terraform.aws.security.wildcard-assume-role.wildcard-assume-role

Author: semgrep
Detected wildcard access granted to sts:AssumeRole. With "Principal": {"AWS": "*"} and no Condition, any IAM principal in any AWS account can assume the role; all a caller needs is your AWS account ID and the role name, which together form the role ARN. Instead, limit the trust to a specific identity in your account, like this: arn:aws:iam::<account_id>:root (the account root principal delegates trust to the whole account; principals in it still need an identity policy that allows sts:AssumeRole on the role). Two caveats when triaging findings: the rule keys on the wildcard principal alone, so a statement that narrows "*" with a Condition such as aws:PrincipalOrgID or sts:ExternalId is still reported, and the pattern only inspects policies written as a string or heredoc literal in assume_role_policy, not ones built with jsonencode() or an aws_iam_policy_document data source.


Definition

rules:
  - id: wildcard-assume-role
    patterns:
      - pattern-inside: |
          resource "aws_iam_role" $NAME {
            ...
          }
      - pattern: assume_role_policy = "$STATEMENT"
      - metavariable-pattern:
          metavariable: $STATEMENT
          language: json
          patterns:
            - pattern-inside: |
                {..., "Effect": "Allow", ..., "Action": "sts:AssumeRole", ...}
            - pattern: |
                "Principal": {..., "AWS": "*", ...}
    message: "Detected wildcard access granted to sts:AssumeRole. This means anyone
      with your AWS account ID and the name of the role can assume the role.
      Instead, limit to a specific identity in your account, like this:
      `arn:aws:iam::<account_id>:root`."
    metadata:
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      category: security
      technology:
        - aws
      references:
        - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: ERROR
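The rule above matches the JSON pattern "AWS": "*" inside an Allow statement for sts:AssumeRole. IAM also accepts "Principal": "*" and "AWS": ["*"] as the same wildcard, and a list or wildcard Action such as ["sts:*"] still grants AssumeRole. The checker below is an added example, not Semgrep's code or part of the rule's fixtures: it applies the same test to the parsed policy document, so it covers those spellings as well, and it records whether a Condition block narrows the wildcard, which the rule does not examine. The function name check_trust_policy, the sample policies and the 123456789012 account ID are constructed for the example.

```python
# Added example: trust-policy checker over parsed JSON (not Semgrep's code).
import fnmatch
import json


def _as_list(value):
    """IAM lets most elements be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS principal strings a Principal element names.
    IAM documents "Principal": "*" as equivalent to {"AWS": "*"}."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _grants_assume_role(actions):
    """True if any Action entry matches sts:AssumeRole. IAM action names are
    case-insensitive and may contain wildcards such as sts:* or *."""
    return any(
        fnmatch.fnmatchcase("sts:assumerole", str(action).lower())
        for action in _as_list(actions)
    )


def check_trust_policy(policy_json):
    """Return one finding per Allow statement that lets a wildcard AWS principal
    call sts:AssumeRole. 'conditioned' tells the reviewer whether a Condition
    block (e.g. aws:PrincipalOrgID or sts:ExternalId) limits the wildcard."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_assume_role(stmt.get("Action")):
            continue
        if "*" not in _aws_principals(stmt.get("Principal")):
            continue
        condition = stmt.get("Condition") or {}
        findings.append({
            "statement": index,
            "sid": stmt.get("Sid"),
            "conditioned": bool(condition),
            "condition_keys": sorted(
                key for block in condition.values() for key in block
            ),
        })
    return findings


# Constructed sample trust policies; the account ID is a placeholder.
WILDCARD_OBJECT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})

WILDCARD_OTHER_SPELLINGS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BarePrincipal", "Effect": "Allow", "Principal": "*",
         "Action": ["sts:*"]},
        {"Sid": "ListForm", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "sts:assumerole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
        {"Sid": "DenyDoesNotCount", "Effect": "Deny", "Principal": "*",
         "Action": "sts:AssumeRole"},
    ],
})

ACCOUNT_ROOT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
})


if __name__ == "__main__":
    for name, policy in [("WILDCARD_OBJECT", WILDCARD_OBJECT),
                         ("WILDCARD_OTHER_SPELLINGS", WILDCARD_OTHER_SPELLINGS),
                         ("ACCOUNT_ROOT", ACCOUNT_ROOT)]:
        print(name, check_trust_policy(policy))
```

The Deny statement in the second sample is skipped on purpose: only Allow statements grant anything, and a Deny elsewhere in the document does not make a wildcard Allow safe. The "conditioned" flag is there so a wildcard narrowed by aws:PrincipalOrgID or sts:ExternalId can be routed to review rather than treated as an unrestricted trust.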

Examples

wildcard-assume-role.tf

# Inputs referenced by both roles below.
variable "role_name" {
  type = string
}

data "aws_caller_identity" "current" {}

resource "aws_iam_role" "bad" {
  name = var.role_name
  # ruleid: wildcard-assume-role
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
POLICY
}

resource "aws_iam_role" "ok" {
  name = var.role_name
  # ok: wildcard-assume-role
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
POLICY
}