Wildcard principal in Glacier Vault access policy Affecting Glacier service in AWS


Severity

high
    Severity Framework
    Snyk CCSS
    Rule category
    IAM / Policy

  • Snyk ID SNYK-CC-00267
  • credit Snyk Research Team

Description

A wildcard principal has been specified in the Glacier Vault access policy. In a resource-based policy such as a vault access policy, a Principal of * (or {"AWS": "*"}) combined with an Allow effect grants the listed actions to every caller, including anonymous users, so the vault is effectively public. The same wildcard in a Deny statement does not grant anything and is not flagged by this rule.

How to fix?

Set the access_policy.Statement.Principal attribute in aws_glacier_vault to a specific principal (for example an IAM role or account ARN) rather than * or {"AWS": "*"}, or set the Statement.Effect attribute in aws_glacier_vault to Deny. Only Allow statements with a wildcard principal open the vault to everyone; a Deny statement with a wildcard principal restricts access and is the compliant pattern shown in the example below.
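The check described above, as an added example that is not part of this Snyk rule page: a small Python checker that evaluates the JSON policy document passed to access_policy and reports every Allow statement whose Principal is a wildcard (either the bare string * or {"AWS": "*"}, including * inside a list). It goes slightly beyond the page by also handling a single Statement object rather than a list and by noting whether a flagged statement carries a Condition, which a reviewer usually wants to know before deciding whether the exposure is real. The two policy documents, the account ID and the function names are constructed for this example.

```python
"""Flag wildcard principals in Glacier vault access policies (added example)."""
import json
from typing import Any

# Constructed sample 1: the non-compliant pattern this rule fires on.
# Allow + Principal "*" makes the listed actions available to everyone.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "public-upload",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["glacier:UploadArchive", "glacier:DeleteArchive"],
        "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/example",
    }],
})

# Constructed sample 2: compliant. The first statement allows only a specific
# role; the second uses a wildcard principal but with Effect Deny, which
# removes rather than grants access and is therefore not flagged.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "backup-role-only",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
            "Action": ["glacier:UploadArchive"],
            "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/example",
        },
        {
            "Sid": "disable-permissions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["glacier:DeleteArchive", "glacier:AbortVaultLock"],
            "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/example",
        },
    ],
})


def principal_is_wildcard(principal: Any) -> bool:
    """True for "*", {"AWS": "*"} or an AWS list that contains "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that has a wildcard principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with "*" restricts access; not a finding
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "index": index,
            "sid": stmt.get("Sid"),
            "actions": actions if isinstance(actions, list) else [actions],
            # A Condition may narrow who "*" really is; still report it,
            # but surface the fact so a reviewer can judge the exposure.
            "conditional": "Condition" in stmt,
        })
    return findings


def is_compliant(policy_json: str) -> bool:
    """Policy passes the rule when no Allow statement uses a wildcard principal."""
    return not find_public_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, "->", "OK" if is_compliant(doc) else find_public_statements(doc))
```

The checker deliberately treats a Condition on a flagged statement as informational rather than as an exemption: the rule on this page fires on the wildcard principal itself, and whether a condition such as a source-VPC or source-account restriction actually closes the exposure is a judgement the reviewer should make with the full policy in front of them.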

Example Configuration (Terraform)

# Compliant: the access policy uses a wildcard principal, but with Effect "Deny",
# so it takes the listed actions away from everyone instead of granting them.
resource "aws_glacier_vault" "allowed3" {
  name = "allowed3"
  access_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        "Sid"      : "disable-permissions"
        "Principal": "*"
        "Action"   : [
          "glacier:AbortVaultLock",
          "glacier:CreateVault",
          "glacier:DeleteArchive",
          "glacier:DeleteVaultAccessPolicy",
          "glacier:AbortMultipartUpload"
        ]
        # "Deny" is what keeps this wildcard principal compliant; with
        # "Allow" the same statement would make the vault public.
        "Effect"   : "Deny"
        "Resource" : "arn:aws:glacier:us-east-1:824152625835:vaults/allowed3"
      },
    ]
  })
}