CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
If a malicious actor gains access to a role with a policy that includes broad list actions such as ListAllMyBuckets, they would be able to enumerate all buckets and potentially extract sensitive data.
Ensure that the policy attribute is set to a policy that does not have wildcard actions.
The following actions are forbidden when they are combined with an unscoped resource.
Actions:
  s3:*
  s3:List*
  s3:ListAllMyBuckets
Resources (either of the following counts as unscoped):
  *
  any ARN matching ^arn:aws[-0-9a-z]*:s3:::[*]$ (for example arn:aws:s3:::*)
Example configuration:

resource "aws_iam_policy" "valid" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:PutObject",
          "s3:CreateBucket",
          "s3:GetBucketLocation"
        ]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::foobar"
      }
    ]
  })
}

resource "aws_iam_policy" "valid" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:List*"]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::my-bucket-0123456789"
      }
    ]
  })
}
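A hypothetical checker that implements the rule above, added here as an example (it is not the scanner's own code): it parses the JSON policy document that jsonencode produces and reports every Allow statement that pairs one of the listed actions with an unscoped resource, handling the string-or-list forms IAM permits for Action and Resource. The sample policies are constructed for the demonstration.

```python
import json
import re

# Actions the rule forbids on an unscoped resource (from the rule text; IAM action names are case-insensitive).
FORBIDDEN_ACTIONS = {"s3:*", "s3:list*", "s3:listallmybuckets"}
# Unscoped resource: a bare "*" or an S3 ARN whose resource part is only "*" (pattern from the rule text).
UNSCOPED_RESOURCE = re.compile(r"^arn:aws[-0-9a-z]*:s3:::[*]$")


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _is_unscoped(resource):
    return resource == "*" or UNSCOPED_RESOURCE.match(resource) is not None


def find_violations(policy_json):
    """Return (statement_index, action, resource) for each forbidden action/resource pairing."""
    policy = json.loads(policy_json)
    violations = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement grants nothing, so it cannot enable enumeration
        bad_actions = [a for a in _as_list(stmt.get("Action")) if a.lower() in FORBIDDEN_ACTIONS]
        bad_resources = [r for r in _as_list(stmt.get("Resource")) if _is_unscoped(r)]
        for action in bad_actions:
            for resource in bad_resources:
                violations.append((idx, action, resource))
    return violations


# Constructed sample: the first statement violates the rule on both of its resources.
VIOLATING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": ["*", "arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
})

# Constructed sample mirroring the page's second valid example: s3:List* scoped to one bucket.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:List*"], "Resource": "arn:aws:s3:::my-bucket-0123456789"}],
})

if __name__ == "__main__":
    print(find_violations(VIOLATING_POLICY))  # two violations from statement 0
    print(find_violations(COMPLIANT_POLICY))  # []
```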