CCSS (Common Configuration Scoring System) is the scoring scheme used to rate the severity of each rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Lower access-management complexity in turn reduces the chance that a principal inadvertently receives, or retains, excessive privileges.
Use aws_iam_group_policy or aws_iam_role_policy resources to declare the policy inline, or attach the policy to aws_iam_group or aws_iam_role resources.
Example configuration:
resource "aws_iam_group_policy" "example" {
  name  = "my_group_policy"
  group = aws_iam_group.my_group.name

  # Every statement in an identity-based policy needs a Resource element;
  # without it the policy is rejected as malformed at apply time.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:ListAllMyBuckets"]
        Effect   = "Deny"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_group" "my_group" {
  name = "my_group"
  path = "/users/"
}
Configure a Policies field for an AWS::IAM::Group or AWS::IAM::Role, or configure a Groups or Roles field for an AWS::IAM::Policy.
JSON example configuration:
{
  "Group01": {
    "Type": "AWS::IAM::Group"
  },
  "ValidPolicy01": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "Groups": [
        { "Ref": "Group01" }
      ],
      "PolicyName": "valid_policy_01",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": [
            "ec2:StartInstances"
          ],
          "Resource": [
            "*"
          ]
        }
      }
    }
  }
}
YAML example configuration:
Group01:
  Type: AWS::IAM::Group
ValidPolicy01:
  Type: AWS::IAM::Policy
  Properties:
    Groups:
      - !Ref Group01
    PolicyName: valid_policy_01
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Action:
          - 'ec2:StartInstances'
        Resource:
          - '*'
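As an added example (not code from the rule page or from any vendor tool), the following Python check parses a JSON CloudFormation template and reports every resource that binds a policy directly to an IAM user instead of to a group or role, which is the condition the rule above asks you to avoid. The page does not enumerate the violating patterns, so the set of user-binding properties, the function names and the sample template are this example's own assumptions; the sample is constructed and includes the page's group-bound policy beside two user-bound variants.

```python
import json

# Properties that bind a policy straight to an IAM user, keyed by resource type.
# Assumption of this example: the rule page does not list these, they are drawn
# from the CloudFormation IAM resource types.
USER_BINDINGS = {
    "AWS::IAM::Policy": ("Users",),
    "AWS::IAM::ManagedPolicy": ("Users",),
    "AWS::IAM::User": ("Policies", "ManagedPolicyArns"),
    "AWS::IAM::UserPolicy": ("UserName",),
}


def find_user_level_privileges(template):
    """Return one finding per resource that grants privileges at the user level.

    Group- and role-level bindings (Groups/Roles on a policy, Policies on a
    group or role) are the remediation the rule asks for and are not reported.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        for prop in USER_BINDINGS.get(rtype, ()):
            # An empty list or null value is treated as "not bound to a user".
            if props.get(prop):
                findings.append(
                    {"resource": logical_id, "type": rtype, "property": prop}
                )
    return findings


def check_template_json(text):
    """Parse a JSON CloudFormation template and return its findings."""
    return find_user_level_privileges(json.loads(text))


# Shared policy document for the constructed sample below.
START_INSTANCES = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["ec2:StartInstances"],
        "Resource": ["*"],
    },
}

# Constructed sample template: the page's compliant group-bound policy
# (ValidPolicy01) next to two user-bound resources the rule would flag.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Group01": {"Type": "AWS::IAM::Group"},
        "ValidPolicy01": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "Groups": [{"Ref": "Group01"}],
                "PolicyName": "valid_policy_01",
                "PolicyDocument": START_INSTANCES,
            },
        },
        "User01": {"Type": "AWS::IAM::User"},
        "UserBoundPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "Users": [{"Ref": "User01"}],
                "PolicyName": "user_bound_policy",
                "PolicyDocument": START_INSTANCES,
            },
        },
        "UserWithInlinePolicy": {
            "Type": "AWS::IAM::User",
            "Properties": {
                "Policies": [
                    {"PolicyName": "inline", "PolicyDocument": START_INSTANCES}
                ],
            },
        },
    }
})


if __name__ == "__main__":
    for f in check_template_json(SAMPLE_TEMPLATE):
        print(f"{f['resource']} ({f['type']}): privileges bound to a user via {f['property']}")
```

Running the block reports UserBoundPolicy and UserWithInlinePolicy and stays silent on ValidPolicy01, because the check keys only on the user-binding properties and never on the policy document itself; a YAML template would need a CloudFormation-aware loader for the !Ref tags before the same function could be applied.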