Wildcard principal specified in REST API access policy Affecting API Gateway (REST APIs) service in AWS
Severity Framework: Snyk CCSS
Rule category: IAM / Access
Frameworks
CSA-CCM
ISO-27001
SOC-2
- Snyk ID: SNYK-CC-00288
- Credit: Snyk Research Team
Description
A wildcard principal ("*" or {"AWS": "*"}) in an Allow statement of the REST API resource policy grants execute-api:Invoke to every caller the statement matches, not just IAM entities in your own account: any principal in any AWS account, and, with the bare "*", unauthenticated callers as well (unless the method itself enforces another authorizer). The API is effectively public for the actions and resources named in that statement.
How to fix?
Set the Principal attribute of each Allow statement to the specific entities that should be able to invoke the API, for example arn:aws:iam::123456789012:user/JohnDoe. A Condition (such as aws:SourceIp) narrows the grant but does not replace a specific principal.
Example Configuration
# Resource policy for the REST API: only the named IAM user may invoke it,
# and only from one source address. Terraform interpolates the heredoc, so
# the execution ARN must be written as ${...}; a bare resource reference
# inside the JSON would be sent to AWS as a literal string. The trailing /*
# matches every stage, method and path under the API.
resource "aws_api_gateway_rest_api_policy" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/test-user"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "${aws_api_gateway_rest_api.example.execution_arn}/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "123.123.123.123/32"
        }
      }
    }
  ]
}
EOF
}
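The check below is an added example, not Snyk's rule engine and not code from this page: a small Python function that scans a rendered IAM policy document for the misconfiguration this rule describes. It recognises the three shapes a wildcard principal can take ("*", {"AWS": "*"}, and a list containing "*"), flags only Allow statements, and ignores Deny statements, since a Deny on "*" is the usual way to fence an API rather than a finding. The two policy documents are constructed for the example; the API ID, region and account number in them are placeholders.

```python
import json

# Constructed sample policies (not from the page). The first is the weak
# setting this rule flags; the second is the scoped form with a Deny fence.
WILDCARD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abc123/*"
    }
  ]
}"""

SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:user/test-user"]},
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abc123/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "123.123.123.123/32"}}
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abc123/*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "123.123.123.123/32"}}
    }
  ]
}"""


def _as_list(value):
    """IAM allows most elements to be a single value or a list; normalise."""
    return value if isinstance(value, list) else [value]


def wildcard_principals(principal):
    """Return the wildcard entries in a Principal element.

    Shapes handled: the bare string "*" (any caller, including anonymous),
    a map such as {"AWS": "*"} (any AWS principal), and a map whose values
    are lists, e.g. {"AWS": ["arn:aws:iam::123456789012:root", "*"]}.
    A plain account ID or ARN is a specific principal and is not reported.
    """
    if principal == "*":
        return ["*"]
    found = []
    if isinstance(principal, dict):
        for ptype, members in principal.items():
            for member in _as_list(members):
                if member == "*":
                    found.append(f"{ptype}:*")
    return found


def find_wildcard_allow(policy_json):
    """Return (statement_index, wildcard) pairs for every Allow statement
    whose Principal contains a wildcard. Deny statements are skipped."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for wildcard in wildcard_principals(stmt["Principal"]):
            findings.append((idx, wildcard))
    return findings


if __name__ == "__main__":
    for name, doc in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcard_allow(doc))
```

Run it against the JSON that Terraform actually renders (for example from `terraform show -json`), not against the HCL source, so that interpolations such as the execution ARN have already been resolved.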