IAM policy allows for data exfiltration
- Query id: ba2ed23b-52d3-45ca-be25-f6c358d45abd
- Query name: IAM policy allows for data exfiltration
- Platform: Terraform
- Severity: Medium
- Category: Resource Management
- CWE: 200 (Exposure of Sensitive Information to an Unauthorized Actor)
- Risk score: 3.0
- URL: Github
Description¶
The policy has an `Allow` statement whose actions read data or secrets — in the samples below these are `s3:GetObject`, `ssm:GetParameter`, `ssm:GetParameters`, `ssm:GetParametersByPath`, `secretsmanager:GetSecretValue`, and the wildcards `*` and `s3:*` — combined with `"Resource": "*"`. Any principal the policy is attached to can then read every matching object, parameter or secret the account's resource, bucket and KMS key policies do not separately block, which is an ready-made exfiltration path. Remediate by listing the specific ARNs under `Resource`, avoiding wildcard actions, and adding `Condition` keys where the service supports them. Note that the negative samples below only use `Deny` statements or placeholder action names; none shows an `Allow` of these actions scoped to specific ARNs, so check the query itself before assuming resource scoping alone clears the finding.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Positive: "Allow" on secretsmanager:GetSecretValue, ssm:GetParameter /
# ssm:GetParameters / ssm:GetParametersByPath and s3:GetObject with
# "Resource": "*" lets any principal this policy is attached to read every
# secret, SSM parameter and S3 object that resource or key policies do not
# separately block. kms:Decrypt on "*" compounds this: values encrypted with
# any key whose key policy trusts IAM principals can be decrypted too (the
# page does not show kms:Decrypt flagged on its own, so treat that as a
# contributing factor, not the trigger).
# Remediation: list the specific ARNs under "Resource"; the second statement
# also repeats the GetSecretValue grant from the first.
resource "aws_iam_policy" "positive1" {
name = "positive1_${var.environment}"
description = "Kai Monkey SSM Secrets Policy"
# Heredoc JSON: IAM policy documents do not permit comments inside them.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KaiMonkeySSMSecretsPolicyGet",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
},
{
"Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"ssm:GetParameters",
"ssm:GetParameter",
"s3:GetObject",
"ssm:GetParametersByPath",
"secretsmanager:GetSecretValue"
],
"Resource": "*"
}
]
}
EOF
}
Positive test num. 2 - tf file
# Positive: "Action": ["*"] with "Resource": "*" is full administrative
# access, equivalent to the AdministratorAccess managed policy. Data
# exfiltration is only one consequence; the finding is reported under this
# query because the wildcard action covers every read action it looks for.
# Remediation: enumerate the actions actually needed and scope "Resource".
resource "aws_iam_policy" "positive2" {
name = "positive2"
description = "Provides full access to AWS services and resources."
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
}
POLICY
}
Positive test num. 3 - tf file
# Positive: inline group policy granting the "*" wildcard action on every
# resource, once as a plain string and once as a single-element array. The
# two statements are functionally identical; the fixture exercises both
# syntactic forms of "Action" that the query has to match. Every member of
# the group receives full access, including all data-read actions.
# The referenced aws_iam_group.example_group is defined outside this sample.
resource "aws_iam_group_policy" "positive3" {
name = "positive3_${var.environment}"
group = aws_iam_group.example_group.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleGroupPolicyString",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Sid": "ExampleGroupPolicyArray",
