Severity Framework
Snyk CCSS
Rule category
IAM / Access Control
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00710
- credit Snyk Research Team
Description
An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. Permissions boundaries that are too broad present an opportunity for an IAM entity to exceed its intended set of permissions.
How to fix?
Update the IAM policy referred to by the permissions_boundary attribute of aws_iam_role or aws_iam_user to be less permissible.
Example Configuration
resource "aws_iam_role" "valid-role-1" {
name = "valid-role-1"
permissions_boundary = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
# other required fields here
}
resource "aws_iam_role" "valid-role-1" {
name = "valid-role-1"
permissions_boundary = aws_iam_policy.policy1.arn
# other required fields here
}
resource "aws_iam_policy" "policy1" {
name = "policy1"
path = "/"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:ListUsers",
]
Effect = "Allow"
Resource = "*"
},
]
})
}