Homepage
About Snyk

IAM policy grants full administrative rights Affecting IAM service in AWS

0.0
high
    Severity Framework Snyk CCSS
    Rule category IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM ISO-27001 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00025
  • credit Snyk Research Team
Report a new misconfiguration Found a mistake?

Description

IAM policies should start with a minimum set of permissions and include more as needed rather than starting with full administrative privileges. Providing full administrative privileges when unnecessary exposes resources to potentially unwanted actions.

How to fix?

Configure the aws_iam_policy, aws_iam_group_policy, aws_iam_role_policy, aws_iam_user_policy, or aws_iam_policy_document so the effect is not set to "Allow" and actions and resources are not set to *.

Example Configuration

# Example aws_iam_policy
resource "aws_iam_policy" "my_test_policy_1" {
  name        = "test_policy_1"
  path        = "/"
  description = "My test policy 1"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:StartInstances"],
      "Effect": "Allow",
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Example aws_iam_policy_document
data "aws_iam_policy_document" "my_test_policy_2_policy" {
  statement {
    effect = "Allow"
    actions = ["ec2:StartInstances"]
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    actions = ["*"]
    resources = ["${aws_iam_policy.my_test_policy_1.arn}"]
  }

  statement {
    effect = "Deny"
    actions = ["*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "my_test_policy_2" {
  name        = "test_policy_2"
  path        = "/"
  description = "My test policy 2"
  policy = "${data.aws_iam_policy_document.my_test_policy_2_policy.json}"
}