Glue policy has wildcard principal Affecting Glue service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Policy

Frameworks: CSA-CCM, ISO-27001, SOC-2
Snyk ID: SNYK-CC-00237
Credit: Snyk Research Team

Description

A wildcard principal ("Principal": "*" or "Principal": {"AWS": "*"}) has been specified in the Glue resource policy. The Glue resource policy is attached to the account's Data Catalog, so an Allow statement with a wildcard principal grants the listed actions to any authenticated IAM principal, from this account or any other AWS account, unless a Condition element narrows the grant. Every entity that matches the wildcard can make a request for the listed actions or operations on the catalog resources named in the statement.

How to fix?

Set the policy.Statement.Principal or policy.Statement.Principal.AWS attribute of the aws_glue_resource_policy resource to a value other than "*": name the specific account, role or user ARNs that need access, and keep the Action list to the operations they actually use. The configuration below is the compliant form; it grants a set of read-only Glue actions to a single named IAM user instead of to everyone.

Example Configuration


resource "aws_glue_resource_policy" "allow" {
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        # A named principal instead of the wildcard "*" this rule flags
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::123456789012:user/terraform-snyk",
          ]
        },
        "Effect" : "Allow",
        # Read-only catalog actions only; no Create*/Update*/Delete*
        "Action" : [
          "glue:GetDatabases",
          "glue:GetPartitions",
          "glue:GetTable",
          "glue:GetTables",
          "glue:GetConnection"
        ],
        "Resource" : [
          "arn:aws:glue:us-east-1:123456789012:*"
        ]
      }
    ]
  })
}
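The check this rule performs can be reproduced against the rendered policy document (the JSON that jsonencode produces, or the output of aws glue get-resource-policy). The script below is an added example written for this page, not Snyk's rule implementation or Terraform code from the page. It walks the Statement list, reports every Allow statement whose Principal is a wildcard in any of the three shapes IAM accepts, and ignores Deny statements because a Deny on "*" restricts rather than grants. The two policy documents, the account ID and the aws:PrincipalOrgID value "o-example" are constructed test data; the compliant document is the policy from the configuration above.

```python
import json

WILDCARD = "*"


def _principal_is_wildcard(principal):
    """Return True if the Principal element matches everyone.

    IAM accepts three shapes for an everyone-principal: the bare string "*",
    the map {"AWS": "*"}, and a list under "AWS" that contains "*".
    """
    if principal == WILDCARD:
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == WILDCARD:
            return True
        if isinstance(aws, list) and WILDCARD in aws:
            return True
    return False


def find_wildcard_principals(policy_json):
    """Return one finding per Allow statement whose Principal is a wildcard.

    A finding records the statement index, its actions and whether a
    Condition block is present. A Condition narrows who the grant applies
    to, but the principal is still a wildcard, so the statement is still
    reported (the caller can decide how to treat conditioned grants).
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]  # a single statement may be written without the list
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with Principal "*" is a restriction, not a grant
        if _principal_is_wildcard(stmt.get("Principal")):
            findings.append({
                "statement": idx,
                "actions": stmt.get("Action"),
                "has_condition": "Condition" in stmt,
            })
    return findings


# Constructed sample: the non-compliant shapes this rule flags, plus a Deny
# that uses "*" legitimately. The org ID and account are made up.
NON_COMPLIANT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "glue:GetTables",
         "Resource": "arn:aws:glue:us-east-1:123456789012:*"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "*"]},
         "Action": ["glue:GetDatabases"],
         "Resource": "arn:aws:glue:us-east-1:123456789012:*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
        {"Effect": "Deny", "Principal": "*",
         "Action": "glue:DeleteDatabase",
         "Resource": "*"},
    ],
})

# The compliant policy from the example configuration on this page.
COMPLIANT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Principal": {"AWS": ["arn:aws:iam::123456789012:user/terraform-snyk"]},
         "Effect": "Allow",
         "Action": ["glue:GetDatabases", "glue:GetPartitions", "glue:GetTable",
                    "glue:GetTables", "glue:GetConnection"],
         "Resource": ["arn:aws:glue:us-east-1:123456789012:*"]},
    ],
})

if __name__ == "__main__":
    for name, doc in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(name, find_wildcard_principals(doc))
```

Running the script reports statements 0 and 1 of the non-compliant document (the second with has_condition set to True) and nothing for the compliant one. To check a deployed policy, feed the PolicyInJson field returned by aws glue get-resource-policy into find_wildcard_principals.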