CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Using a wildcard principal grants unnecessary access to any IAM entity in the account.
Set the Principal attribute in the policy to specific entities, for example arn:aws:iam::123456789012:user/JohnDoe.
Example configuration:
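# Resource policy that allows invocation only by one named IAM user,
# and only from a single source IP address.
resource "aws_api_gateway_rest_api_policy" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id

  # The execution ARN must be interpolated with ${...}; a bare reference
  # inside the heredoc would be passed to AWS as a literal string.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/test-user"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "${aws_api_gateway_rest_api.example.execution_arn}/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "123.123.123.123/32"
        }
      }
    }
  ]
}
EOF
}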
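The check this rule describes can be run against a rendered policy document before it is applied. The following is an added example, not code from the rule's vendor: the function name and both sample policies are constructed for illustration, and it flags only Allow statements whose Principal is or contains "*".

```python
import json


def _as_list(value):
    """IAM policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def wildcard_principal_statements(policy_json):
    """Return the indexes of Allow statements whose Principal contains "*"."""
    policy = json.loads(policy_json)
    flagged = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement does not grant access
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            # {"AWS": "*"} and {"AWS": ["*", ...]} are both wildcard grants
            values = [v for entry in principal.values() for v in _as_list(entry)]
        else:
            values = _as_list(principal)  # bare "Principal": "*"
        if "*" in values:
            flagged.append(index)
    return flagged


# Constructed sample: statement 0 is a Deny, statement 1 is the weak Allow.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "123.123.123.123/32"}}},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "execute-api:Invoke", "Resource": "*"},
    ],
})

# Constructed sample mirroring the remediated configuration above.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/test-user"]},
         "Action": "execute-api:Invoke", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(wildcard_principal_statements(WEAK_POLICY))
    print(wildcard_principal_statements(FIXED_POLICY))
```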