Severity Framework: Snyk CCSS
Rule category: IAM / Policy
- Snyk ID SNYK-CC-00267
- credit Snyk Research Team
Description
Wildcard principal has been specified in Glacier Vault access policy. For resource-based policies, using a wildcard (*) with an Allow effect grants access to all users, including anonymous users (public access).
How to fix?
Set the access_policy.Statement.Principal attribute in aws_glacier_vault to a value other than "*" or {"AWS": "*"}, or set the Statement.Effect attribute in aws_glacier_vault to Deny.
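The check described above, as an added example that is not Snyk's own rule implementation: a small Python function that parses a vault access policy document and reports every statement that pairs a wildcard principal (the bare "*" string, {"AWS": "*"}, or a list of principals containing "*") with an Allow effect. Deny statements with a wildcard principal, like the one in the Example Configuration, are intentionally not reported. The policy documents, Sids, account id and vault ARNs in the block are constructed placeholders.

```python
"""Report Glacier vault access policy statements that grant to a wildcard
principal with Effect Allow (the condition SNYK-CC-00267 flags).

Added example, not Snyk's own checker. The sample policies below are
constructed for illustration; account ids and vault ARNs are placeholders.
"""
from __future__ import annotations

import json
from typing import Any, List

WILDCARD = "*"


def principal_is_wildcard(principal: Any) -> bool:
    """Return True if a Principal element grants to everyone.

    Handles the forms a resource-based policy allows: the bare string "*",
    the map {"AWS": "*"}, and a map whose value is a list containing "*".
    """
    if principal == WILDCARD:
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if value == WILDCARD:
                return True
            if isinstance(value, list) and WILDCARD in value:
                return True
    return False


def find_public_statements(policy_json: str) -> List[str]:
    """Return the Sid (or a positional label) of every statement that
    combines a wildcard principal with Effect Allow."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    findings: List[str] = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with "*" is the recommended fix, not a finding
        if principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample policies (placeholder account id 111111111111).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "public-read", "Effect": "Allow", "Principal": "*",
         "Action": "glacier:GetVaultAccessPolicy",
         "Resource": "arn:aws:glacier:us-east-1:111111111111:vaults/demo"},
        {"Sid": "scoped-write", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/backup"},
         "Action": "glacier:UploadArchive",
         "Resource": "arn:aws:glacier:us-east-1:111111111111:vaults/demo"},
    ],
})

LIST_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {  # single statement object, AWS map with a list value
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "*"]},
        "Action": "glacier:InitiateJob",
        "Resource": "arn:aws:glacier:us-east-1:111111111111:vaults/demo",
    },
})

DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "disable-permissions", "Effect": "Deny", "Principal": "*",
         "Action": ["glacier:DeleteArchive", "glacier:CreateVault"],
         "Resource": "arn:aws:glacier:us-east-1:111111111111:vaults/demo"},
    ],
})


if __name__ == "__main__":
    for name, doc in [("PUBLIC_POLICY", PUBLIC_POLICY),
                      ("LIST_WILDCARD_POLICY", LIST_WILDCARD_POLICY),
                      ("DENY_POLICY", DENY_POLICY)]:
        print(name, "->", find_public_statements(doc) or "no findings")
```

Running the block prints the public statements in PUBLIC_POLICY and LIST_WILDCARD_POLICY and reports no findings for DENY_POLICY; the same function can be pointed at the JSON produced by terraform show or the policy returned by the Glacier API.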
Example Configuration
resource "aws_glacier_vault" "allowed3" {
  name = "allowed3"
  access_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        "Sid" : "disable-permissions"
        "Principal" : "*"
        "Action" : [
          "glacier:AbortVaultLock",
          "glacier:CreateVault",
          "glacier:DeleteArchive",
          "glacier:DeleteVaultAccessPolicy",
          "glacier:AbortMultipartUpload"
        ]
        "Effect" : "Deny"
        "Resource" : "arn:aws:glacier:us-east-1:824152625835:vaults/allowed3"
      },
    ]
  })
}