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
}
EOF
}
Positive test num. 4 - tf file
# Positive: inline user policy allowing s3:GetObject on "Resource": "*".
# The user can download every object in every bucket of the account (and in
# any cross-account bucket whose bucket policy trusts this account) that is
# not blocked by a bucket policy or by a KMS key policy on SSE-KMS objects.
# Both the string and the array form of "Action" are present so the fixture
# matches either shape. Remediation: restrict "Resource" to the bucket and
# key-prefix ARNs the user actually needs.
# The referenced aws_iam_user.example_user is defined outside this sample.
resource "aws_iam_user_policy" "positive4" {
name = "positive4_${var.environment}"
user = aws_iam_user.example_user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleUserPolicyString",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*"
},
{
"Sid": "ExampleUserPolicyArray",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
}
]
}
EOF
}
Positive test num. 5 - tf file
# Positive: inline role policy allowing ssm:GetParameters on "Resource": "*".
# Anyone who can assume the role can read every Parameter Store value in the
# account, including SecureString values wherever the KMS key policy permits
# the decryption. Both the string and the array form of "Action" are present
# so the fixture matches either shape. Remediation: restrict "Resource" to
# the parameter ARNs (or a path prefix) the role actually needs.
# The referenced aws_iam_role.example_role is defined outside this sample.
resource "aws_iam_role_policy" "positive5" {
name = "positive5_${var.environment}"
role = aws_iam_role.example_role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleRolePolicyString",
"Effect": "Allow",
"Action": "ssm:GetParameters",
"Resource": "*"
},
{
"Sid": "ExampleRolePolicyArray",
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": "*"
}
]
}
EOF
}
Positive test num. 6 - tf file
# Positive: the HCL-native aws_iam_policy_document form. This single statement
# lists every action the page shows as triggering the finding — the named
# read actions for S3, SSM and Secrets Manager plus the "*" and "s3:*"
# wildcards — all against resources = ["*"]. Any one of them is enough; the
# fixture packs them together so the query is exercised on each.
data "aws_iam_policy_document" "positive6" {
statement {
sid = "positive6"
effect = "Allow"
actions = [
"s3:GetObject",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"secretsmanager:GetSecretValue",
"*",
"s3:*",
]
resources = ["*"]
}
}
# Positive: policy document with two statements, showing the finding is
# raised per statement — the first allows s3:GetObject on "*", the second the
# "*" wildcard on "*". The second statement alone already grants full access,
# so the first is redundant in practice.
data "aws_iam_policy_document" "positive6_array" {
statement {
sid = "positive6_array_1"
effect = "Allow"
actions = [
"s3:GetObject"
]
resources = ["*"]
}
statement {
sid = "positive6_array_2"
effect = "Allow"
actions = [
"*"
]
resources = ["*"]
}
}
Positive test num. 7 - tf file
# Positive: the same unrestricted secretsmanager:GetSecretValue grant, but
# passed as the "policy" argument of the community iam-policy module rather
# than a resource. Its presence as a positive sample shows the query also
# inspects policy documents handed to module calls, so wrapping a policy in a
# module does not hide it. The "<<-EOF" heredoc strips leading indentation.
module "iam_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
name_prefix = "positive7"
path = "/"
description = "My example policy"
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative: passes only because "safe_string_action" / "safe_array_action"
# are not among the read actions the query looks for. They are not valid IAM
# actions either (no "service:" prefix), so AWS would reject this document on
# apply — it is a matcher fixture, not a remediation template. Note that
# "Resource": "*" is still present: the page gives no evidence the query
# considers the resource field at all.
resource "aws_iam_policy" "negative1" {
name = "negative1_${var.environment}"
description = "Kai Monkey SSM Secrets Policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KaiMonkeySSMSecretsPolicyGet",
"Effect": "Allow",
"Action": "safe_string_action",
"Resource": "*"
},
{
"Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
"Effect": "Allow",
"Action": [
"safe_array_action"
],
"Resource": "*"
}
]
