SES Policy With Allowed IAM Actions
- Query id: 34b921bd-90a0-402e-a0a5-dc73371fd963
- Query name: SES Policy With Allowed IAM Actions
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
SES policy should not allow IAM actions to all principals
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_ses_identity_policy" "positive1" {
identity = aws_ses_domain_identity.example.arn
name = "example"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Principal": {
"AWS": "*"
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
}
EOF
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_ses_identity_policy" "negative1" {
identity = aws_ses_domain_identity.example.arn
name = "example"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Principal": {
"AWS": "arn:aws:iam::987654321145:root"
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
}
EOF
}