Glue With Vulnerable Policy
- Query id: d25edb51-07fb-4a73-97d4-41cecdc53a22
- Query name: Glue With Vulnerable Policy
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 155
- URL: Github
Description¶
Glue policy should avoid wildcard in 'principals' and 'actions'
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
data "aws_iam_policy_document" "glue-example-policy" {
statement {
actions = [
"glue:*",
]
resources = ["arn:data.aws_partition.current.partition:glue:data.aws_region.current.name:data.aws_caller_identity.current.account_id:*"]
principals {
identifiers = ["*"]
type = "AWS"
}
}
}
resource "aws_glue_resource_policy" "example" {
policy = data.aws_iam_policy_document.glue-example-policy.json
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
data "aws_iam_policy_document" "glue-example-policy2" {
statement {
actions = [
"glue:CreateTable",
]
resources = ["arn:data.aws_partition.current.partition:glue:data.aws_region.current.name:data.aws_caller_identity.current.account_id:*"]
principals {
identifiers = ["arn:aws:iam::var.account_id:saml-provider/var.provider_name"]
type = "AWS"
}
}
}
resource "aws_glue_resource_policy" "example2" {
policy = data.aws_iam_policy_document.glue-example-policy2.json
}