}
EOF
}
Negative test num. 2 - tf file
# Negative: the flagged actions (s3:GetObject, ssm:GetParameter) appear with
# "Effect": "Deny", so the policy grants nothing and cannot be an
# exfiltration path; the query evidently keys on the effect as well as the
# action. A Deny-only policy gives the group no working access, so this is a
# fixture for the matcher rather than a pattern to copy — real remediation is
# an "Allow" scoped to specific ARNs.
# The referenced aws_iam_group.example_group is defined outside this sample.
resource "aws_iam_group_policy" "negative10" {
name = "negative10_${var.environment}"
group = aws_iam_group.example_group.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleGroupPolicyString",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": "*"
},
{
"Sid": "ExampleGroupPolicyArray",
"Effect": "Deny",
"Action": [
"ssm:GetParameter"
],
"Resource": "*"
}
]
}
EOF
}
Negative test num. 3 - tf file
# Negative: ssm:GetParameters and ssm:GetParametersByPath are both on the
# flagged list, but here they are denied rather than allowed, so no read
# access is granted. Deny-only inline user policies are a matcher fixture;
# they do not demonstrate how to write a compliant "Allow".
# The referenced aws_iam_user.example_user is defined outside this sample.
resource "aws_iam_user_policy" "negative11" {
name = "negative11_${var.environment}"
user = aws_iam_user.example_user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleUserPolicyString",
"Effect": "Deny",
"Action": "ssm:GetParameters",
"Resource": "*"
},
{
"Sid": "ExampleUserPolicyArray",
"Effect": "Deny",
"Action": [
"ssm:GetParametersByPath"
],
"Resource": "*"
}
]
}
EOF
}
Negative test num. 4 - tf file
# Negative: secretsmanager:GetSecretValue and the "s3:*" wildcard are denied.
# Compare positive6, where "s3:*" appears under "Allow" and is flagged — the
# same action string is fine here solely because of "Effect": "Deny". An
# explicit Deny like this also overrides any Allow from other attached
# policies, which is a legitimate guard-rail use, but it grants nothing
# itself.
# The referenced aws_iam_role.example_role is defined outside this sample.
resource "aws_iam_role_policy" "negative12" {
name = "negative12_${var.environment}"
role = aws_iam_role.example_role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleRolePolicyString",
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
},
{
"Sid": "ExampleRolePolicyArray",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
EOF
}
Negative test num. 5 - tf file
# Negative: same shape as positive3 but with placeholder action names that
# are not on the flagged list. "safe_string_action" / "safe_array_action"
# lack a "service:" prefix and are not valid IAM actions, so this document
# would be rejected on apply; it only proves the matcher ignores unknown
# actions. "Resource": "*" is unchanged from the positive case.
# The referenced aws_iam_group.example_group is defined outside this sample.
resource "aws_iam_group_policy" "negative2" {
name = "negative2_${var.environment}"
group = aws_iam_group.example_group.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleGroupPolicyString",
"Effect": "Allow",
"Action": "safe_string_action",
"Resource": "*"
},
{
"Sid": "ExampleGroupPolicyArray",
"Effect": "Allow",
"Action": [
"safe_array_action"
],
"Resource": "*"
}
]
}
EOF
}
Negative test num. 6 - tf file
# Negative: same shape as positive4 with placeholder action names that are
# not on the flagged list and are not valid IAM actions (no "service:"
# prefix). A matcher fixture only — a deployable compliant policy would name
# real actions and scope "Resource" to specific ARNs.
# The referenced aws_iam_user.example_user is defined outside this sample.
resource "aws_iam_user_policy" "negative3" {
name = "negative3_${var.environment}"
user = aws_iam_user.example_user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleUserPolicyString",
"Effect": "Allow",
"Action": "safe_string_action",
"Resource": "*"
},
{
"Sid": "ExampleUserPolicyArray",
"Effect": "Allow",
"Action": [
"safe_array_action"
],
"Resource": "*"
}
]
}
EOF
}
Negative test num. 7 - tf file
# Negative: same shape as positive5 with placeholder action names that are
# not on the flagged list and are not valid IAM actions (no "service:"
# prefix). A matcher fixture only — a deployable compliant policy would name
# real actions and scope "Resource" to specific ARNs.
# The referenced aws_iam_role.example_role is defined outside this sample.
resource "aws_iam_role_policy" "negative4" {
name = "negative4_${var.environment}"
role = aws_iam_role.example_role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleRolePolicyString",
"Effect": "Allow",
"Action": "safe_string_action",
"Resource": "*"
},
{
"Sid": "ExampleRolePolicyArray",
"Effect": "Allow",
"Action": [
"safe_array_action"
],
"Resource": "*"
}
]
}
EOF
}