IAM role attached to instance profile allows broad list actions on S3 buckets Affecting EC2 service in AWS

Severity Framework Snyk CCSS

Rule category IAM / Least Privilege

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-Google CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00208
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Instance profiles contain trust policies that enable EC2 instances to assume IAM roles. A compromised EC2 instance with an IAM role allowing broad list actions on S3 buckets could survey all buckets and potentially access sensitive data.

How to fix?

Remove any invalid actions from the aws_iam_policy or the inline policy in the aws_iam_role or aws_iam_role_policy associated with an aws_iam_instance_profile.

Invalid actions:

"s3:ListAllMyBuckets"
"s3:*"
"s3:List*"

Example Configuration

resource "aws_iam_policy" "policy" {
  name        = "aa_rego_iam_policy"
  path        = "/"
  description = "My test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
                "s3:ListBucket",
                "s3:HeadBucket"
            ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Terraform

References

Using instance profiles