IAM Policies With Full Privileges
- Query id: 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84
- Query name: IAM Policies With Full Privileges
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 284
- Risk score: 6.8
- URL: Github
Description
IAM policies should not allow full administrative privileges (all actions on all resources)
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: an inline role policy that allows every action ("*") on
# every resource ("*"). That single Allow statement is what this query reports.
resource "aws_iam_role_policy" "positive1" {
  role = aws_iam_role.apigateway_cloudwatch_logging.id
  name = "apigateway-cloudwatch-logging"

  # Indented heredoc: every content line shares the same indent, which
  # Terraform strips, so the policy string carries no leading whitespace.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Positive sample: the same full-privilege grant expressed through the policy
# document data source (actions "*" on resources "*").
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["*"]
    resources = ["*"]
  }
}
Positive test num. 2 - tf file
# Positive sample: a document with three statements. The second ("*" on "*")
# and the third ("iam:*" on "*") are each a full-privilege grant; the first
# statement on its own is the shape this query does not report.
# NOTE(review): all three statements reuse sid = "1". IAM requires Sids to be
# unique within one policy, so this fixture is for the scanner, not for apply.
data "aws_iam_policy_document" "example" {
  # Placeholder action; "read" is not in the service:Action form IAM uses.
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["read"]
    resources = ["*"]
  }

  # Every action on every resource.
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["*"]
    resources = ["*"]
  }

  # Every IAM action on every resource: enough to attach further policies to
  # the principal, so it is treated as full administrative access.
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["iam:*"]
    resources = ["*"]
  }
}
Positive test num. 3 - tf file
# Positive sample: "iam:*" on every resource. Unrestricted IAM access lets the
# principal grant itself anything else, so the query treats it as full
# administrative privilege.
resource "aws_iam_role_policy" "positive3" {
  role = aws_iam_role.apigateway_cloudwatch_logging.id
  name = "apigateway-cloudwatch-logging"

  # Indented heredoc with a uniform indent; Terraform strips it, leaving the
  # JSON flush-left in the resulting string.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["iam:*"],
    "Resource": "*"
    }
    ]
    }
  POLICY
}
# Positive sample: the "iam:*" on "*" grant as a policy document data source.
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["iam:*"]
    resources = ["*"]
  }
}
Positive test num. 4 - tf file
# Positive sample: an inline user policy allowing every action on every
# resource. The Allow/"*"/"*" statement is what this query reports.
resource "aws_iam_user_policy" "positive4-1" {
  user = aws_iam_user.lb.name
  name = "test"

  # Uniformly indented heredoc; Terraform removes the shared indent, so the
  # policy string holds flush-left JSON.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Positive sample: an inline user policy allowing "iam:*" on every resource,
# which this query treats as equivalent to full administrative privilege.
resource "aws_iam_user_policy" "positive4-2" {
  user = aws_iam_user.lb.name
  name = "test"

  # Uniformly indented heredoc; Terraform removes the shared indent, so the
  # policy string holds flush-left JSON.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["iam:*"],
    "Resource": "*"
    }
    ]
    }
  POLICY
}
Positive test num. 5 - tf file
# Positive sample: an inline group policy allowing every action on every
# resource. Each member of the group inherits the full-privilege grant.
resource "aws_iam_group_policy" "positive5-1" {
  group = aws_iam_group.my_developers.name
  name  = "my_developer_policy"

  # Indented heredoc; the shared indent is stripped by Terraform, leaving
  # flush-left JSON in the policy string.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Positive sample: an inline group policy allowing "iam:*" on every resource;
# the query reports this as a full-privilege grant for every group member.
resource "aws_iam_group_policy" "positive5-2" {
  group = aws_iam_group.my_developers.name
  name  = "my_developer_policy"

  # Indented heredoc; the shared indent is stripped by Terraform, leaving
  # flush-left JSON in the policy string.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["iam:*"],
    "Resource": "*"
    }
    ]
    }
  POLICY
}
Positive test num. 6 - tf file
# Positive sample: a customer-managed policy allowing every action on every
# resource. Any principal it is attached to gets full administrative access.
resource "aws_iam_policy" "positive6-1" {
  # Indented heredoc with a uniform indent, which Terraform strips; the policy
  # string is therefore flush-left JSON.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Positive sample: a customer-managed policy allowing "iam:*" on every
# resource, which this query treats as full administrative privilege.
resource "aws_iam_policy" "positive6-2" {
  # Indented heredoc with a uniform indent, which Terraform strips; the policy
  # string is therefore flush-left JSON.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["iam:*"],
    "Resource": "*"
    }
    ]
    }
  POLICY
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: the action is a single named permission rather than a
# wildcard, so this query does not report it even though the resource is "*".
resource "aws_iam_role_policy" "negative1" {
  role = aws_iam_role.apigateway_cloudwatch_logging.id
  name = "apigateway-cloudwatch-logging"

