CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00208
- creditSnyk Research Team
Description
Instance profiles contain trust policies that enable EC2 instances to assume IAM roles. A compromised EC2 instance with an IAM role allowing broad list actions on S3 buckets could survey all buckets and potentially access sensitive data.
How to fix?
Remove any invalid actions from the aws_iam_policy or the inline policy in the aws_iam_role or aws_iam_role_policy associated with an aws_iam_instance_profile.
Invalid actions:
"s3:ListAllMyBuckets""s3:*""s3:List*"
Example Configuration
resource "aws_iam_policy" "policy" {
name = "aa_rego_iam_policy"
path = "/"
description = "My test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:HeadBucket"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}