileges
- Query id: 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd
- Query name: Serverless Role With Full Privileges
- Platform: ServerlessFW
- Severity: High
- Category: Access Control
- CWE: 732
- URL: Github
Description
Roles defined in Serverless files should not have policies granting full administrative privileges, that is, an Allow statement whose Action is '*' on a Resource of '*'.
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yml file
service: service
frameworkVersion: '2'
provider:
  name: aws
  runtime: nodejs12.x
  iam:
    role:
      name: custom-role-name
      path: /custom-role-path/
      statements:
        - Effect: 'Allow'
          Resource: '*'
          Action: '*'
      managedPolicies:
        - 'arn:aws:iam::123456789012:user/*'
      permissionsBoundary: arn:aws:iam::123456789012:policy/boundaries
      tags:
        key: value
functions:
  hello:
    handler: handler.hello
    onError: arn:aws:sns:us-east-1:XXXXXX:test
    tags:
      foo: bar
    role: arn:aws:iam::XXXXXX:role/role
    tracing: Active
Code samples without security vulnerabilities
Negative test num. 1 - yml file
service: service
frameworkVersion: '2'
provider:
  name: aws
  runtime: nodejs12.x
  iam:
    role:
      name: custom-role-name
      path: /custom-role-path/
      statements:
        - Effect: 'Allow'
          Resource: '*'
          Action: 'iam:DeleteUser'
      managedPolicies:
        - 'arn:aws:iam::123456789012:user/*'
      permissionsBoundary: arn:aws:iam::123456789012:policy/boundaries
      tags:
        key: value
functions:
  hello:
    handler: handler.hello
    onError: arn:aws:sns:us-east-1:XXXXXX:test
    tags:
      foo: bar
    role: arn:aws:iam::XXXXXX:role/role
    tracing: Active
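The check this query performs, written out as an added Python example (it is not the page's own code and not the KICS Rego rule): given a parsed serverless.yml, it reports every Allow statement whose Action and Resource are both the '*' wildcard, which is what separates the positive sample above from the negative one. It goes slightly beyond the samples by also accepting list-valued Action/Resource fields and the legacy `provider.iamRoleStatements` key that older Serverless Framework versions used. The sample documents at the bottom are constructed dicts mirroring the page's two samples plus one legacy-style document; the function and variable names are this example's own.

```python
"""Flag Serverless Framework IAM role statements that grant full privileges.

Added example for the "Serverless Role With Full Privileges" query. It works
on the dict that yaml.safe_load would return for a serverless.yml, so no YAML
library is needed to run it against the constructed samples below.
"""
from typing import Any, Dict, List, Tuple


def _as_list(value: Any) -> List[str]:
    """Normalise a YAML scalar-or-sequence field to a list of strings."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(item) for item in value]
    return [str(value)]


def _contains_wildcard(value: Any) -> bool:
    """True when any entry of Action/Resource is the bare IAM wildcard '*'."""
    return any(item.strip() == "*" for item in _as_list(value))


def is_full_privilege_statement(statement: Dict[str, Any]) -> bool:
    """Allow + Action '*' + Resource '*' is administrator access in all but name."""
    if str(statement.get("Effect", "")).strip() != "Allow":
        return False
    return _contains_wildcard(statement.get("Action")) and _contains_wildcard(
        statement.get("Resource")
    )


def iam_statement_locations(config: Dict[str, Any]) -> List[Tuple[str, List[Dict[str, Any]]]]:
    """Return (yaml path, statements) for each place Serverless accepts role statements.

    Covers the current provider.iam.role.statements key and the legacy
    provider.iamRoleStatements key. A provider.iam.role given as a plain ARN
    string carries no inline statements and is skipped.
    """
    provider = config.get("provider") or {}
    locations: List[Tuple[str, List[Dict[str, Any]]]] = []
    iam_role = (provider.get("iam") or {}).get("role") or {}
    if isinstance(iam_role, dict) and iam_role.get("statements"):
        locations.append(("provider.iam.role.statements", iam_role["statements"]))
    if provider.get("iamRoleStatements"):
        locations.append(("provider.iamRoleStatements", provider["iamRoleStatements"]))
    return locations


def find_full_privilege_statements(config: Dict[str, Any]) -> List[str]:
    """Return one 'path[index]' entry per statement that grants full privileges."""
    findings: List[str] = []
    for path, statements in iam_statement_locations(config):
        for index, statement in enumerate(statements):
            if isinstance(statement, dict) and is_full_privilege_statement(statement):
                findings.append(f"{path}[{index}]")
    return findings


# Constructed to mirror the page's positive sample (only the fields that matter).
POSITIVE_SAMPLE: Dict[str, Any] = {
    "service": "service",
    "provider": {
        "name": "aws",
        "iam": {
            "role": {
                "name": "custom-role-name",
                "statements": [{"Effect": "Allow", "Resource": "*", "Action": "*"}],
            }
        },
    },
}

# Constructed to mirror the page's negative sample: one explicit action, not '*'.
NEGATIVE_SAMPLE: Dict[str, Any] = {
    "service": "service",
    "provider": {
        "name": "aws",
        "iam": {
            "role": {
                "name": "custom-role-name",
                "statements": [{"Effect": "Allow", "Resource": "*", "Action": "iam:DeleteUser"}],
            }
        },
    },
}

# Constructed legacy-style document: list-valued fields and a '*' hidden in a list.
LEGACY_SAMPLE: Dict[str, Any] = {
    "service": "service",
    "provider": {
        "name": "aws",
        "iamRoleStatements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]},
            {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "*"], "Resource": ["*"]},
        ],
    },
}


if __name__ == "__main__":
    for label, sample in (("positive", POSITIVE_SAMPLE), ("negative", NEGATIVE_SAMPLE), ("legacy", LEGACY_SAMPLE)):
        print(label, find_full_privilege_statements(sample) or "no findings")
```

To run it against a real file, load it with `yaml.safe_load(open("serverless.yml"))` and pass the result to `find_full_privilege_statements`; a non-empty return value is a finding to fix by narrowing Action and Resource to what the function actually calls.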