  # Uniformly indented heredoc; Terraform strips the indent, so the policy
  # string holds flush-left JSON.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["some:action"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Negative sample: a wildcard action scoped to S3 ARNs. Not reported by this
# query because the resource is not "*"; it still allows every S3 action on
# every bucket, so it deserves its own review.
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["*"]
    resources = ["arn:aws:s3:::*"]
  }
}
Negative test num. 2 - tf file
# Negative sample: a wildcard action whose resource is limited to S3 ARNs.
# This query does not report it because the grant is not over all resources.
resource "aws_iam_role_policy" "negative2" {
  role = aws_iam_role.apigateway_cloudwatch_logging.id
  name = "apigateway-cloudwatch-logging"

  # Uniformly indented heredoc; Terraform strips the indent, so the policy
  # string holds flush-left JSON.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "arn:aws:s3:::*"
    }
    ]
    }
  POLICY
}
# Negative sample: neither statement combines a wildcard action with a "*"
# resource, so this query reports nothing.
# NOTE(review): both statements use sid = "1"; IAM requires Sids to be unique
# within one policy, so this fixture is for the scanner, not for apply.
data "aws_iam_policy_document" "example" {
  # Wildcard action, but scoped to S3 ARNs.
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["*"]
    resources = ["arn:aws:s3:::*"]
  }

  # Placeholder action ("read" is not in the service:Action form IAM uses)
  # on every resource.
  statement {
    effect    = "Allow"
    sid       = "1"
    actions   = ["read"]
    resources = ["*"]
  }
}
Negative test num. 3 - tf file
# Negative sample: a single named action on every resource. No wildcard
# action, so this query does not report it.
resource "aws_iam_user_policy" "negative3-1" {
  user = aws_iam_user.lb.name
  name = "managed-policy-wildcard"

  # Indented heredoc; the common indent is stripped by Terraform, leaving
  # flush-left JSON in the policy string.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["some:action"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Negative sample: a wildcard action limited to S3 ARNs. Not over all
# resources, so this query does not report it.
resource "aws_iam_user_policy" "negative3-2" {
  user = aws_iam_user.lb.name
  name = "managed-policy-wildcard"

  # Indented heredoc; the common indent is stripped by Terraform, leaving
  # flush-left JSON in the policy string.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "arn:aws:s3:::*"
    }
    ]
    }
  POLICY
}
Negative test num. 4 - tf file
# Negative sample: an inline group policy with a single named action on every
# resource. No wildcard action, so this query does not report it.
resource "aws_iam_group_policy" "negative4-1" {
  group = aws_iam_group.my_developers.name
  name  = "my_developer_policy"

  # Uniformly indented heredoc; Terraform strips the indent, so the policy
  # string holds flush-left JSON.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["some:action"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Negative sample: an inline group policy with a wildcard action limited to
# S3 ARNs. Not over all resources, so this query does not report it.
resource "aws_iam_group_policy" "negative4-2" {
  group = aws_iam_group.my_developers.name
  name  = "my_developer_policy"

  # Uniformly indented heredoc; Terraform strips the indent, so the policy
  # string holds flush-left JSON.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "arn:aws:s3:::*"
    }
    ]
    }
  POLICY
}
Negative test num. 5 - tf file
# Negative sample: a customer-managed policy with one named action on every
# resource. No wildcard action, so this query does not report it.
resource "aws_iam_policy" "negative5-1" {
  # Indented heredoc with a uniform indent, which Terraform strips; the policy
  # string is therefore flush-left JSON.
  policy = <<-EOF
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["some:action"],
    "Resource": "*"
    }
    ]
    }
  EOF
}
# Negative sample: a customer-managed policy with a wildcard action limited to
# S3 ARNs. Not over all resources, so this query does not report it.
resource "aws_iam_policy" "negative5-2" {
  # Indented heredoc with a uniform indent, which Terraform strips; the policy
  # string is therefore flush-left JSON.
  policy = <<-POLICY
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["*"],
    "Resource": "arn:aws:s3:::*"
    }
    ]
    }
  POLICY
}