IAM policy allows for data exfiltration
- Query id: 022f8938-4b17-420c-aca3-f917f290f322
- Query name: IAM policy allows for data exfiltration
- Platform: CloudFormation
- Severity: Medium
- Category: Resource Management
- CWE: 200
- Risk score: 3.0
- URL: Github
Description
This policy contains actions that allow information to be retrieved without restriction, which could lead to data exfiltration. The samples below are flagged for read actions such as `s3:GetObject`, `ssm:GetParameter`, `ssm:GetParametersByPath` and `secretsmanager:GetSecretValue`, or for wildcards (`s3:*`, `*`), when they are allowed on `Resource: '*'`; limit both the action list and the resource ARN to what the principal actually needs.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  CFNUser:
    Type: AWS::IAM::User
    Properties:
      LoginProfile:
        Password: 'Password'
        PasswordResetRequired: false
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - '*'
                Resource: '*'
Positive test num. 2 - json file
{
"Resources": {
"CreateTestDBPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"ssm:GetParameter",
"s3:*"
],
"Resource": "*"
}
]
},
"Users": ["TestUser"],
"Description": "Policy for creating a test database"
}
}
}
}
Positive test num. 3 - json file
{
"Resources": {
"CreateTestDBPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
},
"Users": ["TestUser"],
"Description": "Policy for creating a test database"
}
}
}
}
Positive test num. 4 - json file
Positive test num. 5 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'ssm:GetParameter'
                Resource: '*'
        - PolicyName: fullctrl
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:passrole'
                Resource: '*'
Positive test num. 6 - yaml file
Positive test num. 7 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'ssm:GetParametersByPath'
                Resource: '*'
        - PolicyName: fullctrl
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:passrole'
                Resource: '*'
Positive test num. 8 - yaml file
Positive test num. 9 - json file
{
"Resources": {
"CFNUser": {
"Type": "AWS::IAM::User",
"Properties": {
"LoginProfile": {
"Password": "Password",
"PasswordResetRequired": false
},
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
}
}
]
}
}
}
}
Positive test num. 10 - json file
Positive test num. 11 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "CFNUsers",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"safe_action_1",
"secretsmanager:GetSecretValue",
"safe_action_2"
],
"Resource": "*"
}
]
}
}
}
}
}
Positive test num. 12 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"ssm:GetParameter",
"s3:*"
],
"Resource": "*"
}
]
}
}
]
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  CFNUser:
    Type: AWS::IAM::User
    Properties:
      LoginProfile:
        Password: 'Password'
        PasswordResetRequired: false
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'safe_action'
                Resource: '*'
Negative test num. 2 - json file
{
"Resources": {
"CreateTestDBPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "safe_action",
"Resource": "*"
}
]
},
"Users": ["TestUser"],
"Description": "Policy for creating a test database"
}
}
}
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'safe_action'
                Resource: '*'
        - PolicyName: fullctrl
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:passrole'
                Resource: '*'
Negative test num. 4 - yaml file
Negative test num. 5 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'safe_action'
                Resource: '*'
        - PolicyName: fullctrl
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:passrole'
                Resource: '*'
Negative test num. 6 - yaml file
Negative test num. 7 - json file
{
"Resources": {
"CFNUser": {
"Type": "AWS::IAM::User",
"Properties": {
"LoginProfile": {
"Password": "Password",
"PasswordResetRequired": false
},
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"safe_action"
],
"Resource": "*"
}
]
}
}
]
}
}
}
}