SSO Policy with full privileges
- Query id: 132a8c31-9837-4203-9fd1-15ca210c7b73
- Query name: SSO Policy with full privileges
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 732
- URL: Github
Description
SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "aws_ssoadmin_permission_set_inline_policy" "pos1" {
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  inline_policy      = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Sid": ""
    },
    {
      "Action": "s3:PutObject*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::b1/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "aws_ssoadmin_permission_set_inline_policy" "neg1" {
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  inline_policy      = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket*",
        "s3:HeadBucket",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::b1",
        "arn:aws:s3:::b1/*",
        "arn:aws:s3:::b2",
        "arn:aws:s3:::b2/*"
      ],
      "Sid": ""
    },
    {
      "Action": "s3:PutObject*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::b1/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
```
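As an added illustration of the condition this query looks for (not part of the KICS query or its Rego implementation), the following Python check parses the inline policy documents from the two samples above and reports Allow statements that combine a wildcard action with a wildcard resource; the `_as_list` helper and function names are assumptions, and the policy strings are copied from the page's samples.

```python
import json

# Policy documents from the page's positive (pos1) and negative (neg1) samples, compacted.
POSITIVE_POLICY = (
    '{"Statement":[{"Action":["*"],"Effect":"Allow","Resource":["*"],"Sid":""},'
    '{"Action":"s3:PutObject*","Effect":"Allow","Resource":"arn:aws:s3:::b1/*","Sid":""}],'
    '"Version":"2012-10-17"}'
)
NEGATIVE_POLICY = (
    '{"Statement":[{"Action":["s3:ListBucket*","s3:HeadBucket","s3:Get*"],"Effect":"Allow",'
    '"Resource":["arn:aws:s3:::b1","arn:aws:s3:::b1/*","arn:aws:s3:::b2","arn:aws:s3:::b2/*"],'
    '"Sid":""},{"Action":"s3:PutObject*","Effect":"Allow","Resource":"arn:aws:s3:::b1/*",'
    '"Sid":""}],"Version":"2012-10-17"}'
)


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_privilege_statements(policy_json):
    """Return indexes of Allow statements granting every action on every resource."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Only the combination of "*" action and "*" resource is full privilege;
        # scoped statements such as s3:PutObject* on one bucket prefix are not flagged.
        if "*" in actions and "*" in resources:
            findings.append(idx)
    return findings


if __name__ == "__main__":
    for name, policy in (("pos1", POSITIVE_POLICY), ("neg1", NEGATIVE_POLICY)):
        hits = find_full_privilege_statements(policy)
        print(f"{name}: {'FAIL' if hits else 'PASS'} statements={hits}")
```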