IAM Policy Grants Full Permissions
- Query id: 575a2155-6af1-4026-b1af-d5bc8fe2a904
- Query name: IAM Policy Grants Full Permissions
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 732
- URL: Github
Description¶
IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_iam_user" "positive1" {
name = "${local.resource_prefix.value}-user"
force_destroy = true
tags = {
Name = "${local.resource_prefix.value}-user"
Environment = local.resource_prefix.value
}
}
resource "aws_iam_access_key" "positive2" {
user = aws_iam_user.user.name
}
resource "aws_iam_user_policy" "positive3" {
name = "excess_policy"
user = aws_iam_user.user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
output "username" {
value = aws_iam_user.user.name
}
output "secret" {
value = aws_iam_access_key.user.encrypted_secret
}
Positive test num. 2 - tf file
resource "aws_iam_policy" "s3-permission" {
name = "s3-permission"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_iam_user" "negative1" {
name = "${local.resource_prefix.value}-user"
force_destroy = true
tags = {
Name = "${local.resource_prefix.value}-user"
Environment = local.resource_prefix.value
}
}
resource "aws_iam_access_key" "negative2" {
user = aws_iam_user.user.name
}
resource "aws_iam_user_policy" "negative3" {
name = "excess_policy"
user = aws_iam_user.user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*",
"s3:*",
"lambda:*",
"cloudwatch:*"
],
"Effect": "Allow",
"Resource": "SomeResource"
}
]
}
EOF
}
output "username" {
value = aws_iam_user.user.name
}
output "secret" {
value = aws_iam_access_key.user.encrypted_secret
}