Homepage

IAM policy grants full administrative rights Affecting IAM service in AWS

Severity

0.0
high
0
10
Severity Framework
Snyk CCSS
Rule category
IAM/ Least Privilege

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
AWS-Well-ArchitectedCIS-AWSCIS-ControlsCSA-CCMISO-27001PCI-DSSSOC-2
  • Snyk IDSNYK-CC-00025
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

IAM policies should start with a minimum set of permissions and include more as needed rather than starting with full administrative privileges. Providing full administrative privileges when unnecessary exposes resources to potentially unwanted actions.

How to fix?

Configure the aws_iam_policy, aws_iam_group_policy, aws_iam_role_policy, aws_iam_user_policy, or aws_iam_policy_document so the effect is not set to "Allow" and actions and resources are not set to *.

Example configuration:

# Example aws_iam_policy
resource "aws_iam_policy" "my_test_policy_1" {
  name        = "test_policy_1"
  path        = "/"
  description = "My test policy 1"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:StartInstances"],
      "Effect": "Allow",
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Example aws_iam_policy_document
data "aws_iam_policy_document" "my_test_policy_2_policy" {
  statement {
    effect = "Allow"
    actions = ["ec2:StartInstances"]
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    actions = ["*"]
    resources = ["${aws_iam_policy.my_test_policy_1.arn}"]
  }

  statement {
    effect = "Deny"
    actions = ["*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "my_test_policy_2" {
  name        = "test_policy_2"
  path        = "/"
  description = "My test policy 2"
  policy = "${data.aws_iam_policy_document.my_test_policy_2_policy.json}"
}