SES Policy With Allowed IAM Actions

  • Query id: 8ed0bfce-f780-46d4-b086-21c3628f09ad
  • Query name: SES Policy With Allowed IAM Actions
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

An SES identity (sending authorization) policy should not grant actions to every principal: an `Allow` statement whose `Principal` is `{"AWS": "*"}` lets any AWS account send on behalf of the identity. Scope the principal to the specific account, user or role ARNs that need the permission.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: add sending authorization policy to email identity
  community.aws.aws_ses_identity_policy:
    identity: example@example.com
    policy_name: ExamplePolicy
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Principal": {
              "AWS": "*"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: add sending authorization policy to email identity2
  community.aws.aws_ses_identity_policy:
    identity: example@example.com
    policy_name: ExamplePolicy
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    state: present
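The check the page describes, applied to both samples above, as an added Python example; it is not the KICS query itself (which is written in Rego) and not part of this page. It inspects the IAM policy document that the Ansible `policy:` folded scalar produces and reports every `Allow` statement whose principal is the wildcard. It goes slightly beyond the two samples: it also recognises the other principal spellings the IAM policy grammar accepts (`"Principal": "*"` and a list under `"AWS"`), a `Statement` given as a single object rather than a list, and it ignores `Deny` statements. The function names and the two embedded policy strings are constructed for this example.

```python
"""Flag SES identity policies that grant actions to all principals.

Added example, not KICS's own query code. The two policy documents below
are constructed copies of the page's positive and negative samples.
"""
import json


def _principal_is_wildcard(principal) -> bool:
    """True if the Principal element matches every AWS principal.

    IAM accepts "Principal": "*", {"AWS": "*"} and {"AWS": ["*", ...]}.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return any(entry == "*" for entry in aws)
    return False


def find_open_statements(policy_json: str) -> list:
    """Return indexes of Allow statements that are open to all principals.

    `policy_json` is the raw IAM policy document, i.e. the string that the
    Ansible task's `policy:` scalar yields.
    """
    document = json.loads(policy_json)
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal too
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue  # a Deny aimed at everyone does not widen access
        if _principal_is_wildcard(statement.get("Principal")):
            findings.append(index)
    return findings


# Constructed sample: the page's positive (vulnerable) policy.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*",
        "Principal": {"AWS": "*"},
        "Effect": "Allow",
        "Resource": "*",
        "Sid": "",
    }],
})

# Constructed sample: the page's negative (scoped) policy.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "*",
        "Principal": {"AWS": "arn:aws:iam::987654321145:root"},
        "Effect": "Allow",
        "Resource": "*",
        "Sid": "",
    }],
})


if __name__ == "__main__":
    for label, policy in (("positive", OPEN_POLICY), ("negative", SCOPED_POLICY)):
        hits = find_open_statements(policy)
        print(f"{label}: {'FAIL' if hits else 'PASS'} {hits}")
```

Run it and the positive sample reports statement 0 while the negative sample reports nothing. A statement that carries a `Condition` is still reported here, since the page's rule keys only on the principal; if your playbooks rely on conditions to narrow a wildcard principal, extend the function to inspect them before deciding.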