terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy
Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
Definition
# Flags IAM policy documents embedded in an aws_iam_policy resource whose
# statement grants wildcard ("*") actions and/or resources without an
# explicit "Effect": "Deny".
rules:
- id: aws-iam-admin-policy
  patterns:
  # Restrict the search to aws_iam_policy resources; $ANYTHING binds the
  # resource label and is not otherwise used.
  - pattern-inside: |
      resource "aws_iam_policy" $ANYTHING {
        ...
      }
  # The policy attribute must be a string (a heredoc in the example file);
  # its contents are re-parsed as JSON by the metavariable-pattern below.
  # NOTE(review): a policy produced by jsonencode(...) or referenced from a
  # data source is not a string literal here and presumably is not matched.
  - pattern: policy = "$STATEMENT"
  - metavariable-pattern:
      metavariable: $STATEMENT
      language: json
      patterns:
      # Statements carrying "Effect": "Deny" are never reported. A statement
      # with no "Effect" key at all is still reported (see example fail4).
      - pattern-not-inside: |
          {..., "Effect": "Deny", ...}
      - pattern-either:
        # Both Action and Resource are arrays that each contain "*".
        - pattern: >
            {..., "Action": [..., "*", ...], "Resource": [..., "*",
            ...], ...}
        # Both Action and Resource are the bare string "*".
        - pattern: |
            {..., "Action": "*", "Resource": "*", ...}
        # Action is "*" and Resource is any array. [...] matches the array
        # whether or not it contains "*", so every-action grants scoped to
        # named ARNs are reported as well.
        - pattern: |
            {..., "Action": "*", "Resource": [...], ...}
        # Resource is "*" and Action is any array.
        # NOTE(review): this also fires for a narrow action list on "*"
        # (e.g. a single read-only action), which is over-broad but not
        # admin access as the message states; confirm the breadth is intended.
        - pattern: |
            {..., "Action": [...], "Resource": "*", ...}
  message: Detected admin access granted in your policy. This means anyone with
    this policy can perform administrative actions. Instead, limit actions and
    resources to what you need according to least privilege.
  metadata:
    category: security
    technology:
    - aws
    - terraform
    owasp:
    - A05:2021 - Security Misconfiguration
    cwe:
    - "CWE-732: Incorrect Permission Assignment for Critical Resource"
    references:
    - https://cwe.mitre.org/data/definitions/732.html
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Improper Authorization
  # The rule parses Terraform (HCL); the JSON parsing happens only inside
  # the metavariable-pattern above.
  languages:
  - hcl
  severity: ERROR
Examples
aws-iam-admin-policy.tf
# Least-privilege baseline: scoped S3 read actions on two named buckets and a
# single write action on one prefix. Neither Action nor Resource contains "*",
# so none of the rule's patterns should match this resource.
resource "aws_iam_policy" "pass1" {
  name = "pass1"
  path = "/"
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket*",
        "s3:HeadBucket",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::b1",
        "arn:aws:s3:::b1/*",
        "arn:aws:s3:::b2",
        "arn:aws:s3:::b2/*"
      ],
      "Sid": ""
    },
    {
      "Action": "s3:PutObject*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::b1/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
# Exercises the array form of the rule: "*" appears as one element among
# others in both the Action and the Resource arrays, alongside an explicit
# Allow. The finding is expected on the policy attribute below.
resource "aws_iam_policy" "fail1" {
  name = "fail1"
  path = "/"
  # the policy doesn't actually make sense, but it tests checking arrays for *
  # ruleid: aws-iam-admin-policy
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:HeadBucket",
        "*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::b1",
        "arn:aws:s3:::b1/*",
        "*"
      ],
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
# Single-element arrays: Action and Resource are each ["*"] with an explicit
# Allow. Covered by the array/array pattern; the finding is expected on the
# policy attribute below.
resource "aws_iam_policy" "fail2" {
  name = "fail2"
  path = "/"
  # ruleid: aws-iam-admin-policy
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
# Bare-string form: Action and Resource are both the string "*" with an
# explicit Allow. Covered by the string/string pattern; the finding is
# expected on the policy attribute below.
resource "aws_iam_policy" "fail3" {
  name = "fail3"
  path = "/"
  # ruleid: aws-iam-admin-policy
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
# Same as fail3 but with the "Effect" key omitted entirely. The rule only
# excludes statements that carry "Effect": "Deny", so a statement with no
# Effect is still reported; the finding is expected on the policy attribute
# below.
resource "aws_iam_policy" "fail4" {
  name = "fail4"
  path = "/"
  # implicit allow, not actually valid, but it's a default that we check
  # ruleid: aws-iam-admin-policy
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}
# Wildcard Action and Resource under an explicit "Effect": "Deny". The rule's
# pattern-not-inside on the Deny effect suppresses this statement, so no
# finding is expected even though the wildcards match the other patterns.
resource "aws_iam_policy" "pass2" {
  name = "pass2"
  path = "/"
  # deny
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Deny",
      "Resource": "*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}