Severity Framework
Snyk CCSS
Rule category
IAM / Least Privilege
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-Architected
CIS-Google
CSA-CCM
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00208
- credit Snyk Research Team
Description
Instance profiles contain trust policies that enable EC2 instances to assume IAM roles. A compromised EC2 instance with an IAM role allowing broad list actions on S3 buckets could survey all buckets and potentially access sensitive data.
How to fix?
Remove any invalid actions from the aws_iam_policy
or the inline policy in the aws_iam_role
or aws_iam_role_policy
associated with an aws_iam_instance_profile
.
Invalid actions:
"s3:ListAllMyBuckets"
"s3:*"
"s3:List*"
Example Configuration
resource "aws_iam_policy" "policy" {
name = "aa_rego_iam_policy"
path = "/"
description = "My test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:HeadBucket"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}