IAM Policy Grants Full Permissions
- Query id: 575a2155-6af1-4026-b1af-d5bc8fe2a904
- Query name: IAM Policy Grants Full Permissions
- Platform: Terraform
- Severity: High
- Category: Access Control
- CWE: 732
- URL: Github
Description¶
IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_iam_user" "positive1" {
name = "${local.resource_prefix.value}-user"
force_destroy = true
tags = {
Name = "${local.resource_prefix.value}-user"
Environment = local.resource_prefix.value
}
}
resource "aws_iam_access_key" "positive2" {
user = aws_iam_user.user.name
}
resource "aws_iam_user_policy" "positive3" {
name = "excess_policy"
user = aws_iam_user.user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
output "username" {
value = aws_iam_user.user.name
}
output "secret" {
value = aws_iam_access_key.user.encrypted_secret
}
Positive test num. 2 - tf file
resource "aws_iam_policy" "s3-permission" {
name = "s3-permission"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
Positive test num. 3 - tf file
resource "aws_s3_bucket_public_access_block" "example" {
count = length(var.example-arn)
bucket = var.example-id[count.index]
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
data "aws_iam_policy_document" "example-0" {
statement {
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
effect = "Allow"
actions = [
"*",
]
resources = [
var.example-arn[0],
"${var.example-arn[0]}/*",
]
}
}
resource "aws_s3_bucket_policy" "example-0" {
depends_on = [aws_s3_bucket_public_access_block.example]
bucket = var.example-id[0]
policy = data.aws_iam_policy_document.example-0.json
}
data "aws_iam_policy_document" "example-1" {
statement {
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
effect = "Allow"
actions = [
"s3:*",
]
resources = [
var.example-arn[1],
"${var.example-arn[1]}/*",
]
}
}
resource "aws_s3_bucket_policy" "example-1" {
depends_on = [aws_s3_bucket_public_access_block.example]
bucket = var.example-id[1]
policy = data.aws_iam_policy_document.example-1.json
}
data "aws_iam_policy_document" "example-2" {
statement {
principals {
type = "AWS"
#identifiers = ["*"]
identifiers = ["arn:aws:iam::123456789012:role/backup-role"]
}
effect = "Allow"
actions = [
"s3:Delete*",
]
resources = [
var.example-arn[2],
"${var.example-arn[2]}/*",
]
}
}
resource "aws_s3_bucket_policy" "example-2" {
depends_on = [aws_s3_bucket_public_access_block.example]
bucket = var.example-id[2]
policy = data.aws_iam_policy_document.example-2.json
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_iam_user" "negative1" {
name = "${local.resource_prefix.value}-user"
force_destroy = true
tags = {
Name = "${local.resource_prefix.value}-user"
Environment = local.resource_prefix.value
}
}
resource "aws_iam_access_key" "negative2" {
user = aws_iam_user.user.name
}
resource "aws_iam_user_policy" "negative3" {
name = "excess_policy"
user = aws_iam_user.user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*",
"s3:*",
"lambda:*",
"cloudwatch:*"
],
"Effect": "Allow",
"Resource": "SomeResource"
}
]
}
EOF
}
output "username" {
value = aws_iam_user.user.name
}
output "secret" {
value = aws_iam_access_key.user.encrypted_secret
}
Negative test num. 2 - tf file
resource "aws_iam_policy" "s3-permission" {
name = "s3-permission"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*",
"s3:*",
"lambda:*",
"cloudwatch:*"
],
"Effect": "Allow",
"Resource": "SomeResource"
}
]
}
EOF
}
Negative test num. 3 - tf file
resource "aws_iam_policy" "s3-permission" {
name = "s3-permission"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::aws:policy/AdministratorAccess"
}
]
}
EOF
}
Negative test num. 4 - tf file
resource "aws_s3_bucket_public_access_block" "example" {
count = length(var.example-arn)
bucket = var.example-id[count.index]
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
data "aws_iam_policy_document" "example-0" {
statement {
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
effect = "Allow"
actions = [
"*",
]
resources = [
var.example-arn[0],
]
}
}
resource "aws_s3_bucket_policy" "example-0" {
depends_on = [aws_s3_bucket_public_access_block.example]
bucket = var.example-id[0]
policy = data.aws_iam_policy_document.example-0.json
}
data "aws_iam_policy_document" "example-1" {
statement {
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
effect = "Allow"
actions = [
"s3:*",
]
resources = [
var.example-arn[1],
]
}
}
resource "aws_s3_bucket_policy" "example-1" {
depends_on = [aws_s3_bucket_public_access_block.example]
bucket = var.example-id[1]
policy = data.aws_iam_policy_document.example-1.json
}
data "aws_iam_policy_document" "example-2" {
statement {
principals {
type = "AWS"
#identifiers = ["*"]
identifiers = ["arn:aws:iam::123456789012:role/backup-role"]
}
effect = "Allow"
actions = [
"s3:DeleteObject",
]
resources = [
var.example-arn[2],
"${var.example-arn[2]}/*",
]
}
}
resource "aws_s3_bucket_policy" "example-2" {
depends_on = [aws_s3_bucket_public_access_block.example]
bucket = var.example-id[2]
policy = data.aws_iam_policy_document.example-2.json
}