terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal
Detected wildcard access granted in your KMS key policy. This means any principal covered by the wildcard can perform administrative actions on the key. Instead, limit principals, actions and resources to what you need, according to least privilege.
Definition
# Semgrep rule: report aws_kms_key resources whose inline key policy contains an
# Allow statement that grants the full "kms:*" action set to a wildcard principal.
rules:
- id: aws-kms-key-wildcard-principal
  patterns:
  # Only look inside aws_kms_key resource blocks; the resource name itself is
  # unconstrained ($ANYTHING).
  - pattern-inside: |
      resource "aws_kms_key" $ANYTHING {
        ...
      }
  # Bind the policy argument. Only a policy written as a string literal (the
  # heredoc form used in the examples) binds $STATEMENT.
  # NOTE(review): a policy produced by jsonencode() or read from a
  # data.aws_iam_policy_document presumably does not bind here and is not
  # inspected — confirm.
  - pattern: policy = "$STATEMENT"
  # Re-parse the bound policy string as JSON and inspect its statements.
  - metavariable-pattern:
      metavariable: $STATEMENT
      language: json
      patterns:
      # Deny statements are never reported, whatever their principal is.
      - pattern-not-inside: |
          {..., "Effect": "Deny", ...}
      # The four JSON shapes a wildcard principal can take. Every variant
      # requires Action to be exactly the string "kms:*" and Resource exactly
      # the string "*": list-valued forms such as ["kms:*"] and the broader
      # "*" action are not matched. The surrounding "..." allow any other keys
      # in the statement, so a Condition element does not suppress the finding.
      - pattern-either:
        # "Principal": "*"
        - pattern: >
            {..., "Principal": "*", "Action": "kms:*", "Resource": "*",
            ...}
        # "Principal": [ ..., "*", ... ]
        - pattern: >
            {..., "Principal": [..., "*", ...], "Action": "kms:*",
            "Resource": "*", ...}
        # "Principal": { "AWS": "*" }
        - pattern: >
            {..., "Principal": { "AWS": "*" }, "Action": "kms:*",
            "Resource": "*", ...}
        # "Principal": { "AWS": [ ..., "*", ... ] }
        - pattern: >
            {..., "Principal": { "AWS": [..., "*", ...] }, "Action":
            "kms:*", "Resource": "*", ...}
  message: Detected wildcard access granted in your KMS key. This means anyone
    with this policy can perform administrative actions over the keys.
    Instead, limit principals, actions and resources to what you need
    according to least privilege.
  metadata:
    category: security
    technology:
    - aws
    - terraform
    owasp:
    - A05:2021 - Security Misconfiguration
    cwe:
    - "CWE-732: Incorrect Permission Assignment for Critical Resource"
    references:
    - https://cwe.mitre.org/data/definitions/732.html
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Improper Authorization
  # HCL is the Terraform language; the JSON policy is handled by the
  # metavariable-pattern above, not by this list.
  languages:
  - hcl
  severity: ERROR
Examples
aws-kms-key-wildcard-principal.tf
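# fail_0: the usual "account root is key administrator" statement followed by a
# second Allow statement whose Principal is {"AWS": "*"}, i.e. every AWS
# principal is granted kms:* on the key. The second statement is what the rule
# reports (Principal object with a wildcard "AWS" value).
# The trailing comma that followed the second statement was removed so the
# policy is valid JSON.
resource "aws_kms_key" "fail_0" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}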
# fail_1: Principal is a list that contains "*" next to a named entry, so the
# kms:* grant on every resource applies to any principal. Matches the
# "Principal": [..., "*", ...] variant of the rule.
resource "aws_kms_key" "fail_1" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": ["foo","*"],
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# fail_2: the bare "Principal": "*" form, the simplest way to grant kms:* to
# everyone. Matches the first pattern-either variant of the rule.
resource "aws_kms_key" "fail_2" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# fail_3: Principal list containing "*"; reported through the
# "Principal": [..., "*", ...] variant.
# NOTE(review): this fixture is byte-for-byte the same policy as fail_1; it may
# have been intended to cover a different principal shape — confirm.
resource "aws_kms_key" "fail_3" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": ["foo","*"],
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# fail_4: the account root statement is fine on its own, but the second
# statement lists "*" inside "Principal": { "AWS": [...] }, which grants kms:*
# to any principal. Matches the "Principal": { "AWS": [..., "*", ...] }
# variant of the rule.
resource "aws_kms_key" "fail_4" {
  description = "description"
  # ruleid: aws-kms-key-wildcard-principal
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"*"
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# pass_0: kms:* is granted only to a single account root principal. No
# wildcard appears in Principal, so the rule stays quiet.
resource "aws_kms_key" "pass_0" {
  description = "description"
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# pass_1: a wildcard principal under "Effect": "Deny". Deny statements are
# excluded by the rule's pattern-not-inside, so this explicit block-all
# statement is not reported.
resource "aws_kms_key" "pass_1" {
  description = "description"
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# pass_2: a single placeholder principal ("foo") rather than "*". The rule only
# reacts to the wildcard, so a specific principal with kms:* is accepted.
resource "aws_kms_key" "pass_2" {
  description = "description"
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "foo",
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}
# pass_3: a Principal list with only named entries and no "*". The list form
# is flagged only when one of its elements is the wildcard.
resource "aws_kms_key" "pass_3" {
  description = "description"
  policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": ["foo","bar"],
"Action": "kms:*",
"Resource": "*"
}
]
}
POLICY
}