Secrets Manager With Vulnerable Policy
- Query id: fa00ce45-386d-4718-8392-fb485e1f3c5b
- Query name: Secrets Manager With Vulnerable Policy
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 155 (Improper Neutralization of Wildcards or Matching Symbols)
- URL: GitHub
Description
A Secrets Manager resource policy should not use the wildcard `*` in `Principal` or `Action`. An `Allow` statement with `"Principal": {"AWS": "*"}` grants access to every AWS principal — every identity in the owning account outright (unless an explicit deny, SCP or permissions boundary blocks it), and identities in other accounts whose own identity policies permit the call — and `secretsmanager:*` covers every operation on the secret, including reading, rotating and deleting it. Restrict `Principal` to the specific IAM role or user ARNs that need the secret and `Action` to the operations they actually perform (for most consumers just `secretsmanager:GetSecretValue`).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Sample the query flags: the resource policy below opens the secret to every
# AWS principal for every Secrets Manager action.
provider "aws" {
region = "us-east-1"
}
resource "aws_secretsmanager_secret" "not_secure_policy" {
name = "not_secure_secret"
}
# Vulnerable: "Principal": {"AWS": "*"} together with Effect "Allow" grants
# access to any principal (same-account identities directly; cross-account
# callers additionally need a permitting identity policy), and the
# "secretsmanager:*" action wildcard covers reading, rotating and deleting the
# secret. Both wildcards are what this query reports.
resource "aws_secretsmanager_secret_policy" "example" {
secret_arn = aws_secretsmanager_secret.not_secure_policy.arn
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableAllPermissions",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "secretsmanager:*",
"Resource": "*"
}
]
}
POLICY
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
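# Sample the query accepts: the principal is a single IAM role ARN and the
# action is limited to reading the secret value, so neither "Principal" nor
# "Action" contains a wildcard.
variable "account_id" {
  description = "AWS account that owns the IAM role allowed to read the secret"
  type        = string
}
variable "role_name" {
  description = "Name of the IAM role allowed to read the secret"
  type        = string
}
resource "aws_secretsmanager_secret" "example2" {
name = "example"
}
resource "aws_secretsmanager_secret_policy" "example2" {
secret_arn = aws_secretsmanager_secret.example2.arn
# Heredoc strings are interpolated by Terraform, so variable references must be
# written as ${...}; a bare "var.account_id" inside the quotes would be sent to
# AWS literally and rejected as an invalid ARN. A saml-provider ARN is a
# federated principal that is only valid under "Federated" in a role trust
# policy, so a secret's resource policy must name the IAM role or user instead.
# In a resource policy attached to a secret, "Resource": "*" refers to that
# secret; this query does not inspect the Resource element.
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowReadFromRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${var.account_id}:role/${var.role_name}"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
POLICY
}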