IAM Policies With Full Privileges
- Query id: 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84
- Query name: IAM Policies With Full Privileges
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
IAM policies shouldn't allow full administrative privileges (for all resources)
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_iam_role_policy" "positive1" {
name = "apigateway-cloudwatch-logging"
role = aws_iam_role.apigateway_cloudwatch_logging.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["*"],
"Resource": "*"
}
]
}
EOF
}
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"*"
]
resources = [
"*",
]
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_iam_role_policy" "negative1" {
name = "apigateway-cloudwatch-logging"
role = aws_iam_role.apigateway_cloudwatch_logging.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["some:action"],
"Resource": "*"
}
]
}
EOF
}
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"*"
]
resources = [
"arn:aws:s3:::*",
]
}
}