terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal
Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.
Definition
# Semgrep rule (Terraform/HCL): flag an aws_glacier_vault whose access_policy
# contains an "Allow" statement addressed to a wildcard principal.
rules:
  - id: aws-glacier-vault-any-principal
    patterns:
      # Scope the match to attributes inside an aws_glacier_vault resource.
      - pattern-inside: |
          resource "aws_glacier_vault" $ANYTHING {
            ...
          }
      # Bind the policy document string (a heredoc in the test file) to $STATEMENT.
      - pattern: access_policy = "$STATEMENT"
      # Re-parse the bound string as JSON and match on the policy structure.
      - metavariable-pattern:
          metavariable: $STATEMENT
          language: json
          patterns:
            # Only "Allow" statements grant access; a "*" principal under
            # "Deny" is not reported (see my_archive1 in the test file).
            - pattern-inside: |
                {..., "Effect": "Allow", ...}
            - pattern-either:
                # Bare wildcard principal.
                - pattern: |
                    "Principal": "*"
                # Wildcard in the "AWS" principal entry.
                - pattern: |
                    "Principal": {..., "AWS": "*", ...}
                # IAM ARN whose account-id field is "*" (e.g. arn:aws:iam::*:role/...).
                # NOTE(review): the registry rendering lost the indentation, so it is
                # unclear whether the next two entries are one conjunction (grouped
                # under a `patterns:` operator) or two independent alternatives of
                # this pattern-either. A bare pattern-inside alternative would match
                # any "Principal" map that has an "AWS" key, wildcard or not -- confirm
                # against the source rule and a fixture that uses only a specific
                # "AWS" ARN.
                - pattern-inside: |
                    "Principal": {..., "AWS": ..., ...}
                - pattern-regex: |
                    (^\"arn:aws:iam::\*:(.*)\"$)
    # NOTE(review): "anyone within your AWS account ID" may understate the risk --
    # a "*" principal on a resource-based policy is not scoped to the owning
    # account; confirm the intended wording before relying on this message.
    message: "Detected wildcard access granted to Glacier Vault. This means anyone
      within your AWS account ID can perform actions on Glacier resources.
      Instead, limit to a specific identity in your account, like this:
      `arn:aws:iam::<account_id>:<identity>`."
    metadata:
      category: security
      technology:
        - aws
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      references:
        - https://cwe.mitre.org/data/definitions/732.html
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: ERROR
Examples
aws-glacier-vault-any-principal.tf
# pass: the "*" principal sits in an "Effect": "Deny" statement, which grants
# nothing, so the rule does not report it.
resource "aws_glacier_vault" "my_archive1" {
  name = "MyArchive"

  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": "*",
          "Effect": "Deny",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
}
EOF
}
# fail: the "AWS" principal list mixes a specific role ARN with "*" in an
# "Allow" statement; the wildcard entry is what the rule reports.
resource "aws_glacier_vault" "my_archive2" {
  name = "MyArchive"

  # ruleid: aws-glacier-vault-any-principal
  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": {
             "AWS": [
                "arn:aws:iam::123456789101:role/vault-reader",
                "*"
             ]
          },
          "Effect": "Allow",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
}
EOF
}
# fail: the account-id field of the "AWS" principal ARN is "*"
# (arn:aws:iam::*:role/...), which the rule's regex alternative targets.
resource "aws_glacier_vault" "my_archive3" {
  name = "MyArchive"

  # ruleid: aws-glacier-vault-any-principal
  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": {
             "AWS": "arn:aws:iam::*:role/vault-reader"
          },
          "Effect": "Allow",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
}
EOF
}
# fail: "AWS": "*" inside the "Principal" map of an "Allow" statement.
resource "aws_glacier_vault" "my_archive4" {
  name = "MyArchive"

  # ruleid: aws-glacier-vault-any-principal
  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": {
             "AWS": "*"
          },
          "Effect": "Allow",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
}
EOF
}
# fail: bare "Principal": "*" in an "Allow" statement -- the simplest
# wildcard form the rule looks for.
resource "aws_glacier_vault" "my_archive5" {
  name = "MyArchive"

  # ruleid: aws-glacier-vault-any-principal
  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": "*",
          "Effect": "Allow",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
}
EOF
}
# pass: the principal is a single, fully qualified role ARN with a concrete
# account id, so no wildcard is present.
resource "aws_glacier_vault" "my_archive6" {
  name = "MyArchive"

  access_policy = <<EOF
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid": "add-read-only-perm",
          "Principal": "arn:aws:iam::123456789101:role/vault-reader",
          "Effect": "Allow",
          "Action": [
             "glacier:InitiateJob",
             "glacier:GetJobOutput"
          ],
          "Resource": "arn:aws:glacier:eu-west-1:432981146916:vaults/MyArchive"
       }
    ]
}
EOF
}