IAM Delegated admin is misconfigured Affecting IAM service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: IAM / Accounts Allocation

  • Snyk ID SNYK-CC-00711
  • credit Snyk Research Team

Description

AWS IAM delegated administrators can create IAM entities, but the policy that grants them this ability must require a permissions boundary on every entity they create. Omitting the iam:PermissionsBoundary condition leaves the door open to privilege escalation: the delegated administrator could create an entity with broader permissions than its own.

How to fix?

Update the IAM policy attached to the aws_iam_role or aws_iam_user so that the statement granting the delegated administrator its create permissions carries the proper Condition on iam:PermissionsBoundary.

Example Configuration

# Delegated-administrator user; policy1 below is applied as its permissions boundary.
resource "aws_iam_user" "valid-user-1" {
  name = "valid-user-1"

  permissions_boundary = aws_iam_policy.policy1.arn
  # other required fields here
}

resource "aws_iam_policy" "policy1" {
  name = "policy1"
  path = "/"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["iam:Create*"]
        Effect   = "Allow"
        Resource = "*"
        # Only allow creating IAM entities that carry the required permissions boundary.
        # Replace <iam-policy-arn> with the ARN of the boundary policy to enforce.
        Condition = {
          "StringEquals" = {
            "iam:PermissionsBoundary" = "<iam-policy-arn>",
          }
        }
      },
    ]
  })
}
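To check existing policy documents for this misconfiguration before applying them, here is an added example (not Snyk's rule implementation) that scans the JSON policy a delegated administrator receives and flags Allow statements whose Action patterns cover iam:CreateUser or iam:CreateRole but carry no iam:PermissionsBoundary condition. It goes slightly beyond the page's example by expanding IAM wildcards (iam:Create*, iam:*, *) and accepting any Condition operator; the sample policy and its Sids are constructed for the demonstration.

```python
import fnmatch
import json

# Entity-creating actions a delegated admin must only use with a boundary.
GUARDED = ("iam:CreateUser", "iam:CreateRole")


def _listify(value):
    # IAM accepts a bare string or a list for Action and Statement.
    return value if isinstance(value, list) else [value] if value else []


def grants_entity_creation(statement):
    """Allow statement whose Action patterns (e.g. iam:Create*, iam:*, *) cover GUARDED."""
    if statement.get("Effect") != "Allow":
        return False
    patterns = [p.lower() for p in _listify(statement.get("Action"))]
    # IAM action matching is case-insensitive with * and ? wildcards.
    return any(fnmatch.fnmatchcase(a.lower(), p) for a in GUARDED for p in patterns)


def requires_boundary(statement):
    """True if any Condition operator constrains the iam:PermissionsBoundary key."""
    return any(key.lower() == "iam:permissionsboundary"
               for operator_map in statement.get("Condition", {}).values()
               for key in operator_map)


def find_unbounded_create_statements(policy_json):
    """Return Sid (or index) of Allow statements that create IAM entities
    without a permissions-boundary condition."""
    document = json.loads(policy_json)
    return [stmt.get("Sid", i)
            for i, stmt in enumerate(_listify(document.get("Statement")))
            if grants_entity_creation(stmt) and not requires_boundary(stmt)]


# Constructed sample: "Unbounded" is the misconfiguration, "Bounded" mirrors the
# fixed policy on this page (boundary ARN left as a placeholder), "ReadOnly" is fine.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Unbounded", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "Bounded", "Effect": "Allow", "Action": ["iam:Create*"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": "<iam-policy-arn>"}}},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"],
         "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(find_unbounded_create_statements(SAMPLE_POLICY))  # ['Unbounded']
```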