Glue policy has wildcard action Affecting Glue service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Policy

Frameworks: CSA-CCM, ISO-27001, SOC-2
  • Snyk ID: SNYK-CC-00259
  • Credit: Snyk Research Team

Description

The Glue resource policy grants a wildcard action (glue:*), which should not be used. A wildcard action grants the listed principals every current and future Glue API operation, so a policy intended to allow a few read operations can also permit creating, modifying or deleting databases, tables, jobs and crawlers. Best practice is to grant only the actions the principal actually requires, listed explicitly.

How to fix?

Set the policy.Statement.Action attribute of the aws_glue_resource_policy resource to an explicit list of the required Glue actions (for example glue:GetStatement) instead of the wildcard glue:*. A bare * action is equally broad and should be replaced the same way.

Example Configuration

resource "aws_glue_resource_policy" "allowed" {
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::123456789012:user/terraform-snyk"
          ]
        },
        "Effect" : "Allow",
        # Explicit actions only; no glue:* wildcard
        "Action" : [
          "glue:CreateSession",
          "glue:RunStatement",
          "glue:GetStatement",
          "glue:ListStatements"
        ],
        "Resource" : [
          "arn:aws:glue:us-east-1:123456789012:*"
        ]
      }
    ]
  })
}
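The following is an added example, not part of the Snyk rule page or of the Terraform provider: a small Python check that takes the JSON document a jsonencode() call produces and reports every Allow statement granting a wildcard Glue action. It goes slightly beyond the rule as stated above: besides glue:* and the bare *, it also flags partial wildcards such as glue:Get* and Allow statements that use NotAction (which grant everything except the listed actions). Deny statements are deliberately ignored, since a wildcard there narrows access rather than widening it. The function names and both sample policies are constructed for this example.

```python
import json

# Constructed sample: the misconfiguration this rule flags (Allow + glue:*),
# plus a Deny statement that also uses glue:* but is not a finding.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": {"AWS": ["arn:aws:iam::123456789012:user/terraform-snyk"]},
            "Effect": "Allow",
            "Action": "glue:*",
            "Resource": "arn:aws:glue:us-east-1:123456789012:*",
        },
        {
            "Principal": {"AWS": "*"},
            "Effect": "Deny",
            "Action": ["glue:*"],
            "Resource": "arn:aws:glue:us-east-1:123456789012:*",
        },
    ],
})

# Constructed sample mirroring the fixed configuration above: explicit actions only.
EXPLICIT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": {"AWS": ["arn:aws:iam::123456789012:user/terraform-snyk"]},
            "Effect": "Allow",
            "Action": [
                "glue:CreateSession",
                "glue:RunStatement",
                "glue:GetStatement",
                "glue:ListStatements",
            ],
            "Resource": ["arn:aws:glue:us-east-1:123456789012:*"],
        }
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action, service="glue"):
    """True if the action string matches more than one API operation of `service`.

    Covers the bare "*", "glue:*" and partial wildcards such as "glue:Get*".
    IAM compares action names case-insensitively, so this check does too.
    Hypothetical helper written for this example.
    """
    if action.strip() == "*":
        return True
    svc, sep, name = action.partition(":")
    if not sep or svc.lower() != service.lower():
        return False
    return name == "" or "*" in name


def wildcard_actions(policy_json, service="glue"):
    """Return (statement index, action) pairs for each Allow statement that
    grants a wildcard action for `service`. Deny statements are skipped."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if is_wildcard_action(action, service):
                findings.append((idx, action))
        # Allow + NotAction grants everything except the listed actions,
        # which is broader than any explicit list, so report it as well.
        if "NotAction" in stmt:
            findings.append((idx, "NotAction"))
    return findings


if __name__ == "__main__":
    for label, doc in (("wildcard", WILDCARD_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(label, wildcard_actions(doc))
```

Run against the weak policy the check returns [(0, "glue:*")]; against the explicit policy it returns an empty list. To use it on a real Terraform file, render the policy with `terraform show -json` or extract the jsonencode() argument and feed the resulting JSON string to wildcard_actions().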