IAM policy allows privilege escalation Affecting IAM service in AWS


Severity

0.0
high
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    IAM / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
  • Snyk ID SNYK-CC-00752
  • credit Snyk Research Team

Description

IAM policies grant permissions that can be exploited to escalate privileges. Privilege escalation can lead to unauthorized access to resources and administrative functions, compromising the security posture of the cloud environment.

How to fix?

Ensure that the policy.Statement.Action attribute in aws_iam_policy, aws_iam_user_policy, aws_iam_role_policy, aws_iam_group_policy, and aws_iam_role resource is not set to a value from the below list.

["*", "iam:*", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:UpdateAccessKey", "iam:CreateServiceSpecificCredential", "iam:ResetServiceSpecificCredential", "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole", "iam:UploadSSHPublicKey", "iam:DeactivateMFADevice", "iam:ResyncMFADevice", "iam:UpdateSAMLProvider", "iam:ListSAMLProviders", "iam:UpdateOpenIDConnectProviderThumbprint", "iam:ListOpenIDConnectProviders"]

Example Configuration

resource "aws_iam_user" "aws-user" {
  name          = "basic_user"
  force_destroy = true
}

resource "aws_iam_policy" "allowed-policy" {
  name        = "test_policy-iam"
  path        = "/"
  description = "My test policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:CreateUser",
          "iam:DeleteUserPolicy",
          "iam:CreateGroup",
          "iam:ListGroups"
        ]
        Effect   = "Allow"
        Resource = "arn:aws:iam::*:user/$${aws:username}"
      },
      {
        Action   = ["iam:*"]
        Effect   = "Deny"
        Resource = "arn:aws:iam::*:user/$${aws:username}"
      },
    ]
  })
}

resource "aws_iam_policy_attachment" "allowed-attachment" {
  name       = "iam_policy_attachment"
  users      = [aws_iam_user.aws-user.name]
  policy_arn = aws_iam_policy.allowed-policy.arn
}

data "aws_iam_policy_document" "assume-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:user/terraform-snyk"]
    }
  }
}

resource "aws_iam_role" "allowed-role" {
  name               = "test_inline_policy_role"
  assume_role_policy = data.aws_iam_policy_document.assume-policy.json

  inline_policy {
    name = "my_inline_policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action = [
            "iam:CreateUser",
            "iam:DeleteUserPolicy",
            "iam:CreateGroup",
            "iam:ListGroups"
          ]
          Effect   = "Allow"
          Resource = "arn:aws:iam::*:user/$${aws:username}"
        },
        {
          Action   = ["iam:*"]
          Effect   = "Deny"
          Resource = "arn:aws:iam::*:user/$${aws:username}"
        },
      ]
    })
  }
}