Serverless Role With Full Privileges

  • Query id: 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd
  • Query name: Serverless Role With Full Privileges
  • Platform: ServerlessFW
  • Severity: High
  • Category: Access Control
  • CWE: 732
  • URL: Github

Description

Roles defined in Serverless Framework files (`provider.iam.role.statements`) should not contain a policy statement that allows every action (`Action: '*'`) on every resource (`Resource: '*'`). Such a statement grants full administrative privileges to every function that assumes the role, so a compromised handler can act anywhere in the account; scope `Action` to the API calls the function actually needs.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yml file
service: service
frameworkVersion: '2' 
provider:
  name: aws
  runtime: nodejs12.x
  iam:
    role:
      name: custom-role-name
      path: /custom-role-path/
      statements:
        - Effect: 'Allow'
          Resource: '*'
          Action: '*'
      managedPolicies:
        - 'arn:aws:iam::123456789012:user/*'
      permissionsBoundary: arn:aws:iam::123456789012:policy/boundaries
      tags:
        key: value

functions:
  hello:
    handler: handler.hello
    onError: arn:aws:sns:us-east-1:XXXXXX:test
    tags:
      foo: bar
    role: arn:aws:iam::XXXXXX:role/role
    tracing: Active

Code samples without security vulnerabilities

Negative test num. 1 - yml file
service: service
frameworkVersion: '2' 
provider:
  name: aws
  runtime: nodejs12.x
  iam:
    role:
      name: custom-role-name
      path: /custom-role-path/
      statements:
        - Effect: 'Allow'
          Resource: '*'
          Action: 'iam:DeleteUser'
      managedPolicies:
        - 'arn:aws:iam::123456789012:user/*'
      permissionsBoundary: arn:aws:iam::123456789012:policy/boundaries
      tags:
        key: value

functions:
  hello:
    handler: handler.hello
    onError: arn:aws:sns:us-east-1:XXXXXX:test
    tags:
      foo: bar
    role: arn:aws:iam::XXXXXX:role/role
    tracing: Active
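As an added example (not part of the KICS query itself), the check described above implemented over an already-parsed serverless.yml: it walks the role statements and reports any that allow `*` on `*`. It goes slightly beyond the page's samples by also accepting list-valued `Action`/`Resource` and the legacy `provider.iamRoleStatements` key; the two sample dicts are constructed to mirror the positive and negative tests.

```python
"""Flag Serverless Framework IAM role statements granting full admin rights."""
from typing import Any, Dict, List


def _as_list(value: Any) -> List[str]:
    """IAM fields may be a scalar or a list; normalise to a list of strings."""
    if value is None:
        return []
    return [str(v) for v in (value if isinstance(value, list) else [value])]


def find_full_privilege_statements(cfg: Dict[str, Any]) -> List[str]:
    """Return paths of statements with Effect Allow, Action '*' and Resource '*'.

    `cfg` is serverless.yml already parsed (e.g. via yaml.safe_load). Both the
    v2+ key provider.iam.role.statements (shown on the page) and the legacy
    provider.iamRoleStatements key are inspected.
    """
    provider = cfg.get("provider") or {}
    role = (provider.get("iam") or {}).get("role") or {}
    sources = {
        "provider.iam.role.statements": role.get("statements"),
        "provider.iamRoleStatements": provider.get("iamRoleStatements"),
    }
    findings: List[str] = []
    for path, statements in sources.items():
        for i, stmt in enumerate(statements or []):
            if str(stmt.get("Effect", "")).lower() != "allow":
                continue  # Deny statements never widen privileges
            actions = _as_list(stmt.get("Action"))
            resources = _as_list(stmt.get("Resource"))
            if "*" in actions and "*" in resources:
                findings.append(f"{path}[{i}]")
    return findings


# Constructed samples mirroring the page's positive and negative tests.
POSITIVE_CFG = {
    "service": "service",
    "provider": {"name": "aws", "iam": {"role": {"statements": [
        {"Effect": "Allow", "Resource": "*", "Action": "*"}]}}},
}
NEGATIVE_CFG = {
    "service": "service",
    "provider": {"name": "aws", "iam": {"role": {"statements": [
        {"Effect": "Allow", "Resource": "*", "Action": "iam:DeleteUser"}]}}},
}

if __name__ == "__main__":
    print(find_full_privilege_statements(POSITIVE_CFG))  # ['provider.iam.role.statements[0]']
    print(find_full_privilege_statements(NEGATIVE_CFG))  # []
```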