terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges


IAM policies that allow full "*-*" admin privileges violate the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE


Definition

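rules:
  - id: no-iam-admin-privileges
    # Reports an IAM policy statement that grants every action on every
    # resource ("*" / "*") unless that statement is an explicit Deny.
    # Two policy sources are covered:
    #   1. a jsonencode({...}) policy attribute on an IAM policy resource
    #   2. a statement {} block inside an aws_iam_policy_document data source
    pattern-either:
      # --- 1. jsonencode() policy on an IAM policy resource ---
      - patterns:
          - pattern-inside: |
              resource $TYPE "..." {
                ...
                policy = jsonencode({
                  ...
                  Statement = [
                    ...
                  ]
                  ...
                })
                ...
              }
          # The Deny exclusion is applied to the matched statement itself
          # (pattern-not), not to the enclosing resource (pattern-not-inside).
          # Excluding the whole resource would silently drop an "*"/"*" Allow
          # statement whenever any other statement in the same policy is a
          # Deny, which is a false negative on exactly the policies that
          # mix a broad Allow with a narrow Deny.
          - patterns:
              # Both the bare-string and single-element-list spellings are
              # valid IAM JSON, so accept either for Action and Resource.
              - pattern-either:
                  - pattern: |
                      {..., Action = "*", ...}
                  - pattern: |
                      {..., Action = ["*"], ...}
              - pattern-either:
                  - pattern: |
                      {..., Resource = "*", ...}
                  - pattern: |
                      {..., Resource = ["*"], ...}
              - pattern-not: |
                  {..., Effect = "Deny", ...}
          # Only the resource types whose `policy` attribute is an IAM
          # identity/inline policy document.
          - metavariable-pattern:
              metavariable: $TYPE
              pattern-either:
                - pattern: |
                    "aws_iam_role_policy"
                - pattern: |
                    "aws_iam_policy"
                - pattern: |
                    "aws_iam_user_policy"
                - pattern: |
                    "aws_iam_group_policy"
      # --- 2. statement {} block in an aws_iam_policy_document data source ---
      - patterns:
          - pattern-inside: |
              data aws_iam_policy_document "..." {
                ...
                statement {
                  ...
                }
                ...
              }
          # Same per-statement Deny exclusion as above. Note the data source
          # uses lower-case attribute names (actions / resources / effect).
          - patterns:
              - pattern: |
                  {..., resources = ["*"], ...}
              - pattern: |
                  {..., actions = ["*"], ...}
              - pattern-not: |
                  {..., effect = "Deny", ...}
    # $TYPE is only bound by the resource branch; for a data-source match it is
    # left unbound and appears literally in the rendered message.
    message: IAM policies that allow full "*-*" admin privileges violates the
      principle of least privilege. This allows an attacker to take full control
      over all AWS account resources. Instead, give each user more fine-grained
      control with only the privileges they need. $TYPE
    metadata:
      references:
        - https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py
      category: security
      cwe:
        - "CWE-269: Improper Privilege Management"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      # NOTE(review): impact LOW is at odds with the message's "full control
      # over all AWS account resources" — confirm the intended rating with the
      # rule owners.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING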

Examples

no-iam-admin-privileges.tf

resource "aws_iam_user_policy" "lb_ro" {
  user = aws_iam_user.lb.name
  name = "test"

  # jsonencode() turns the HCL object below into the JSON policy document.
  # Resource is a wildcard, but Action is limited to ec2:Describe*; only the
  # "*" / "*" combination counts as admin, so this statement is not reported.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-admin-privileges
        Effect   = "Allow"
        Resource = "*"
        Action   = ["ec2:Describe*"]
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
  # A deny-everything statement is a guardrail, not an admin grant: the
  # wildcard actions/resources are paired with effect = "Deny", so no finding.
  statement {
    # ok: no-iam-admin-privileges
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
  }
}

resource "aws_iam_user_policy" "policy" {
  # NOTE(review): path and description are aws_iam_policy arguments and the
  # required user argument is missing; fine for a pattern fixture, but this
  # block would not pass `terraform validate` — confirm if it is ever planned.
  description = "My test policy"
  path        = "/"
  name        = "test_policy"

  # jsonencode() turns the HCL object below into the JSON policy document.
  # Full "*" / "*" scope, but with Effect = "Deny": an explicit deny-all is a
  # restriction rather than an admin grant, so the rule stays quiet.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        #ok: no-iam-admin-privileges
        Effect   = "Deny"
        Action   = "*"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_policy" "policy" {
  description = "My test policy"
  path        = "/"
  name        = "test_policy"

  # jsonencode() turns the HCL object below into the JSON policy document.
  # Action and Resource are both "*" and there is no Effect = "Deny" (IAM
  # requires an Effect, so this document is also incomplete); the rule
  # treats anything that is not an explicit Deny as a grant and reports it.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      #ruleid: no-iam-admin-privileges
      {
        Action   = "*"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_policy" "policy" {
  description = "My test policy"
  path        = "/"
  name        = "test_policy"

  # jsonencode() turns the HCL object below into the JSON policy document.
  # The canonical admin statement: Allow on every action for every resource.
  # This is the case the rule exists to catch.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      #ruleid: no-iam-admin-privileges
      {
        Effect   = "Allow"
        Action   = "*"
        Resource = "*"
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
  # Wildcard actions and resources with no effect attribute. The data source
  # defaults effect to "Allow", so this renders as a full admin grant and is
  # reported.
  #ruleid: no-iam-admin-privileges
  statement {
    actions   = ["*"]
    resources = ["*"]

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
  }
}