CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. Permissions boundaries that are too broad present an opportunity for an IAM entity to exceed its intended set of permissions.
Update the IAM policy referred to by the permissions_boundary attribute of aws_iam_role or aws_iam_user to be less permissive.

resource "aws_iam_role" "valid-role-1" {
  name                 = "valid-role-1"
  permissions_boundary = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
  # other required fields here
}

resource "aws_iam_role" "valid-role-1" {
  name                 = "valid-role-1"
  permissions_boundary = aws_iam_policy.policy1.arn
  # other required fields here
}

resource "aws_iam_policy" "policy1" {
  name = "policy1"
  path = "/"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:ListUsers",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
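
The following added example (not part of the original page and not the rule's own logic) models the intersection described above: an action is effective only when both the identity-based policy and the boundary allow it, so a wildcard boundary restricts nothing. The sample policies, the constructed ARN, and the breadth test (an Allow of `*` on `*`) are assumptions; only `Action`, `Resource` and `Effect` are evaluated, and `Condition`, `NotAction` and `NotResource` are ignored.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are matched as-is.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def allows(policy, action, resource):
    """An explicit Deny wins; otherwise at least one Allow must match."""
    stmts = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in stmts)

def effective(identity, boundary, action, resource):
    """Allowed only when the identity-based policy AND the boundary both allow it."""
    return allows(identity, action, resource) and allows(boundary, action, resource)

def broad_statements(boundary):
    """Assumed breadth test: Allow statements granting every action on every resource."""
    return [s for s in _as_list(boundary["Statement"])
            if s["Effect"] == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]

# Constructed sample policies; NARROW_BOUNDARY mirrors policy1 from the page.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"}]}
BROAD_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NARROW_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["iam:ListUsers"], "Resource": "*"}]}
USER_ARN = "arn:aws:iam::123456789012:user/example"  # constructed placeholder ARN

if __name__ == "__main__":
    for name, boundary in (("broad", BROAD_BOUNDARY), ("narrow", NARROW_BOUNDARY)):
        print(name,
              "CreateUser:", effective(IDENTITY, boundary, "iam:CreateUser", USER_ARN),
              "ListUsers:", effective(IDENTITY, boundary, "iam:ListUsers", USER_ARN),
              "flagged:", len(broad_statements(boundary)))
```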