terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin
Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit the actions and resources to only those you need, following the principle of least privilege.
Definition
# Semgrep rule: report IAM Identity Center (SSO) permission-set inline policies
# in Terraform (HCL) that grant wildcard ("*") actions and/or resources, i.e.
# effectively administrative access.
rules:
  - id: aws-iam-admin-policy-ssoadmin
    patterns:
      # Only look inside aws_ssoadmin_permission_set_inline_policy resources;
      # $ANYTHING binds the resource label so any name is accepted.
      - pattern-inside: |
          resource "aws_ssoadmin_permission_set_inline_policy" $ANYTHING {
            ...
          }
      # Bind the policy document string to $STATEMENT so it can be parsed below.
      - pattern: inline_policy = "$STATEMENT"
      # Re-parse the bound string as JSON and apply the statement-level
      # patterns to the parsed document.
      - metavariable-pattern:
          metavariable: $STATEMENT
          language: json
          patterns:
            # A wildcard inside a Deny statement restricts rather than grants,
            # so such statements are excluded from every branch below.
            - pattern-not-inside: |
                {..., "Effect": "Deny", ...}
            # Any one of these shapes is reported. Only the literal string "*"
            # is matched; service-scoped wildcards such as "s3:*" and
            # "NotAction"/"NotResource" forms are not covered as written.
            - pattern-either:
              # Action list containing "*" together with a Resource list
              # containing "*".
              - pattern: >
                  {..., "Action": [..., "*", ...], "Resource": [..., "*",
                  ...], ...}
              # Both Action and Resource are the bare string "*".
              - pattern: |
                  {..., "Action": "*", "Resource": "*", ...}
              # Action is "*" and Resource is any list ([...] matches any
              # array, whatever it contains).
              - pattern: |
                  {..., "Action": "*", "Resource": [...], ...}
              # Resource is "*" and Action is any list. NOTE(review): because
              # [...] matches any array, this branch also fires on a narrow
              # action list that merely uses Resource "*" — confirm that
              # breadth is intended.
              - pattern: |
                  {..., "Action": [...], "Resource": "*", ...}
    message: Detected admin access granted in your policy. This means anyone with
      this policy can perform administrative actions. Instead, limit actions and
      resources to what you need according to least privilege.
    metadata:
      category: security
      technology:
        - aws
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      references:
        - https://cwe.mitre.org/data/definitions/732.html
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    # Rule applies to Terraform/HCL sources only; the JSON matching above is
    # driven by the metavariable-pattern, not by this list.
    languages:
      - hcl
    severity: ERROR
Examples
aws-iam-admin-policy-ssoadmin.tf
# Negative example: every action is named explicitly (the "s3:ListBucket*" and
# "s3:Get*" prefixes are not the bare "*" the rule looks for) and every resource
# is a specific bucket ARN, so no branch of the rule matches.
resource "aws_ssoadmin_permission_set_inline_policy" "pass1" {
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  # ok: aws-iam-admin-policy-ssoadmin
  inline_policy = <<POLICY
{
"Statement": [
{
"Action": [
"s3:ListBucket*",
"s3:HeadBucket",
"s3:Get*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::b1",
"arn:aws:s3:::b1/*",
"arn:aws:s3:::b2",
"arn:aws:s3:::b2/*"
],
"Sid": ""
},
{
"Action": "s3:PutObject*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::b1/*",
"Sid": ""
}
],
"Version": "2012-10-17"
}
POLICY
}
# Positive example: the Action list contains the bare "*" and the Resource list
# also contains "*", which is the first shape the rule reports (wildcard in both
# lists); the named entries alongside the wildcards are irrelevant to the match.
resource "aws_ssoadmin_permission_set_inline_policy" "fail1" {
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  # ruleid: aws-iam-admin-policy-ssoadmin
  inline_policy = <<POLICY
{
"Statement": [
{
"Action": [
"s3:HeadBucket",
"*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::b1",
"arn:aws:s3:::b1/*",
"*"
],
"Sid": ""
}
],
"Version": "2012-10-17"
}
POLICY
}