Homepage

IAM policy allows privilege escalation Affecting IAM service in AWS

Severity

0.0
high
0
10
Severity Framework
Snyk CCSS
Rule category
IAM/ Access

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00752
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

IAM policies grant permissions that can be exploited to escalate privileges. Privilege escalation can lead to unauthorized access to resources and administrative functions, compromising the security posture of the cloud environment.

How to fix?

Ensure that the policy.Statement.Action attribute in aws_iam_policy, aws_iam_user_policy, aws_iam_role_policy, aws_iam_group_policy, and aws_iam_role resource is not set to a value from the below list.

["*", "iam:*", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:UpdateAccessKey", "iam:CreateServiceSpecificCredential", "iam:ResetServiceSpecificCredential", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole", "iam:UploadSSHPublicKey", "iam:DeactivateMFADevice", "iam:ResyncMFADevice", "iam:UpdateSAMLProvider", "iam:ListSAMLProviders", "iam:UpdateOpenIDConnectProviderThumbprint", "iam:ListOpenIDConnectProviders"]

Example configuration:

resource "aws_iam_user" "aws-user" {
  name          = "basic_user"
  force_destroy = true
}

resource "aws_iam_policy" "allowed-policy" {
  name        = "test_policy-iam"
  path        = "/"
  description = "My test policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:CreateUser",
          "iam:DeleteUserPolicy",
          "iam:CreateGroup",
          "iam:ListGroups"
        ]
        Effect   = "Allow"
        Resource = "arn:aws:iam::*:user/$${aws:username}"
      },
      {
        Action   = ["iam:*"]
        Effect   = "Deny"
        Resource = "arn:aws:iam::*:user/$${aws:username}"
      },
    ]
  })
}

resource "aws_iam_policy_attachment" "allowed-attachment" {
  name       = "iam_policy_attachment"
  users      = [aws_iam_user.aws-user.name]
  policy_arn = aws_iam_policy.allowed-policy.arn
}

data "aws_iam_policy_document" "assume-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:user/terraform-snyk"]
    }
  }
}

resource "aws_iam_role" "allowed-role" {
  name               = "test_inline_policy_role"
  assume_role_policy = data.aws_iam_policy_document.assume-policy.json

  inline_policy {
    name = "my_inline_policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action = [
            "iam:CreateUser",
            "iam:DeleteUserPolicy",
            "iam:CreateGroup",
            "iam:ListGroups"
          ]
          Effect   = "Allow"
          Resource = "arn:aws:iam::*:user/$${aws:username}"
        },
        {
          Action   = ["iam:*"]
          Effect   = "Deny"
          Resource = "arn:aws:iam::*:user/$${aws:username}"
        },
      ]
    })
  }
}