terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal


Detected an `aws_kms_key` whose inline key policy contains an `Allow` statement that grants `kms:*` on every resource to a wildcard principal (`*`). Because the principal is unrestricted, any IAM principal in any AWS account (subject only to that principal's own IAM permissions) can perform administrative and cryptographic operations on the key. Restrict principals, actions and resources to what is actually required (least privilege); if a wildcard principal is unavoidable, constrain it with a `Condition` — note that this rule reports the statement whether or not a `Condition` is present.


Definition

# Semgrep rule: report an aws_kms_key whose inline policy string contains an
# Allow statement granting "kms:*" on "*" to a wildcard principal.
rules:
  - id: aws-kms-key-wildcard-principal
    patterns:
      # Restrict matching to aws_kms_key resources, whatever their local name.
      - pattern-inside: |
          resource "aws_kms_key" $ANYTHING {
            ...
          }
      # Capture the policy as a string literal (the examples below show heredoc
      # policies are matched).  A policy taken from a data source, module output
      # or variable is not a string literal here and is not inspected.
      - pattern: policy = "$STATEMENT"
      # Re-parse the captured string as JSON and search its statements.
      - metavariable-pattern:
          metavariable: $STATEMENT
          language: json
          patterns:
            # A wildcard principal inside a Deny statement is not a grant; skip it.
            - pattern-not-inside: |
                {..., "Effect": "Deny", ...}
            # Four spellings of a wildcard principal.  Every alternative also
            # requires Action to be exactly the string "kms:*" and Resource to
            # be exactly the string "*".  Consequently an Allow to "*" with
            # "Action": "*", an action list such as ["kms:*"], a narrower action
            # set (e.g. a single kms:Decrypt), or "Resource": ["*"] is NOT
            # reported.  No Condition is examined, so a wildcard principal that
            # is narrowed by a Condition block is still reported.
            - pattern-either:
                # "Principal": "*"
                - pattern: >
                    {..., "Principal": "*", "Action": "kms:*", "Resource": "*",
                    ...}
                # "Principal": [..., "*", ...]
                - pattern: >
                    {..., "Principal": [..., "*", ...], "Action": "kms:*",
                    "Resource": "*", ...}
                # "Principal": { "AWS": "*" }
                - pattern: >
                    {..., "Principal": { "AWS": "*" }, "Action": "kms:*",
                    "Resource": "*", ...}
                # "Principal": { "AWS": [..., "*", ...] }
                - pattern: >
                    {..., "Principal": { "AWS": [..., "*", ...] }, "Action":
                    "kms:*", "Resource": "*", ...}
    message: Detected wildcard access granted in your KMS key. This means anyone
      with this policy can perform administrative actions over the keys.
      Instead, limit principals, actions and resources to what you need
      according to least privilege.
    metadata:
      category: security
      technology:
        - aws
        - terraform
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      references:
        - https://cwe.mitre.org/data/definitions/732.html
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    # Terraform (HCL) is the host language; the policy body is re-parsed as JSON above.
    languages:
      - hcl
    severity: ERROR

Examples

aws-kms-key-wildcard-principal.tf

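# Two Allow statements: the first is scoped to a single account root and is
# acceptable on its own; the second grants kms:* on * to "AWS": "*" and is what
# the rule reports.  The statement array has no trailing comma so the document
# is strict JSON, as AWS requires of a real key policy.
resource "aws_kms_key" "fail_0" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}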

# Top-level Principal given as a list that contains "*" next to a named
# principal; matched by the [..., "*", ...] alternative of the rule.
resource "aws_kms_key" "fail_1" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": ["foo","*"],
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}

# Bare "Principal": "*" string; matched by the first alternative of the rule.
resource "aws_kms_key" "fail_2" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}

# NOTE(review): this fixture is byte-for-byte the same policy as fail_1 and adds
# no coverage; a distinct case (for example the { "AWS": [...] } list form on
# its own, or a policy without a preceding account-root statement) would be
# more useful here.
resource "aws_kms_key" "fail_3" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": ["foo","*"],
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}

# "AWS" principal list that mixes a real account ARN with "*"; the "*" entry
# makes the whole grant wildcard and the { "AWS": [..., "*", ...] } alternative
# reports it.  The first statement (account root only) is not reported.
resource "aws_kms_key" "fail_4" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [ 
          "arn:aws:iam::111122223333:root",
          "*"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }   
  ]
}
POLICY  
}

# Negative case: kms:* on * is granted, but only to a single account root, so
# no wildcard principal is present and the rule stays silent.
resource "aws_kms_key" "pass_0" {
  description = "description"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}

# Negative case: the wildcard principal appears in a Deny statement, which the
# rule's pattern-not-inside on "Effect": "Deny" excludes.
resource "aws_kms_key" "pass_1" {
  description = "description"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}

# Negative case: a single non-wildcard principal string.  "foo" is only a
# placeholder for the matcher; AWS would not accept it as a real principal.
resource "aws_kms_key" "pass_2" {
  description = "description"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "foo",
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}

# Negative case: a principal list with no "*" element; the [..., "*", ...]
# alternative requires the literal "*" to be present and so does not match.
resource "aws_kms_key" "pass_3" {
  description = "description"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": ["foo","bar"],
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY  
}