IAM policies allow broad list actions on S3 buckets Affecting IAM service in AWS

Snyk CCSS

IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CSA-CCM ISO-27001 SOC-2

Snyk ID SNYK-CC-00120
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

If a malicious actor gains access to a role with a policy that includes broad list actions such as ListAllMyBuckets, they would be able to enumerate all buckets and potentially extract sensitive data.

How to fix?

Ensure that the policy attribute is set to a policy that does not have wildcard actions.

Following actions are forbidden when they are combined with an unscoped resource.

Actions:

s3:*
s3:List*
s3:ListAllMyBuckets

Resources:

*
^arn:aws[-0-9a-z]*:s3:::[*]$

Example Configuration

resource "aws_iam_policy" "valid" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:PutObject",
          "s3:CreateBucket",
          "s3:GetBucketLocation"
        ]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::foobar"
      }
    ]
  })
}

resource "aws_iam_policy" "valid" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = ["s3:List*"]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::my-bucket-0123456789"
      }
    ]
  })
}

Terraform

References

Controlling access to AWS resources using policies